Storing data in a Kubernetes secret

You are currently viewing version 1.8 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see Supported versions.

This topic explains how to store sensitive data in a Kubernetes secret and retrieve the data from flow variables in an API proxy flow.

Introduction

There are times when you want to store data for retrieval at runtime—non-expiring data that shouldn't be hard-coded in your API proxy logic. One option is to use the hybrid key-value map (KVM) feature. If you are already using Kubernetes for secret management in a custom vault for sensitive data, you might want to consider using the Kubernetes secret feature described in this topic. Just like with KVM data, you can access the Kubernetes secret data in API proxy flow variables.

What kinds of data can be stored in a Kubernetes secret?

Apigee hybrid supports storing only the following kinds of data files in a Kubernetes secret:

File format                    Supported file extensions
TLS certificate and key files  *.crt, *.key, and *.pem
Property files                 *.properties

Property files are files that contain key/value pairs. For example:

username=admin
password=1f2d1e2e7df

Creating a Kubernetes secret

This section explains how to create a Kubernetes secret for storing sensitive data in the cluster.

Note: The Kubernetes secret is environment scoped only; organization and proxy scoped secrets are not supported.
  1. Create the file or files that you wish to store in the Kubernetes secret. The files must be one of the supported formats with the file extensions listed in What kinds of data can be stored in a Kubernetes secret.
  2. Execute the kubectl create secret generic command. For example:
    kubectl -n namespace create secret generic org-env-policy-secret \
      --from-file=filepath/prop-file.properties \
      --from-file=filepath/key-file.key \
      --from-file=filepath/cert-file.pem

    Where:

    • namespace: The Kubernetes namespace where your runtime components are deployed.
    • org: Your Apigee organization name.
    • env: The name of an environment in your org.
    • filepath: The path to the file you wish to include in the secret. You must specify at least one file to include in the secret.
    • prop-file: The name of a properties file to include in the secret.
    • key-file: The name of a TLS key file to include in the secret.
    • cert-file: The name of a TLS certificate file to include in the secret.

    You can include one or more files in the secret. For example:

    kubectl -n apigee create secret generic myorg-test-policy-secret \
      --from-file="$policy_secrets_path"/credential.properties \
      --from-file="$policy_secrets_path"/secrets.properties \
      --from-file="$policy_secrets_path"/public.key \
      --from-file="$policy_secrets_path"/fullchain.pem
  3. After creation, it may take up to 90 seconds for the change to be reflected in all the clusters. The message processors poll for secret changes every 30 seconds. If they detect a change, the cache is updated.

Retrieving data from a secret

Once the secret is created and available (usually about 90 seconds after creation), you can access the secret data in a flow variable in an API proxy flow in the organization/environment in which the secret is stored. For example, assume your secret contains a *.properties file called credential.properties with an API key in it, as follows:

apikey=OrxYQptBMlY1TqmiGLTtyFiaLzzrD25Z

You can then retrieve the API key from a flow variable using a policy like Assign Message. For example:

<AssignMessage name="assignvariable-2">
  <AssignVariable>
    <Name>my-apikey</Name>
    <Ref>private.secret.credential.properties.apikey</Ref>
  </AssignVariable>
</AssignMessage>

The variable name referenced in the Ref element, private.secret.credential.properties.apikey, is composed of these parts:

Variable name part     Description
private.secret         The fixed namespace of the variable. All Kubernetes secrets stored in the hybrid cluster share this namespace.
credential.properties  The name of a file stored in the Kubernetes secret. Note: This filename must be in lowercase letters.
apikey                 The name of a key stored in a properties file.

In this example, the Assign Message policy retrieves the apikey value OrxYQptBMlY1TqmiGLTtyFiaLzzrD25Z and stores it in the flow variable my-apikey.
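The following script is an added example and is not part of the Apigee hybrid documentation. Working from the local copy of a properties file that will go into the policy secret, it lists the flow-variable names the message processor will expose (private.secret.<file>.<key>, as in the table above) and resolves an Assign Message Ref against that file, so a misspelled file name or key is caught before the proxy is deployed rather than at runtime. The function names (flow_var_name, secret_value, list_flow_vars, resolve_ref) are this example's own, and the properties content in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not code from the Apigee hybrid documentation.
# Shows how a flow-variable name maps to a properties file and key in the
# policy secret, and checks that an AssignMessage <Ref> resolves locally.

# flow_var_name FILE-NAME KEY -> private.secret.FILE-NAME.KEY
flow_var_name() {
  printf 'private.secret.%s.%s\n' "$1" "$2"
}

# secret_value PATH KEY: print the value of KEY in a properties file.
# The value is everything after the first "="; blank lines and "#"
# comments are skipped. Returns 1 when the key is absent.
secret_value() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
      "$2="*) printf '%s\n' "${line#*=}"; return 0 ;;
    esac
  done < "$1"
  return 1
}

# list_flow_vars PATH: print "flow-variable-name=value" for every key in
# the file, using the file's base name as the middle part of the variable.
list_flow_vars() {
  base=$(basename -- "$1")
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    printf '%s=%s\n' "$(flow_var_name "$base" "${line%%=*}")" "${line#*=}"
  done < "$1"
}

# resolve_ref DIR REF: split a Ref such as
# private.secret.credential.properties.apikey into its file and key parts
# and look the key up in DIR/<file>. The file part ends at ".properties",
# which is unambiguous because only properties files carry keys.
resolve_ref() {
  dir=$1; ref=$2
  case "$ref" in
    private.secret.*.properties.?*) ;;
    *) echo "not a properties-file reference: $ref" >&2; return 1 ;;
  esac
  rest=${ref#private.secret.}
  file=${rest%%.properties.*}.properties
  key=${rest#*.properties.}
  # The page requires the file name part of the variable to be lowercase.
  if [ "$file" != "$(printf '%s' "$file" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "file name in reference must be lowercase: $file" >&2; return 1
  fi
  [ -f "$dir/$file" ] || { echo "no such file in secret: $file" >&2; return 1; }
  secret_value "$dir/$file" "$key" || { echo "no key '$key' in $file" >&2; return 1; }
}

# Usage: sh check-refs.sh ./policy-secrets private.secret.credential.properties.apikey
if [ "$#" -eq 2 ]; then
  resolve_ref "$1" "$2"
fi
```

Run it against the directory you pass to --from-file with the exact Ref string from the policy; a non-zero exit with "no such file in secret" is the signal that the proxy and the secret disagree on the file name.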

Updating a secret

Because kubectl does not support updating Kubernetes secrets, you must first delete the existing secret and recreate it by following the steps in Creating a Kubernetes secret.
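The following script is an added example and is not part of the Apigee hybrid documentation. It wraps the kubectl create secret generic command from Creating a Kubernetes secret with the pre-flight checks that section implies (supported extensions, lowercase file names, at least one file), and adds the delete-then-recreate sequence this section describes. The secret name convention (org-env-policy-secret), the namespace and the function names (secret_name, check_secret_file, create_policy_secret, replace_policy_secret) are taken from or invented for this example; the lowercase check is applied to every file, which is stricter than the page requires.

```shell
#!/bin/sh
# Added example, not code from the Apigee hybrid documentation.
# Pre-flight checks plus create / delete-and-recreate of the policy secret.

# Secret name convention used on the page: <org>-<env>-policy-secret.
secret_name() {
  printf '%s-%s-policy-secret\n' "$1" "$2"
}

# Accept a file only if it has a supported extension, a lowercase base
# name (flow variables reference the file name, and the page requires that
# name to be lowercase) and actually exists.
check_secret_file() {
  base=$(basename -- "$1")
  case "$base" in
    *.crt|*.key|*.pem|*.properties) ;;
    *) echo "unsupported extension: $base" >&2; return 1 ;;
  esac
  if [ "$base" != "$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "file name must be lowercase: $base" >&2
    return 1
  fi
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
}

# create_policy_secret NAMESPACE ORG ENV FILE...
create_policy_secret() {
  ns=$1; org=$2; environment=$3; shift 3
  [ "$#" -ge 1 ] || { echo "at least one file is required" >&2; return 1; }
  for f in "$@"; do
    check_secret_file "$f" || return 1
  done
  name=$(secret_name "$org" "$environment")
  # Rotate the remaining positional parameters into --from-file options.
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do
    f=$1; shift
    set -- "$@" "--from-file=$f"
    i=$((i + 1))
  done
  kubectl -n "$ns" create secret generic "$name" "$@"
}

# replace_policy_secret NAMESPACE ORG ENV FILE...
# There is no in-place update for this secret, so delete it first
# (--ignore-not-found lets a first-time run succeed too), then recreate it.
# Allow about 90 seconds before expecting the new values in proxy flows.
replace_policy_secret() {
  kubectl -n "$1" delete secret "$(secret_name "$2" "$3")" --ignore-not-found
  create_policy_secret "$@"
}

# Usage (runs only when invoked with arguments, so sourcing this file for
# its functions has no side effects):
#   sh policy-secret.sh apigee myorg test ./credential.properties ./fullchain.pem
if [ "$#" -ge 4 ]; then
  replace_policy_secret "$@"
fi
```

Because every file fails closed on the checks, a typo such as an uppercase file name is rejected locally instead of producing a secret whose flow variables the proxy can never reference.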

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-05 UTC.