If you are using Kubernetes with CircleCI, there is a simple way for engineers to ship secrets: use the Environment Variables feature with an appropriate prefix.

Add your environment variables

Insert an environment variable with the appropriate prefix.

To generate the Kubernetes Secret manifest, add a CircleCI task that builds it from those variables with the following script.

Code to Generate Secrets

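#!/usr/bin/env python3
"""Build a Kubernetes Secret manifest from prefixed environment variables."""

import base64
import json
import os
import sys

if len(sys.argv) != 2:
    sys.exit("usage: envtokubesecrets.py <environment>")

environment = sys.argv[1].upper()
prefix = environment + "_"

# Only grab the variables that are pertinent to the environment.
# Matching on "<ENVIRONMENT>_" keeps a variable such as PRODUCTIONX_FOO out
# of the PRODUCTION secret.
data = {}
for env, val in os.environ.items():
    if env.startswith(prefix):
        # Strip the prefix; Secret values must be base64-encoded strings.
        encoded = base64.standard_b64encode(val.encode("utf-8"))
        data[env[len(prefix):]] = encoded.decode("ascii")

json_output = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": environment.lower()
    },
    "type": "Opaque",
    "data": data,
}

print(json.dumps(json_output))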

Now whenever ./envtokubesecrets.py production > production-secrets.json is called, it looks for environment variables that start with PRODUCTION and generates a manifest.

To apply this manifest run kubectl apply -f production-secrets.json it
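
A check the CircleCI job could run on the generated file before kubectl apply, added here as an example and not part of the original post. The names check_manifest, decode_data and sample are hypothetical and both sample manifests are constructed. It applies Kubernetes' naming rules for Secret names and data keys, and decode_data shows that anyone who can read production-secrets.json can recover the values.

```python
import base64
import binascii
import json
import re

# Kubernetes rules: a Secret name is a DNS-1123 subdomain (max 253 chars);
# data keys may contain only alphanumerics, '-', '_' and '.'.
LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
NAME_RE = re.compile(r"%s(\.%s)*" % (LABEL, LABEL))
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")


def check_manifest(text):
    """Return a list of problems found in a generated Secret manifest."""
    manifest = json.loads(text)
    problems = []
    if (manifest.get("apiVersion"), manifest.get("kind")) != ("v1", "Secret"):
        problems.append("not a v1 Secret")
    name = manifest.get("metadata", {}).get("name", "")
    if len(name) > 253 or not NAME_RE.fullmatch(name):
        problems.append("invalid secret name: %r" % name)
    data = manifest.get("data") or {}
    if not data:
        problems.append("no data: the prefix matched no variables")
    for key, value in sorted(data.items()):
        if not KEY_RE.fullmatch(key):
            problems.append("invalid data key: %r" % key)
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, TypeError, ValueError):
            problems.append("value of %r is not valid base64" % key)
    return problems


def decode_data(text):
    """Recover every plaintext value: base64 is an encoding, not encryption."""
    data = json.loads(text).get("data") or {}
    return {k: base64.b64decode(v).decode("utf-8") for k, v in data.items()}


def sample(name, data):
    """Build a constructed sample manifest in the shape the script prints."""
    return json.dumps({"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                       "metadata": {"name": name}, "data": data})


GOOD = sample("production", {
    "DB_PASSWORD": base64.b64encode(b"constructed-password").decode()})
BAD = sample("Production_EU", {"": "eA==", "API KEY": "not base64!"})
```

Because the values decode this easily, the generated file should be kept out of the repository and out of stored build artifacts.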