Tasks

Working with QuarksSecret

User Provided Secrets

To skip generation of secrets and provide custom values, create the secret first.

---
apiVersion: v1
kind: Secret
metadata:
  name: gen-secret1
type: Opaque
stringData:
  password: userdefinedpassword
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/user-provided-secret.yaml

Quarks Secret will skip existing secrets of the same name. Generated secrets have the quarks.cloudfoundry.org/secret-kind=generated label.

Rotation Config

The generated secret values can be updated by creating a special 'rotation config' ConfigMap. The ConfigMap must have the label quarks.cloudfoundry.org/secret-rotation.

The rotation config specifies a list of QuarksSecret names:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rotate
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
data:
  secrets: '["generate-password"]'
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/rotate.yaml

After the ConfigMap is created, the generated secrets of the listed QuarksSecrets will be updated. Updates to the rotation config are ignored; it has to be deleted and created again for another rotation run.

If a secret is missing the quarks.cloudfoundry.org/secret-kind=generated label, it will not be changed.
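The following pre-flight check is an added example, not code from the Quarks Secret project. It applies only the rules stated in this section to predict which listed QuarksSecrets a rotation run would actually change. The function name `rotation_plan`, the outcome strings, and the sample objects are assumptions made for illustration, and all objects are assumed to live in one namespace.

```python
import json

ROTATION_LABEL = "quarks.cloudfoundry.org/secret-rotation"
KIND_LABEL = "quarks.cloudfoundry.org/secret-kind"

def rotation_plan(config_map, quarks_secrets, secrets):
    """Predict what a rotation run changes, using only the rules stated in this document.

    Arguments are dicts shaped like items from `kubectl get -o json`, one namespace.
    """
    if ROTATION_LABEL not in config_map["metadata"].get("labels", {}):
        return {}  # without the label this is an ordinary ConfigMap: no rotation
    names = json.loads(config_map["data"]["secrets"])  # JSON list of QuarksSecret names
    if not isinstance(names, list):
        raise ValueError("data.secrets must be a JSON list of QuarksSecret names")
    # QuarksSecret name -> name of the Secret it manages (spec.secretName)
    managed = {q["metadata"]["name"]: q["spec"]["secretName"] for q in quarks_secrets}
    labels = {s["metadata"]["name"]: s["metadata"].get("labels", {}) for s in secrets}
    plan = {}
    for name in names:
        if name not in managed:
            plan[name] = "no such QuarksSecret"
        elif managed[name] not in labels:
            plan[name] = "secret not found"
        elif labels[managed[name]].get(KIND_LABEL) == "generated":
            plan[name] = "rotated"
        else:
            plan[name] = "unchanged (secret lacks the generated label)"
    return plan

# Constructed sample objects, trimmed to the fields the check reads.
SAMPLE_CONFIG = {"metadata": {"name": "rotate", "labels": {ROTATION_LABEL: "true"}},
                 "data": {"secrets": '["generate-password", "copy-user", "typo-name"]'}}
SAMPLE_QSECRETS = [
    {"metadata": {"name": "generate-password"}, "spec": {"secretName": "gen-secret1"}},
    {"metadata": {"name": "copy-user"}, "spec": {"secretName": "gen-secret"}},
]
SAMPLE_SECRETS = [
    {"metadata": {"name": "gen-secret1"}},  # user provided, so no generated label
    {"metadata": {"name": "gen-secret", "labels": {KIND_LABEL: "generated"}}},
]

if __name__ == "__main__":
    plan = rotation_plan(SAMPLE_CONFIG, SAMPLE_QSECRETS, SAMPLE_SECRETS)
    for name, outcome in plan.items():
        print(f"{name}: {outcome}")
```

Any entry that does not come back as "rotated" still holds its old value after the run, which matters when the rotation is a response to a suspected credential leak.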

Copy Secrets Into Another Namespace

The Quarks Secret operator can also generate copies in multiple namespaces while generating secrets.

For example, while generating passwords:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: copy-user
spec:
  type: password
  secretName: gen-secret
  copies:
  - name: copied-secret
    namespace: COPYNAMESPACE
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy.yaml

A list of copying targets can be specified with the copies key:

  copies:
  - name: copied-secret
    namespace: namespace1

As a safeguard against accidental updates, each indicated destination needs to have a QuarksSecret of the copy type in the following form:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  labels:
    quarks.cloudfoundry.org/secret-kind: generated
  annotations:
    quarks.cloudfoundry.org/secret-copy-of: NAMESPACE/copy-user
  name: copy-user
  namespace: COPYNAMESPACE
spec:
  type: copy
  secretName: copied-secret
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy-qsecret-destination.yaml

The example copies the generated gen-secret secret content into copied-secret inside the COPYNAMESPACE namespace.

Templated Config Secret Generation

This feature is particularly useful for projects that require their configuration in a specific format and that require their entire config to be specified in one secret.

For example,

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-password-for-template
spec:
  type: password
  secretName: gen-secret-for-template
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: templated-config-test
spec:
  # Define the QuarksSecret type
  type: templatedconfig
  # The new secret name which will have the templated config
  secretName: templated-secret
  request:
    templatedConfig:
      # Define the templating type, in this case "helm" (it's also the only supported type as for now)
      # Here, supplied values are available under .Values as usual
      type: helm
      templates:
        # The result will be stored in a secret: secret.Data["foo"] = <value from referenced secret>
        foo: "{{.Values.Bar}}"
      # The values for our template in a key, value format.
      values:
        # The name of the variable
        Bar:
          # A reference to the secret
          name: "gen-secret-for-template"
          key: "password"
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/templated-config.yaml

Here the templates key holds the configuration as simple key-value pairs. The values key lists the names of the secrets from which the values are fetched.

When run, the above example will create the following templated-secret configuration secret.

apiVersion: v1
kind: Secret
metadata:
  name: templated-secret
type: Opaque
Data:
  foo: GSA7Kndi4BzUQjL3cSHv0CRVsNWGBXgibzpzxKvZAHR2sdMLIBJ6jONBcmSCDHp8
Last modified May 25, 2021: Fix code display in release docs (2bc24a5)