- Backlog: Pivotal Tracker
- Slack: #quarks-dev on https://slack.cloudfoundry.org
- Docker: https://hub.docker.com/r/cfcontainerization/quarks-secret/tags
- Helm hub
Quarks Secret lets you automatically generate secrets such as passwords, certificates and SSH keys, to ease management of credentials in Kubernetes.
Add the quarks repository to helm if you haven’t already:
The simplest way to install the latest release of Quarks Secret is by using Helm 3 with the default values:
The operator will watch for `QuarksSecret` resources in a separate namespace from the one it has been deployed to. By default, it creates a namespace `staging` and starts watching it.
A complete list of the chart settings is available here.
Can be managed as a standard helm package:
so just be sure to keep your customization in a values file
Watching multiple namespaces
By default the component will watch for resources created in the `staging` namespace, but it can be configured to watch over multiple namespaces.
Refer to the quarks-operator instructions as they are shared between all the
Overview of Quarks Secret
A QuarksSecret is a Kubernetes object that contains instructions on the type of Kubernetes Secret that must be generated, which can later be referenced in a Pod.
For instance, to generate a basic auth password, we can apply the following yaml with
The `type` field denotes the type of secret that should be generated. Currently, quarks-secret supports the following types:
Quarks Secret can be used to generate passwords, certificates and keys. It uses the cfssl package to generate these. The generated values are stored in Kubernetes secrets.
Example of a `QuarksSecret` resource, which generates a Kubernetes secret containing a certificate:
The example can be applied to the namespace where the operator is watching for resources (`staging` by default).
If a certificate is generated, the Quarks Secret operator ensures that a certificate signing request (CSR) is generated and is approved by the Kubernetes API server.
The `QuarksSecret` resource example generates a Kubernetes Secret of `kubernetes.io/tls` type, which contains keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
It is primarily used with TLS termination of the k8s `Ingress` resource or Istio Secure Gateways.
Due to its use cases, only the `local` `signerType` is supported.
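A check an operator could run over a generated secret, as an added example that is not part of the Quarks Secret project: it takes a Secret in the JSON shape returned by `kubectl get secret -o json` and reports a wrong type, missing keys, bad encoding, or a private key stored under `tls.crt`. The function names and sample values are constructed for illustration, and only the PEM framing is inspected, not the cryptographic validity of the certificate.

```python
import base64
import re

# Matches a PEM header such as "-----BEGIN CERTIFICATE-----".
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(b64_value):
    """Decode one Secret data value; return its PEM block labels, or None if undecodable."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("ascii")
    except (ValueError, TypeError):  # bad base64, non-ASCII content, or wrong type
        return None
    return PEM_BEGIN.findall(text)

def check_tls_secret(secret):
    """Return findings for a Secret dict; an empty list means the checks passed."""
    findings = []
    if secret.get("type") != "kubernetes.io/tls":
        findings.append("type is not kubernetes.io/tls")
    data = secret.get("data") or {}
    for key in ("tls.crt", "tls.key"):
        if key not in data:
            findings.append(f"{key}: missing")
            continue
        labels = pem_labels(data[key])
        has_private_key = any(label.endswith("PRIVATE KEY") for label in labels or [])
        if labels is None:
            findings.append(f"{key}: not base64-encoded PEM text")
        elif key == "tls.crt":
            if "CERTIFICATE" not in labels:
                findings.append("tls.crt: no CERTIFICATE block")
            if has_private_key:  # key material in the field usually treated as public
                findings.append("tls.crt: contains a private key block")
        elif not has_private_key:
            findings.append("tls.key: no PRIVATE KEY block")
    return findings

def b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

# Constructed sample data: PEM framing only, the bodies are not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
GOOD = {"type": "kubernetes.io/tls", "data": {"tls.crt": b64(CERT), "tls.key": b64(KEY)}}
BAD = {"type": "Opaque", "data": {"tls.crt": b64(CERT + KEY)}}

if __name__ == "__main__":
    for name, secret in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tls_secret(secret) or "ok")
```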
The examples directory on GitHub.