Use secrets in Swarm deployments¶
This topic describes how to create and use secrets with MKE by showing you how to deploy a WordPress application that uses a secret for storing a plaintext password. Other sensitive information you might use a secret to store includes TLS certificates and private keys. MKE allows you to securely store secrets and configure who can access and manage them using role-based access control (RBAC).
The application you will create in this topic includes the following two services:
wordpress: Apache, PHP, and WordPress
wordpress-db: MySQL database
The following example stores a password in a secret. Swarm keeps the secret encrypted in the cluster Raft log and mounts it as a file inside the containers of the services you deploy (on Linux nodes, on an in-memory tmpfs filesystem rather than on disk). The services have access to the file, but no one else can see the plaintext password. To keep things simple, you will not configure the database to persist data, so when the service stops, the data is lost.
To create a secret:
Log in to the MKE web UI.
Navigate to Swarm > Secrets and click Create.
Note
After you create the secret, you will not be able to edit or see the secret again.
Name the secret wordpress-password-v1.
In the Content field, assign a value to the secret.
Optional. Define a permission label so that other users can be given permission to use this secret.
Note
To use services and secrets together, they must either have the same permission label or no label at all.
To create a network for your services:
Navigate to Swarm > Networks and click Create.
Create a network called wordpress-network with the default settings.
To create the MySQL service:
Navigate to Swarm > Services and click Create.
Under Service Details, name the service wordpress-db.
Under Task Template, enter the image mysql:5.7.
In the left-side menu, navigate to Network, click Attach Network +, and select wordpress-network from the drop-down.
In the left-side menu, navigate to Environment, click Use Secret +, and select wordpress-password-v1 from the drop-down.
Click Confirm to associate the secret with the service.
Scroll down to Environment variables and click Add Environment Variable +.
Enter the following string to create an environment variable that contains the path to the password file in the container:
MYSQL_ROOT_PASSWORD_FILE=/run/secrets/wordpress-password-v1
If you specified a permission label on the secret, you must set the same permission label on this service.
Click Create to deploy the MySQL service.
This creates a MySQL service that is attached to the wordpress-network network and that uses the wordpress-password-v1 secret. By default, Swarm mounts the secret as a file named after the secret, at /run/secrets/<secret-name>, inside every container running the service. The MYSQL_ROOT_PASSWORD_FILE environment variable (the _FILE variant of MYSQL_ROOT_PASSWORD supported by the official MySQL image) configures MySQL to read the root password from /run/secrets/wordpress-password-v1. Only the path is in the environment, so the password itself does not show up in the service definition or in docker inspect output, where environment variables are visible.
To create the WordPress service:
Navigate to Swarm > Services and click Create.
Under Service Details, name the service wordpress.
Under Task Template, enter the image wordpress:latest.
In the left-side menu, navigate to Network, click Attach Network +, and select wordpress-network from the drop-down.
Still under Network, click Publish Port + and publish target port 80 of the service as published port 8000, so the site is reachable through the cluster routing mesh.
In the left-side menu, navigate to Environment, click Use Secret +, and select wordpress-password-v1 from the drop-down.
Click Confirm to associate the secret with the service.
Scroll down to Environment variables and click Add Environment Variable +.
Enter the following string to create an environment variable that contains the path to the password file in the container:
WORDPRESS_DB_PASSWORD_FILE=/run/secrets/wordpress-password-v1
Add another environment variable and enter the following string:
WORDPRESS_DB_HOST=wordpress-db:3306
If you specified a permission label on the secret, you must set the same permission label on this service.
Click Create to deploy the WordPress service.
This creates a WordPress service that is attached to the same network as the MySQL service, so that the two can communicate by service name, and maps port 80 of the service to port 8000 of the cluster routing mesh. Both services share one secret because the WordPress image connects as the database user root unless WORDPRESS_DB_USER says otherwise; for anything beyond a demonstration, create a dedicated, least-privileged database user and give WordPress that user's password instead of the root password.
Once you deploy this service, you will be able to access it on port 8000 using the IP address of any node in your MKE cluster.
To update a secret:
If the secret is compromised, you need to change it, update every service that uses it, and then delete the old secret. Swarm does not let you delete a secret while a service still references it, so the deletion comes last.
Create a new secret named wordpress-password-v2.
From Swarm > Secrets, select the wordpress-password-v1 secret to view all the services that you need to update. In this example there are only two, but that will not always be the case.
Update wordpress-db to use the new secret: under Environment, click Use Secret + and select wordpress-password-v2, then remove wordpress-password-v1 from the service.
Point MySQL at the new secret with either of the following methods:
Update the MYSQL_ROOT_PASSWORD_FILE environment variable directly:
MYSQL_ROOT_PASSWORD_FILE=/run/secrets/wordpress-password-v2
Or leave the environment variable unchanged and set the Target Name field of the wordpress-password-v2 secret to wordpress-password-v1. This mounts the content of wordpress-password-v2 at /run/secrets/wordpress-password-v1, the path the service already reads.
Click Update. Repeat the foregoing steps for the wordpress service.
Once no service references it, delete the wordpress-password-v1 secret from Swarm > Secrets.
Note
The MySQL image applies MYSQL_ROOT_PASSWORD_FILE only when it initializes an empty data directory. The rotation works in this example because the database has no persistent volume, so every service update starts a fresh container with an empty data directory and the new password. With persistent data, you must also change the root password inside MySQL, otherwise the service keeps running with the old, compromised password even though the mounted secret has changed.
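The same deployment and rotation, typed into the docker CLI (for example from an MKE client bundle) instead of the web UI. This is an added example, not code from the MKE documentation. The secret, network and service names and the environment variables match the walkthrough above; the overlay driver for wordpress-network, the DOCKER variable (a hook that lets the functions be pointed at a wrapper for dry runs) and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the MKE documentation: CLI equivalent of the
# web-UI procedure for creating, using and rotating a Swarm secret.
set -eu

# DOCKER is an assumption of this example: point it at a wrapper (or a shell
# function) to dry-run the commands against a fake cluster.
DOCKER=${DOCKER:-docker}

# Create the secret from stdin ("-") so the plaintext never appears on a
# command line, in shell history or in a process listing:
#   printf '%s' "$PASSWORD" | create_password_secret wordpress-password-v1
create_password_secret() {
  local name=$1
  "$DOCKER" secret create "$name" -
}

# Deploy both services against one secret. Swarm mounts it at
# /run/secrets/<secret> in every task; only that path goes into the
# environment, never the password itself.
deploy_wordpress() {
  local secret=$1
  "$DOCKER" network create --driver overlay wordpress-network
  "$DOCKER" service create --name wordpress-db \
    --network wordpress-network \
    --secret "$secret" \
    --env "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/$secret" \
    mysql:5.7
  "$DOCKER" service create --name wordpress \
    --network wordpress-network \
    --secret "$secret" \
    --env "WORDPRESS_DB_PASSWORD_FILE=/run/secrets/$secret" \
    --env WORDPRESS_DB_HOST=wordpress-db:3306 \
    --publish published=8000,target=80 \
    wordpress:latest
}

# List every service that currently mounts a secret: the CLI version of
# "select the secret in Swarm > Secrets to view the services to update".
services_using_secret() {
  local secret=$1
  "$DOCKER" service ls -q | while read -r id; do
    "$DOCKER" service inspect --format \
      '{{.Spec.Name}}{{range .Spec.TaskTemplate.ContainerSpec.Secrets}} {{.SecretName}}{{end}}' \
      "$id"
  done | awk -v s="$secret" '{ for (i = 2; i <= NF; i++) if ($i == s) print $1 }'
}

# Rotate: on each service, replace the old secret with the new one mounted
# at the OLD target path, so no environment variable has to change. The
# old secret is removed last, because Swarm refuses to delete a secret
# that a service still references.
rotate_secret() {
  local old=$1 new=$2
  shift 2
  local svc
  for svc in "$@"; do
    "$DOCKER" service update \
      --secret-rm "$old" \
      --secret-add "source=$new,target=$old" \
      "$svc"
  done
  "$DOCKER" secret rm "$old"
}

# Usage against a real cluster (functions only; nothing runs on load):
#   printf '%s' "$PASSWORD" | create_password_secret wordpress-password-v1
#   deploy_wordpress wordpress-password-v1
#   printf '%s' "$NEW_PASSWORD" | create_password_secret wordpress-password-v2
#   rotate_secret wordpress-password-v1 wordpress-password-v2 \
#     $(services_using_secret wordpress-password-v1)
```

The order inside rotate_secret is the point: every service is moved to the new secret first, and only then is the old secret deleted, which is the same sequence the UI procedure above follows. Keeping the target name fixed means the MYSQL_ROOT_PASSWORD_FILE and WORDPRESS_DB_PASSWORD_FILE values stay valid across rotations, so a rotation never has to touch the service environment.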