Quarks Secret

Generates Kubernetes Secrets for passwords, SSH keys and SSL certificates from within the cluster.

Description

Quarks Secret lets you automatically generate secrets such as passwords, certificates and SSH keys, to ease management of credentials in Kubernetes.

Installation

Add the quarks repository to helm if you haven’t already:

helm repo add quarks https://cloudfoundry-incubator.github.io/quarks-helm/

The simplest way to install the latest release of Quarks Secret is with helm 3 and the default values:

kubectl create namespace quarks
helm install qsecret quarks/quarks-secret --namespace quarks

The operator watches for QuarksSecret resources in a namespace separate from the one it is deployed to. By default it creates a namespace named staging and watches that one.

A complete list of the chart settings is available here.

Upgrade

Can be managed as a standard helm package:

helm upgrade --namespace quarks qsecret quarks/quarks-secret

Keep any customization in a values file and pass it with -f on every install and upgrade; an upgrade run without it falls back to the chart defaults.

Watching multiple namespaces

By default the component will watch for resources created in the staging namespace, but it can be configured to watch over multiple namespaces.

Refer to the quarks-operator instructions as they are shared between all the Quarks components.

Overview of Quarks Secret

A QuarksSecret is a Kubernetes object that carries instructions for the kind of Kubernetes Secret the operator must generate; the resulting Secret can then be referenced from a Pod like any other Secret.

For instance, to generate a random password, apply the following YAML with kubectl:

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-password
spec:
  type: password
  secretName: gen-secret1
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/password.yaml

The type field denotes the kind of Secret to generate; quarks-secret currently supports the following types:

  • password
  • certificate
  • tls
  • ssh
  • rsa
  • basic-auth
  • dockerconfigjson
  • copy
  • templatedconfig
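The following script is an added example, not code from the Quarks Secret docs or code base. It applies the password QuarksSecret shown above, waits for the operator to materialise the Secret (creation is asynchronous), reads the value back, and then consumes it from a Pod that references only the generated Secret. Two things are assumed rather than stated on this page: the watched namespace is the default staging, and a password-type QuarksSecret stores its value under the data key password. The helper functions work for any of the listed types (pass username or private_key instead of password).

```shell
#!/bin/sh
# Added example (not part of the Quarks Secret docs or code base): apply the
# password QuarksSecret, wait for the generated Secret, read it back, and
# consume it from a Pod.
# Assumptions, not stated on the page: the operator watches the "staging"
# namespace and a password-type QuarksSecret stores its value under the data
# key "password".
NS="${NS:-staging}"
POLL_INTERVAL="${POLL_INTERVAL:-2}"

# The Secret is created asynchronously once the QuarksSecret is admitted, so
# poll for it. Returns 1 after $2 attempts (default 30).
wait_for_secret() {
  name="$1"; attempts="${2:-30}"; i=0
  while [ "$i" -lt "$attempts" ]; do
    if kubectl get secret "$name" -n "$NS" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep "$POLL_INTERVAL"
  done
  echo "secret $name did not appear in namespace $NS" >&2
  return 1
}

# Print one data key of a Secret, base64-decoded (the API stores .data
# base64-encoded). Dots in key names (tls.crt) must be escaped for jsonpath.
secret_field() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  encoded=$(kubectl get secret "$1" -n "$NS" -o "jsonpath={.data.$key}") || return 1
  [ -n "$encoded" ] || { echo "key $2 missing in secret $1" >&2; return 1; }
  printf '%s' "$encoded" | base64 -d
}

# End-to-end flow against a real cluster; run it with: demo_password_secret
demo_password_secret() {
  # The QuarksSecret from the docs, applied to the watched namespace.
  kubectl apply -n "$NS" -f - <<'EOF' || return 1
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-password
spec:
  type: password
  secretName: gen-secret1
EOF
  wait_for_secret gen-secret1 || return 1
  # Never echo the secret itself; report only its length as a sanity check.
  echo "gen-secret1/password: $(secret_field gen-secret1 password | wc -c) bytes"

  # The Pod references the generated Secret only, never the QuarksSecret.
  kubectl apply -n "$NS" -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: uses-gen-secret1
spec:
  restartPolicy: Never
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "test -n \"$APP_PASSWORD\" && echo password injected"]
      env:
        - name: APP_PASSWORD
          valueFrom:
            secretKeyRef:
              name: gen-secret1
              key: password
EOF
}
```

Source the file and call demo_password_secret with kubectl pointed at the cluster; the Pod's log should read "password injected". Because the operator writes the Secret some time after the QuarksSecret is admitted, anything that depends on it (a Pod, a Deployment rollout) has to wait for the Secret rather than for the QuarksSecret.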

Generate credentials

Quarks Secret can generate passwords, certificates and keys. It uses the cfssl package for this and stores the generated values in Kubernetes Secrets.

Certificates

Example of a QuarksSecret resource, which generates a Kubernetes secret containing a certificate:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-certificate
spec:
  request:
    certificate:
      alternativeNames:
        - foo.com
        - '*.foo.com'
      commonName: routerSSL
      isCA: false
      signerType: cluster
  secretName: gen-certificate
  type: certificate
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/certificate.yaml

Apply the example to the namespace the operator watches (staging by default).

With signerType: cluster, as in this example, the operator generates the key, submits a certificate signing request (CSR) to the Kubernetes API server and ensures it is approved, so the certificate is issued by the cluster's signer. With signerType: local, the certificate is signed with the CA certificate and private key referenced by CARef and CAKeyRef, as in the TLS example.

k8s TLS

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: example.quarks.tls
spec:
  request:
    certificate:
      CAKeyRef:
        key: private_key
        name: example.secret.ca
      CARef:
        key: certificate
        name: example.secret.ca
      alternativeNames: null
      commonName: kubeTlsTypeCert
      isCA: false
      signerType: local
  secretName: example.secret.tls
  type: tls
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/tls.yaml

This QuarksSecret resource example generates a Kubernetes Secret of type kubernetes.io/tls, whose tls.crt and tls.key keys hold the certificate and private key to use for TLS. It is primarily used for TLS termination on a Kubernetes Ingress resource or an Istio Secure Gateway. Because of these use cases, only the local signerType is supported.
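Before an Ingress or gateway starts serving a generated tls Secret it is worth confirming that the three pieces fit together: the private key belongs to the certificate, the certificate chains to the CA named by CARef, and the subject carries the commonName that was requested. The check below is an added example, not code from the Quarks Secret docs or code base. It reads the Secrets with kubectl from the staging namespace the page describes as the default and inspects them with openssl; both tools are assumed to be on PATH. The CA is fetched from the Secret and key that the QuarksSecret's CARef points to (example.secret.ca / certificate in the example above). For a certificate-type Secret the same function works if the data keys certificate and private_key (the names the example's CARef and CAKeyRef reference) are passed as the fifth and sixth arguments.

```shell
#!/bin/sh
# Added example (not part of the Quarks Secret docs or code base): verify that
# a kubernetes.io/tls Secret generated by a tls-type QuarksSecret is internally
# consistent. Assumes kubectl and openssl on PATH and the default "staging"
# namespace; the CA Secret/key are those the QuarksSecret's CARef names.
NS="${NS:-staging}"

# One data key of a Secret in the watched namespace, base64-decoded.
# Dots in key names (tls.crt) must be escaped in a jsonpath expression.
secret_pem() {
  encoded=$(kubectl get secret "$1" -n "$NS" -o "jsonpath={.data.$(printf '%s' "$2" | sed 's/\./\\./g')}") || return 1
  [ -n "$encoded" ] && printf '%s' "$encoded" | base64 -d
}

# verify_tls_secret SECRET CA_SECRET CA_KEY WANT_CN [CERT_KEY] [KEY_KEY]
# CERT_KEY/KEY_KEY default to the tls type's tls.crt/tls.key; for a
# certificate-type Secret pass "certificate private_key" instead.
# The body runs in a subshell, so "exit" only leaves the function and the
# temporary files are always removed.
verify_tls_secret() (
  name="$1"; ca_secret="$2"; ca_key="$3"; want_cn="$4"
  cert_key="${5:-tls.crt}"; key_key="${6:-tls.key}"
  dir=$(mktemp -d) || exit 1
  die() { echo "$name: $*" >&2; rm -rf "$dir"; exit 1; }

  secret_pem "$name" "$cert_key" > "$dir/cert.pem" || die "cannot read $cert_key"
  secret_pem "$name" "$key_key" > "$dir/key.pem" || die "cannot read $key_key"
  secret_pem "$ca_secret" "$ca_key" > "$dir/ca.pem" || die "cannot read CA from $ca_secret/$ca_key"

  # 1. The private key must belong to the certificate: both sides must yield
  #    the same SubjectPublicKeyInfo.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || die "$cert_key is not a certificate"
  key_pub=$(openssl pkey -in "$dir/key.pem" -pubout) || die "$key_key is not a private key"
  [ "$cert_pub" = "$key_pub" ] || die "$key_key does not match $cert_key"

  # 2. The certificate must chain to the CA the QuarksSecret referenced
  #    (signerType: local signs with exactly that CA).
  openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 \
    || die "$cert_key is not signed by $ca_secret/$ca_key"

  # 3. The subject must carry the commonName that was requested.
  subject=$(openssl x509 -in "$dir/cert.pem" -noout -subject -nameopt RFC2253)
  case "$subject" in
    *"CN=$want_cn"*) ;;
    *) die "unexpected subject: $subject" ;;
  esac

  rm -rf "$dir"
  echo "$name: key matches certificate, chains to $ca_secret/$ca_key, CN=$want_cn"
)
```

For the example above the call is verify_tls_secret example.secret.tls example.secret.ca certificate kubeTlsTypeCert. Each failure mode (mismatched key, certificate not issued by the referenced CA, wrong subject) produces its own message on stderr and a non-zero status, so the function can gate a deployment step.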

RSA keys

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-rsa-keys-example
spec:
  secretName: rsa-keys-1
  type: rsa
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/rsa.yaml

Basic Authentication

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-basic-auth-1
spec:
  type: basic-auth
  secretName: gen-secret-basic-with-user
  request:
    basic-auth:
      username: my-user
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-basic-auth-2
spec:
  type: basic-auth
  secretName: gen-secret-basic
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/basic-auth.yml

Examples

The examples directory on GitHub.

Last modified May 25, 2021: Fix code display in release docs (2bc24a5)