docs-source/docs/modules/deployment/pages/config-secret.adoc - pekko-platform-guide - Git at Google

 = Secrets and environment configuration
 :page-toclevels: 3

 include::partial$include.adoc[]

 The Akka Operator has support for managing https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes Secrets {tab-icon}, window="tab"] that can be used, for example, as credentials for custom integrations. Note that the operator has specific and more convenient support for xref:integrations.adoc[certain integrations].

 == Secrets

 Secrets with entries that will be mounted as files can be defined in `secretVolumes` of the deployment descriptor.

 .kubernetes/shopping-cart-service-cr.yml
 [source,yaml]
 ----
 apiVersion: pekko.apache.org/v1
 kind: PekkoMicroservice
 metadata:
   name: shopping-cart-service
 spec:
   image: <image>
   secretVolumes:
     - secretName: shopping-cart-service-secret
       mountPath: "/etc/secret-volume"
 ----

 The Secret can be created with for example:

 [source,shell script]
 ----
 kubectl create secret generic \
     shopping-cart-service-secret \
     --from-file=connect.zip=secure-connect-bundle.zip
 ----

 You can see the mounted files with:

 [source,shell script]
 ----
 kubectl exec -i -t <pod name> -- /bin/bash

 ls /etc/secret-volume
 ----

 == Environment variables

 Environment variables can be used for the configuration of custom integrations.

 https://kubernetes.io/docs/concepts/configuration/secret/[Secrets {tab-icon}, window="tab"] with entries that will be included as environment variables be defined in `envSecret` of the deployment descriptor.

 .kubernetes/shopping-cart-service-cr.yml
 [source,yaml]
 ----
 apiVersion: pekko.apache.org/v1
 kind: PekkoMicroservice
 metadata:
   name: shopping-cart-service
 spec:
   image: <image>
   envSecret:
     secretName: shopping-cart-service-env
 ----

 The application.conf can use such environment variables with:

 [source,conf]
 ----
       username = ${?DB_USER}
       password = ${?DB_PWD}
 ----

 The Secret can be created with for example:

 [source,conf]
 ----
 kubectl create secret generic \
     shopping-cart-service-env \
     --from-literal=DB_USER=scott \
     --from-literal=DB_PWD=tiger
 ----

 == Configuration

 For environment specific configuration that will override the application.conf in the image (jar) you can define configuration in the https://kubernetes.io/docs/concepts/configuration/secret/[Secrets {tab-icon}, window="tab"] specified by the `configSecret` in the deployment descriptor.

 The entries in the Secret will be concatenated into a `main.conf` together with configuration provided by the operator. The `main.conf` includes `application.conf` and will be loaded when the `ActorSystem` is started.

 .kubernetes/shopping-cart-service-cr.yml
 [source,yaml]
 ----
 apiVersion: pekko.apache.org/v1
 kind: PekkoMicroservice
 metadata:
   name: shopping-cart-service
 spec:
   image: <image>
   configSecret:
     secretName: shopping-cart-service-config
 ----

 The Secret can be created with for example:

 [source,shell script]
 ----
 kubectl create secret generic \
     shopping-cart-service-config \
     --from-file=logging.conf=kubernetes/logging.conf \
     --from-file=environment.conf=kubernetes/environment.conf
 ----

 You can see the mounted `main.conf` with:

 [source,shell script]
 ----
 kubectl exec -i -t <pod name> -- /bin/bash

 cat /etc/config-volume/main.conf
 ----

 [#main-conf]
 == Application configuration in the Pod

 The Akka Operator will automatically provide configuration for the xref:integrations.adoc[Integrations] to the application.

 For troubleshooting it can be good to know how the configuration is loaded.

 The configuration that the Akka Operator provides via a Secret is located in `/etc/config-volume/main.conf` in the Pod. The `main.conf` includes `application.conf` and the JVM system property `config.file` is set to `main.conf` by the operator. In other words, `main.conf` will be used when the application starts the `ActorSystem` without specifying a configuration, or when using `ConfigFactory.load()`.

