The goal of this walkthrough is to demonstrate how to use secretgen-controller to generate secret material in a Kubernetes cluster. We will use examples/passwords.yml as our YAML configuration.
You can use kubectl (or another tool) to deploy the YAML examples below. We've chosen kapp.
- Start by installing secretgen-controller onto the cluster.
- Install examples/passwords.yml. It tells secretgen-controller to generate three passwords.
$ kapp deploy -a passwords -f https://raw.githubusercontent.com/carvel-dev/secretgen-controller/develop/examples/passwords.yml
# or... kubectl apply -f https://raw.githubusercontent.com/carvel-dev/secretgen-controller/develop/examples/passwords.yml
Target cluster 'https://x.x.x.x' (nodes: gke-dk-jan-9-default-pool-a218b1c9-55sl, 3+)
Changes
Namespace Name Kind Conds. Age Op Wait to Rs Ri
default long-user-password Password - - create reconcile - -
^ postgresql-password Password - - create reconcile - -
^ user-password Password - - create reconcile - -
Rs: Reconcile state
Ri: Reconcile information
Op: 3 create, 0 delete, 0 update, 0 noop
Wait to: 3 reconcile, 0 delete, 0 noop
Continue? [yN]: y
4:03:53PM: ---- applying 3 changes [0/3 done] ----
4:03:53PM: create password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:53PM: create password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:53PM: create password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:53PM: ---- waiting on 3 changes [0/3 done] ----
4:03:54PM: ok: reconcile password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:54PM: L ok: waiting on secret/user-password (v1) namespace: default
4:03:54PM: ok: reconcile password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:54PM: L ok: waiting on secret/long-user-password (v1) namespace: default
4:03:55PM: ok: reconcile password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:55PM: L ok: waiting on secret/postgresql-password (v1) namespace: default
4:03:55PM: ---- applying complete [3/3 done] ----
4:03:55PM: ---- waiting complete [3/3 done] ----
Succeeded
- Make sure that the associated Secret resources were created. There should be three resources, user-password, long-user-password, and postgresql-password, named the same as their Password custom resources.
$ kapp inspect -a passwords --tree
Target cluster 'https://x.x.x.x' (nodes: gke-dk-jan-9-default-pool-a218b1c9-55sl, 3+)
Resources in app 'passwords'
Namespace Name Kind Owner Conds. Rs Ri Age
default postgresql-password Password kapp 1/1 t ok - 25s
default L postgresql-password Secret cluster - ok - 25s
default user-password Password kapp 1/1 t ok - 25s
default L user-password Secret cluster - ok - 25s
default long-user-password Password kapp 1/1 t ok - 25s
default L long-user-password Secret cluster - ok - 25s
Rs: Reconcile state
Ri: Reconcile information
6 resources
Succeeded
- Here is another way to look at them. Note that the postgresql-password secret is of type Opaque. It will have different data KVs compared to long-user-password and user-password.
$ kubectl get secret
NAME TYPE DATA AGE
long-user-password kubernetes.io/basic-auth 1 2m8s
postgresql-password Opaque 1 2m8s
user-password kubernetes.io/basic-auth 1 2m8s
- Let's see what is generated within kubernetes.io/basic-auth type secrets. Two Password custom resources were configured to generate passwords of different lengths via their spec.length field.
$ kubectl get secret user-password -o jsonpath='{.data.password}' | base64 -D
lek1rd83fi8nquh56fpy9ojit547thr7ast746g9
$ kubectl get secret long-user-password -o jsonpath='{.data.password}' | base64 -D
5enadb1fzztqcchb26n4oz1lmwnrvslounj81mkj9fh3b99aqu0w4scwsaa9rb4bkaaag33mef21vq3zohxz72byd4dkele7v3w5i3gw3l5w7wa68e5pqbkopu7s
The postgresql-password secret was configured to have different data KVs by specifying spec.secretTemplate.
$ kubectl get secret postgresql-password -o jsonpath='{.data.postgresql-password}' | base64 -D
46788fn7ft5grfdptcxts0qxlqbqp5jua9umrp59
- After looking around, we can delete all resources. Secrets generated by the controller are owned by individual Password resources, and hence will be deleted when their owning Password resource is deleted. To retain Secrets you can clear out their metadata.ownerReferences[*].
$ kapp delete -a passwords
Target cluster 'https://x.x.x.x' (nodes: gke-dk-jan-9-default-pool-a218b1c9-55sl, 3+)
Changes
Namespace Name Kind Conds. Age Op Wait to Rs Ri
default long-user-password Password 1/1 t 7m delete delete ok -
^ long-user-password Secret - 7m - delete ok -
^ postgresql-password Password 1/1 t 7m delete delete ok -
^ postgresql-password Secret - 7m - delete ok -
^ user-password Password 1/1 t 7m delete delete ok -
^ user-password Secret - 7m - delete ok -
Rs: Reconcile state
Ri: Reconcile information
Op: 0 create, 3 delete, 0 update, 3 noop
Wait to: 0 reconcile, 6 delete, 0 noop
Continue? [yN]: y
4:11:21PM: ---- applying 6 changes [0/6 done] ----
4:11:21PM: delete password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:21PM: delete password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:21PM: noop secret/long-user-password (v1) namespace: default
4:11:21PM: noop secret/postgresql-password (v1) namespace: default
4:11:21PM: noop secret/user-password (v1) namespace: default
4:11:21PM: delete password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:21PM: ---- waiting on 6 changes [0/6 done] ----
4:11:21PM: ok: delete password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:22PM: ok: delete password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:22PM: ok: delete secret/long-user-password (v1) namespace: default
4:11:22PM: ok: delete secret/postgresql-password (v1) namespace: default
4:11:22PM: ok: delete secret/user-password (v1) namespace: default
4:11:22PM: ok: delete password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:22PM: ---- applying complete [6/6 done] ----
4:11:22PM: ---- waiting complete [6/6 done] ----
Succeeded
- Refer to Docs TOC for details
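As an added check (example code, not part of the secretgen-controller project or this walkthrough), the script below verifies that a generated Secret is consistent with its Password custom resource: the default basic-auth shape, the type and key set by spec.secretTemplate, the value length from spec.length, and the ownerReference that makes the Secret go away with its Password. The Password specs and Secret objects are constructed to mirror the walkthrough, and the default length of 40 is an assumption based on the 40-character user-password shown above.

```python
import base64

DEFAULT_LENGTH = 40  # assumption: controller default, matching the 40-char user-password

PASSWORDS = {  # constructed to mirror the walkthrough's three Password CRs
    "user-password": {"metadata": {"name": "user-password"}, "spec": {}},
    "long-user-password": {"metadata": {"name": "long-user-password"},
                           "spec": {"length": 124}},
    "postgresql-password": {"metadata": {"name": "postgresql-password"},
                            "spec": {"secretTemplate": {
                                "type": "Opaque",
                                "stringData": {"postgresql-password": "$(value)"}}}},
}

def expected_shape(password_cr):
    """Secret type and data keys: basic-auth with a `password` key by default,
    otherwise the secretTemplate's type and the keys that receive $(value)."""
    tmpl = password_cr.get("spec", {}).get("secretTemplate")
    if tmpl is None:
        return "kubernetes.io/basic-auth", ["password"]
    keys = [k for k, v in tmpl.get("stringData", {}).items() if "$(value)" in v]
    return tmpl.get("type", "Opaque"), keys

def sample_secret(name, secret_type, key, length, owned=True):
    """Constructed stand-in for `kubectl get secret <name> -o json` output."""
    meta = {"name": name, "namespace": "default"}
    if owned:
        meta["ownerReferences"] = [{"apiVersion": "secretgen.k14s.io/v1alpha1",
                                    "kind": "Password", "name": name}]
    value = base64.b64encode(b"x" * length).decode()
    return {"metadata": meta, "type": secret_type, "data": {key: value}}

def check_secret(password_cr, secret):
    """Return findings; an empty list means the Secret matches its Password."""
    findings = []
    name = password_cr["metadata"]["name"]
    exp_type, exp_keys = expected_shape(password_cr)
    length = password_cr.get("spec", {}).get("length", DEFAULT_LENGTH)
    if secret.get("type") != exp_type:
        findings.append(f"type {secret.get('type')} != {exp_type}")
    for key in exp_keys:
        raw = secret.get("data", {}).get(key)
        if raw is None:
            findings.append(f"missing data key {key}")
        elif len(base64.b64decode(raw)) != length:
            findings.append(f"{key}: length {len(base64.b64decode(raw))} != {length}")
    owners = secret["metadata"].get("ownerReferences", [])
    if not any(o.get("kind") == "Password" and o.get("name") == name for o in owners):
        findings.append("no ownerReference to Password: Secret would outlive it")
    return findings
```

Against a live cluster, feed `check_secret` the Password and Secret objects from `kubectl get ... -o json` instead of `sample_secret`; a missing ownerReference is exactly the state left behind when `metadata.ownerReferences[*]` is cleared to retain a Secret.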