Tags: kubernetes, datadog, configmap, kubernetes-secrets

How to add API key confidentially inside config map?


I am new to K8s. I am trying to deploy a Datadog agent to my cluster to collect logs and this happens through a ConfigMap.

apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-cm
data:
  fluent-bit.conf: |
    [SERVICE]
        Parsers_File     parsers.conf
    
    [INPUT]
        name              tail
        path              /tmp/app.log
        parser            nginx

    [OUTPUT]
        Name           datadog
        Match          *
        Host           http-intake.logs.datadoghq.com
        # with TLS off the apikey below travels to the intake endpoint in cleartext
        TLS            off
        apikey         <API key to be used confidentially>
        dd_service     abcd
        dd_source      abcd
        dd_tags        env:dev

  parsers.conf: |
    [PARSER]
        Name   nginx
        Format regex
        Regex ^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*))" "(?<agent>[^\"]*)"(?: "(?<target>[^\"]*))"$
        Time_Key time
        Time_Format %d/%b/%Y:%H:%M:%S %z

I do not want to add the API key as plain text. Can I do it using secrets? Please suggest ways to achieve this.

P.S: I need to use the config map in order to add the Datadog agent, and hence the config map cannot be replaced.


Solution

  • In theory you could use a Secret as an environment variable, and pass it to a Pod using a ConfigMap.

    # The Secret holds the key; its value is base64 encoded, not encrypted.
    apiVersion: v1
    kind: Secret
    metadata:
      name: fluentbit-secret-test
    type: Opaque
    data:
      apikey: <base64 encoded api key>
    ---
    # The ConfigMap only references the variable. Fluent Bit expands
    # environment variables with the ${VAR} syntax; a bare $VAR is left as-is.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: fluent-cm
    data:
      fluent-bit.conf: |
    ...
            apikey         ${FLUENTBIT_API_KEY}
    ...
    ---
    # The Pod injects the Secret key into the container environment
    # under the name the ConfigMap references.
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-env-test
    spec:
      containers:
      - name: test
        image: nginx
        env:
          - name: FLUENTBIT_API_KEY
            valueFrom:
              secretKeyRef:
                name: fluentbit-secret-test
                key: apikey
    

    However, you must remember that Kubernetes Secrets are not encrypted by default, only base64 encoded. Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd
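The pattern in the answer above, as an added worked example that is not part of the original question or answer: the Secret carries the base64-encoded key, the ConfigMap carries only a `${FLUENTBIT_API_KEY}` reference, and the variable is resolved from the container environment at startup. The script below renders the Secret manifest, shows that base64 is trivially reversible, expands the ConfigMap the way Fluent Bit does at startup, and fails fast if the variable is missing or if the secret value was pasted into the ConfigMap by mistake. Assumptions, not stated on the page: Fluent Bit expands only the `${VAR}` form (a bare `$VAR` is passed through literally), the API key is a constructed sample, and the names `fluentbit-secret-test`, `fluent-cm` and `FLUENTBIT_API_KEY` are taken from the answer for illustration.

```python
"""Added example: keep a Datadog API key out of a Fluent Bit ConfigMap by
referencing it from a Kubernetes Secret via the container environment.
Not code from the original post; see assumptions in the comments.
"""
import base64
import re

# Constructed sample key for the demo only; never commit a real key.
SAMPLE_API_KEY = "0123456789abcdef0123456789abcdef"

# The ConfigMap text contains a reference, never the key itself.
CONFIGMAP_TEMPLATE = """\
[OUTPUT]
    Name           datadog
    Match          *
    Host           http-intake.logs.datadoghq.com
    TLS            on
    apikey         ${FLUENTBIT_API_KEY}
    dd_service     abcd
    dd_source      abcd
    dd_tags        env:dev
"""

# Assumption: Fluent Bit expands ${NAME} only; "$NAME" is left untouched.
_VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def secret_manifest(name, key, value):
    """Render an Opaque Secret. The value is base64 encoded, not encrypted."""
    encoded = base64.b64encode(value.encode()).decode()
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        "  name: %s\n"
        "type: Opaque\n"
        "data:\n"
        "  %s: %s\n" % (name, key, encoded)
    )


def decode_secret_value(manifest, key):
    """Recover the plaintext from a Secret manifest: anyone who can read the
    manifest (API access, etcd access, a committed YAML file) has the key."""
    match = re.search(r"^\s+%s: (\S+)$" % re.escape(key), manifest, re.M)
    if match is None:
        raise KeyError("key %r not present in Secret manifest" % key)
    return base64.b64decode(match.group(1)).decode()


def pod_env_from_secret(secret_name, key, var_name):
    """The env entry that maps a Secret key to a container variable,
    matching the secretKeyRef form used in the answer's Pod spec."""
    return {
        "name": var_name,
        "valueFrom": {"secretKeyRef": {"name": secret_name, "key": key}},
    }


def render_config(template, env):
    """Expand ${VAR} references from the container environment, as Fluent Bit
    does at startup (assumption: ${VAR} syntax). A missing variable raises so
    the agent does not silently send the literal string as its apikey."""
    def replace(match):
        name = match.group(1)
        if name not in env:
            raise KeyError("environment variable %s is not set for Fluent Bit" % name)
        return env[name]
    return _VAR_REF.sub(replace, template)


def configmap_leaks_secret(template, secret_value):
    """Pre-apply check: the ConfigMap text must not contain the secret value."""
    return secret_value in template


if __name__ == "__main__":
    secret = secret_manifest("fluentbit-secret-test", "apikey", SAMPLE_API_KEY)
    env = {"FLUENTBIT_API_KEY": decode_secret_value(secret, "apikey")}
    print(pod_env_from_secret("fluentbit-secret-test", "apikey", "FLUENTBIT_API_KEY"))
    print("ConfigMap leaks key:", configmap_leaks_secret(CONFIGMAP_TEMPLATE, SAMPLE_API_KEY))
    print(render_config(CONFIGMAP_TEMPLATE, env))
```

Run `configmap_leaks_secret` against every ConfigMap before `kubectl apply`; it is the check that catches the original mistake of pasting the key into `fluent-bit.conf`. Note that `decode_secret_value` is one line of base64, which is the point of the caveat in the answer: a Secret keeps the key out of the ConfigMap, not out of reach of anyone who can read Secrets or etcd.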