my-docs/Containerization-Orchestration/Kubernetes/workloads/13-Secret.md

# 🔐 Kubernetes Secrets Guide

Kubernetes **Secrets** are used to store and manage sensitive information such as passwords, OAuth tokens, and SSH keys. Unlike ConfigMaps, they are specifically designed for confidential data.

---

## 📌 Types of Kubernetes Secrets

| **Built-in Type**                     | **Usage**                               |
| ------------------------------------- | --------------------------------------- |
| `Opaque`                              | Arbitrary user-defined data             |
| `kubernetes.io/service-account-token` | ServiceAccount token                    |
| `kubernetes.io/dockercfg`             | Serialized `~/.dockercfg` file          |
| `kubernetes.io/dockerconfigjson`      | Serialized `~/.docker/config.json` file |
| `kubernetes.io/basic-auth`            | Credentials for basic authentication    |
| `kubernetes.io/ssh-auth`              | Credentials for SSH authentication      |
| `kubernetes.io/tls`                   | Data for a TLS client or server         |
| `bootstrap.kubernetes.io/token`       | Bootstrap token data                    |

---

## 📂 Creating a Secret

You can create a Secret directly with `kubectl`:

```bash
kubectl create secret generic db-pass --from-literal=password='123'
```

Verify it exists:

```bash
kubectl get secret db-pass
```

---

## 📜 Secret YAML Example

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-pass
type: Opaque
stringData:
  password: '123'
```

---

## 🚀 Using a Secret in a Pod

Secrets can be injected into a Pod as **environment variables**:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mariadb-db
spec:
  containers:
    - name: mariadb
      image: mariadb
      env:
        - name: MARIADB_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-pass
              key: password
```

This example sets the MariaDB root password from the `db-pass` Secret.

---

✅ **Pro Tip**: Always base64-encode values when writing Secrets directly in YAML. Kubernetes expects the `data` field in base64, not plaintext.