Tasks

Working with QuarksSecret

User Provided Secrets

To skip generation of secrets and provide custom values, create the secret first.

---
apiVersion: v1
kind: Secret
metadata:
  name: gen-secret1
type: Opaque
stringData:
  password: userdefinedpassword

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/user-provided-secret.yaml

Quarks Secret will skip existing secrets of the same name. Generated secrets have the quarks.cloudfoundry.org/secret-kind=generated label.

Rotation Config

The generated secret values can be updated by creating a special ‘rotation config’ config map. The configmap must have the label quarks.cloudfoundry.org/secret-rotation.

The rotation config specifies a list of QuarksSecret names:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rotate
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
data:
  secrets: '["generate-password"]'

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/rotate.yaml

After the config map is created, the generated secrets of the listed QuarksSecrets are updated. Updates to the rotation config are ignored; it has to be deleted and created again for another rotation run.

If a secret is missing the quarks.cloudfoundry.org/secret-kind=generated label, it will not be changed.

Copy Secrets Into Another Namespace

The Quarks Secret operator can also generate copies in multiple namespaces while generating secrets.

For example, while generating passwords:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: copy-user
spec:
  type: password
  secretName: gen-secret
  copies:
  - name: copied-secret
    namespace: COPYNAMESPACE

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy.yaml

A list of copying targets can be specified with the copies key:

  copies:
  - name: copied-secret
    namespace: namespace1

As a safeguard against accidental updates, each indicated destination namespace needs to have a QuarksSecret of the copy type in the following form:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  labels:
    quarks.cloudfoundry.org/secret-kind: generated
  annotations:
    quarks.cloudfoundry.org/secret-copy-of: NAMESPACE/copy-user
  name: copy-user
  namespace: COPYNAMESPACE
spec:
  type: copy
  secretName: copied-secret

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy-qsecret-destination.yaml

The example copies the generated gen-secret secret content into copied-secret inside the COPYNAMESPACE namespace.
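The two safeguards described in the rotation and copy sections above (only Secrets labelled secret-kind=generated are rotated; a copy target is only written where a matching QuarksSecret of type copy exists) can be checked before applying manifests. The following is an added example written for this page, not Quarks Secret's own code; the objects are plain dicts shaped like the manifests above, and the sample cluster state is constructed.

```python
import json

ROTATION_LABEL = "quarks.cloudfoundry.org/secret-rotation"
KIND_LABEL = "quarks.cloudfoundry.org/secret-kind"
COPY_OF_ANNOTATION = "quarks.cloudfoundry.org/secret-copy-of"

def rotation_plan(configmap, quarks_secrets, secrets):
    """quarks_secrets: QuarksSecret name -> spec.secretName; secrets: Secret
    name -> labels. Returns (rotate, skipped) with a reason per skipped name."""
    rotate, skipped = [], {}
    labels = configmap.get("metadata", {}).get("labels", {})
    if labels.get(ROTATION_LABEL) != "true":
        return rotate, {"*": "ConfigMap lacks the secret-rotation label"}
    # data.secrets is a JSON-encoded list of QuarksSecret names, not a YAML list
    for qsec in json.loads(configmap["data"]["secrets"]):
        secret_name = quarks_secrets.get(qsec)
        if secret_name is None:
            skipped[qsec] = "no QuarksSecret with that name"
        elif secrets.get(secret_name, {}).get(KIND_LABEL) != "generated":
            # user-provided Secrets never carry the label, so rotation leaves them alone
            skipped[secret_name] = "missing secret-kind=generated label"
        else:
            rotate.append(secret_name)
    return rotate, skipped

def copy_targets(source_ns, source_name, copies, destination_qsecrets):
    """Keep only copy targets whose namespace holds a matching QuarksSecret of type copy."""
    expected, allowed = f"{source_ns}/{source_name}", []
    for copy in copies:
        for dest in destination_qsecrets:
            meta, spec = dest["metadata"], dest["spec"]
            if (meta.get("namespace") == copy["namespace"]
                    and meta.get("annotations", {}).get(COPY_OF_ANNOTATION) == expected
                    and spec.get("type") == "copy"
                    and spec.get("secretName") == copy["name"]):
                allowed.append((copy["namespace"], copy["name"]))
                break
    return allowed

# Constructed sample cluster state, not real objects
ROTATE_CM = {"metadata": {"labels": {ROTATION_LABEL: "true"}},
             "data": {"secrets": '["generate-password", "user-secret"]'}}
QSECRETS = {"generate-password": "gen-secret", "user-secret": "gen-secret1"}
SECRETS = {"gen-secret": {KIND_LABEL: "generated"}, "gen-secret1": {}}
DEST_QSECRETS = [{"metadata": {"namespace": "COPYNAMESPACE",
                               "annotations": {COPY_OF_ANNOTATION: "NAMESPACE/copy-user"}},
                  "spec": {"type": "copy", "secretName": "copied-secret"}}]
COPIES = [{"name": "copied-secret", "namespace": "COPYNAMESPACE"},
          {"name": "copied-secret", "namespace": "other-ns"}]
```

With the sample state, rotation_plan rotates only gen-secret and reports gen-secret1 (user provided, unlabelled) as skipped, and copy_targets admits COPYNAMESPACE but not other-ns, which has no destination QuarksSecret.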