# Example: Kubernetes Secret for Basic Authentication Password
# This file shows how to create a secret containing a plaintext password for sql-exporter basic auth
#
# There are multiple ways to create this secret:
# ============================================================================
# Method 1: kubectl create secret (Recommended - simplest)
# ============================================================================
# Create a secret with a plaintext password:
#
#   kubectl create secret generic sql-exporter-auth \
#     --from-literal=password='your-secure-password' \
#     --namespace=your-namespace
#
# The password should be:
# - Strong and unique
# - At least 16 characters
# - Not shared with other services
# ============================================================================
# Method 2: kubectl apply -f (from YAML manifest)
# ============================================================================
# If you want to store the secret definition in version control:
#
# Step 1: Base64 encode your password:
#   Linux/Mac:
#     echo -n 'your-secure-password' | base64
#   Windows PowerShell:
#     [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('your-secure-password'))
#
# Step 2: Copy the base64 value into the YAML below and apply:
#   kubectl apply -f secret-auth.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: sql-exporter-auth
  namespace: default  # Change to your namespace
  labels:
    app: sql-exporter
type: Opaque
data:
  # Base64-encoded plaintext password
  # This example encodes: "MySecurePassword123!"
  # Replace this with your actual base64-encoded password
  password: TXlTZWN1cmVQYXNzd29yZDEyMyE=
# ============================================================================
# Verify the secret
# ============================================================================
# After creating the secret, verify it:
#
#   kubectl get secret sql-exporter-auth
#   kubectl describe secret sql-exporter-auth
#
# Retrieve the plaintext password (for verification):
#
#   kubectl get secret sql-exporter-auth -o jsonpath='{.data.password}' | base64 -d
# ============================================================================
# Important Notes
# ============================================================================
# 1. The secret MUST be in the same namespace as the sql-exporter pod
# 2. The password is stored in PLAINTEXT (not bcrypt) - it will be hashed at pod startup
# 3. The default key name is 'password' but can be customized via:
#    webConfig.basicAuth.initFromSecret.secretKey
# 4. For production, use a proper secrets management solution (Vault, External Secrets, etc.)
# 5. Never commit plaintext passwords to version control
#    (the base64 value under 'data' is only encoded, not encrypted)
# 6. Rotate passwords regularly
# 7. The init container (httpd:alpine) uses htpasswd to bcrypt hash the password
#    with the cost specified in webConfig.basicAuth.bcryptCost (default: 12)