Passing Secrets to the Correlator With Docker and Kubernetes

Docker and Kubernetes both provide a means for passing encrypted data into your application through secrets.

To demonstrate this, a new sample has been added to our GitHub repository.

This sample demonstrates how to set the variable CORRELATOR_NAME using a secret. The variable is then read by a configuration file that is loaded into the correlator.

These secrets could be used for securely passing credentials to HTTP/REST clients. An example of doing this to access the API is shown below (all commands are for Linux). This demonstration is an adaptation of the samples\connectivity_plugin\application\weather sample shipped with Apama.

Creating a Docker Secret

  1. Create a Docker secret using the docker secret tool, for example:

    echo "APPID=key-11111111111" | docker secret create -

  2. Build the sample (Docker requires image names to be lowercase):

    docker build -t weathersample .

  3. Create the service in detached mode, passing in the secret:

    docker service create --name weatherSample -d weathersample

  4. Inspect the logs to ensure everything is working as expected:

    docker service logs weatherSample

Creating a Kubernetes Secret

  1. Create a Kubernetes secret with the data you want to pass in, for example, secret.yml:

  2. Create your pod, referencing the secret you created, for example kubernetes.yml:

  3. Create your secret: "kubectl create -f ./secret.yml"

  4. Build the image: "docker build -t sample ."

  5. Tag the image: "docker tag sample registry/org/repository:image"

  6. Push the image: "docker push registry/org/repository:image"

  7. Start the sample: "kubectl create -f kubernetes.yml"

  8. Inspect the logs: "kubectl logs sample"

Using the Secret

Allow your correlator to see this secret in your Dockerfile, for example:

    CMD ["correlator", "--config", "/run/secrets/"]
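A pre-flight check for the mounted secret file, added here as an example and not part of the original sample: it confirms the file holds a single APPID=<value> line with no carriage returns, and logs only the length of the value. The function name check_appid_secret and the sample file are assumptions; pass it the path your container mounts under /run/secrets/.

```shell
#!/bin/sh
# Added example (not from the Apama sample). check_appid_secret is a
# hypothetical helper; the caller passes the mounted secret's path.
# Returns: 0 ok, 2 missing/unreadable, 3 carriage return found, 4 malformed.

check_appid_secret() {
    file=$1

    # The secret must be mounted as a readable regular file.
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "secret check: $file is missing or unreadable" >&2
        return 2
    fi

    # A CRLF ending (secret created from a Windows-edited file) would
    # end up inside the value that the configuration file reads.
    cr=$(printf '\r')
    if grep -q "$cr" "$file"; then
        echo "secret check: $file contains carriage returns" >&2
        return 3
    fi

    # Expect exactly one non-blank line, of the form APPID=<no whitespace>.
    lines=$(grep -c '[^[:space:]]' "$file" || true)
    matches=$(grep -c '^APPID=[^[:space:]]\{1,\}$' "$file" || true)
    if [ "$lines" -ne 1 ] || [ "$matches" -ne 1 ]; then
        echo "secret check: $file is not a single APPID=<value> line" >&2
        return 4
    fi

    # Report the length only, so the key never reaches the container logs.
    value=$(sed -n 's/^APPID=//p' "$file")
    echo "secret check: $file ok (APPID value, ${#value} characters)"
}

# Constructed sample with the same shape as the value piped to
# `docker secret create` above.
sample=$(mktemp)
printf 'APPID=key-11111111111\n' > "$sample"
check_appid_secret "$sample"
rm -f "$sample"
```

Run it from an entrypoint wrapper or a CI step before the correlator starts, so a malformed secret fails fast instead of surfacing later as rejected HTTP requests.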

In your correlator configuration file, reference the variable set in your secret. In this case, we want to append APPID={value of weather_api_key}, like so:

In your EPL, send a HTTP request (in this case for the weather in London), and have the APPID automatically appended onto the end of the request:

Removing a Secret

Note that you must explicitly remove a secret. This is done in Docker with:

    docker secret rm

And in Kubernetes with:

    kubectl delete -f secret.yml

— Antony