Integrating Secrets into Your Deployments
So far, this chapter has been focused on how to store and manage secret data. We’ve covered different strategies for managing secrets with their associated risks and benefits. In this section, the focus will be on consuming that secret data in your workloads.
There are four ways that a workload can consume secret data:
- Volume Mounts – Similar to reading a file from a PersistentVolumeClaim, secrets can be mounted into a Pod and accessed as a file. This approach can be used with both external secrets and with Secret objects. This is generally the preferred approach when working with security teams. If a Secret is updated while a Pod is running, the volume will eventually get updated, though this can take some time based on your Kubernetes distribution.
- Environment Variables – Secret data can be injected into environment variables and consumed from the workload like any other environment variable. This is often referred to...
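As an added illustration (not from the book), here is a constructed Secret together with a Pod that consumes it both ways: the password as a read-only mounted file and the username as an environment variable. The Secret values, names and image are placeholders.

```yaml
# Constructed example: a Secret and a Pod that consumes it as a file and as an env var.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # placeholder name
type: Opaque
stringData:
  username: app
  password: placeholder-not-a-real-password
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-consumer
spec:
  automountServiceAccountToken: false   # only mount what the workload actually needs
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000                       # kubelet chowns the secret files to this group
  containers:
  - name: app
    image: registry.example.com/app:1.0 # placeholder image
    env:
    # Environment-variable consumption: the value is fixed when the container
    # starts and is NOT refreshed if the Secret object changes later.
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    volumeMounts:
    # Volume consumption: files under /etc/db are eventually refreshed by the
    # kubelet after the Secret changes. Do not use subPath for this mount:
    # subPath mounts never receive updates.
    - name: db-creds
      mountPath: /etc/db
      readOnly: true
  volumes:
  - name: db-creds
    secret:
      secretName: db-credentials
      defaultMode: 0440   # owner/group read only; backed by tmpfs, not node disk
      items:
      - key: password
        path: password    # exposed as /etc/db/password
```

The container reads the password from `/etc/db/password` at use time rather than caching it, so a rotated Secret is picked up without a restart; the `DB_USERNAME` variable requires a Pod restart to change.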