CODEWITHSUNDEEP
kubernetesdatadogconfigmapkubernetes-secrets
Subha_26
Subha_26

Reputation: 450

How to add API key confidentially inside config map?

I am new to K8s. I am trying to deploy a Datadog agent to my cluster to collect logs and this happens through a ConfigMap.

apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-cm
data:
  fluent-bit.conf: |
    [SERVICE]
        Parsers_File     parsers.conf
    
    [INPUT]
        name              tail
        path              /tmp/app.log
        parser            nginx

    [OUTPUT]
        Name           datadog
        Match          *
        Host           http-intake.logs.datadoghq.com
        TLS            off
        apikey         <API key to be used confidentially>
        dd_service     abcd
        dd_source      abcd
        dd_tags        env:dev

  parsers.conf: |
    [PARSER]
        Name   nginx
        Format regex
        Regex ^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*))" "(?<agent>[^\"]*)"(?: "(?<target>[^\"]*))"$
        Time_Key time
        Time_Format %d/%b/%Y:%H:%M:%S %z

I do not want to add the API key as plain text. Can I do it using secrets? Please suggest ways to achieve this.

P.S: I need to use the config map in order to add the Datadog agent, and hence the config map cannot be replaced.

Upvotes: 1

Views: 819

Answers (1)

user15659347
user15659347

Reputation:

In theory you could Secret as a environment variable, and pass it to a Pod using ConfigMap.

apiVersion: v1
kind: Secret
metadata:
  name: fluentbit-secret-test
type: Opaque
data:
  apikey: <base64 encoded api key>

apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-cm
data:
  fluent-bit.conf: |
...
        apikey         $FLUENTBIT_API_KEY
...

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-test
spec:
  containers:
  - name: test
    image: nginx
    env:
      - name: FLUENTBIT_API_KEY
        valueFrom:
          secretKeyRef:
            name: fluentbit-secret-test
            key: apikey

However, you must remember, that Kubernetes Secrets are not encrypted by default, only base64 encoded. Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd

Upvotes: 1

Related Questions