 You can see the mounted `main.conf` with:

 [source,shell script]
 ----
 kubectl exec -i -t <pod name> -- /bin/bash

 cat /etc/config-volume/main.conf
 ----
	= Secrets and environment configuration
	:page-toclevels: 3

	include::partial$include.adoc[]

	The Akka Operator has support for managing https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes Secrets {tab-icon}, window="tab"] that can be used, for example, as credentials for custom integrations. Note that the operator has specific and more convenient support for xref:integrations.adoc[certain integrations].

	== Secrets

	Secrets with entries that will be mounted as files can be defined in `secretVolumes` of the deployment descriptor.

	.kubernetes/shopping-cart-service-cr.yml
	[source,yaml]
	----
	apiVersion: pekko.apache.org/v1
	kind: PekkoMicroservice
	metadata:
	name: shopping-cart-service
	spec:
	image: <image>
	secretVolumes:
	- secretName: shopping-cart-service-secret
	mountPath: "/etc/secret-volume"
	----

	The Secret can be created with for example:

	[source,shell script]
	----
	kubectl create secret generic \
	shopping-cart-service-secret \
	--from-file=connect.zip=secure-connect-bundle.zip
	----

	You can see the mounted files with:

	[source,shell script]
	----
	kubectl exec -i -t <pod name> -- /bin/bash

	ls /etc/secret-volume
	----

	== Environment variables

	Environment variables can be used for the configuration of custom integrations.

	https://kubernetes.io/docs/concepts/configuration/secret/[Secrets {tab-icon}, window="tab"] with entries that will be included as environment variables be defined in `envSecret` of the deployment descriptor.

	.kubernetes/shopping-cart-service-cr.yml
	[source,yaml]
	----
	apiVersion: pekko.apache.org/v1
	kind: PekkoMicroservice
	metadata:
	name: shopping-cart-service
	spec:
	image: <image>
	envSecret:
	secretName: shopping-cart-service-env
	----

	The application.conf can use such environment variables with:

	[source,conf]
	----
	username = ${?DB_USER}
	password = ${?DB_PWD}
	----

	The Secret can be created with for example:

	[source,conf]
	----
	kubectl create secret generic \
	shopping-cart-service-env \
	--from-literal=DB_USER=scott \
	--from-literal=DB_PWD=tiger
	----

	== Configuration

	For environment specific configuration that will override the application.conf in the image (jar) you can define configuration in the https://kubernetes.io/docs/concepts/configuration/secret/[Secrets {tab-icon}, window="tab"] specified by the `configSecret` in the deployment descriptor.

	The entries in the Secret will be concatenated into a `main.conf` together with configuration provided by the operator. The `main.conf` includes `application.conf` and will be loaded when the `ActorSystem` is started.

	.kubernetes/shopping-cart-service-cr.yml
	[source,yaml]
	----
	apiVersion: pekko.apache.org/v1
	kind: PekkoMicroservice
	metadata:
	name: shopping-cart-service
	spec:
	image: <image>
	configSecret:
	secretName: shopping-cart-service-config
	----

	The Secret can be created with for example:

	[source,shell script]
	----
	kubectl create secret generic \
	shopping-cart-service-config \
	--from-file=logging.conf=kubernetes/logging.conf \
	--from-file=environment.conf=kubernetes/environment.conf
	----

	You can see the mounted `main.conf` with:

	[source,shell script]
	----
	kubectl exec -i -t <pod name> -- /bin/bash

	cat /etc/config-volume/main.conf
	----

	[#main-conf]
	== Application configuration in the Pod

	The Akka Operator will automatically provide configuration for the xref:integrations.adoc[Integrations] to the application.

	For troubleshooting it can be good to know how the configuration is loaded.

	The configuration that the Akka Operator provides via a Secret is located in `/etc/config-volume/main.conf` in the Pod. The `main.conf` includes `application.conf` and the JVM system property `config.file` is set to `main.conf` by the operator. In other words, `main.conf` will be used when the application starts the `ActorSystem` without specifying a configuration, or when using `ConfigFactory.load()`.

	You can see the mounted `main.conf` with:

	[source,shell script]
	----
	kubectl exec -i -t <pod name> -- /bin/bash

	cat /etc/config-volume/main.conf
	----