Tasks
Working with QuarksSecret
User Provided Secrets
To skip generation of secrets and provide custom values, create the secret first.
---
apiVersion: v1
kind: Secret
metadata:
  name: gen-secret1
type: Opaque
stringData:
  password: userdefinedpassword
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/user-provided-secret.yaml
Quarks Secret will skip existing secrets of the same name.
Generated secrets have the quarks.cloudfoundry.org/secret-kind=generated label.
Rotation Config
The generated secret values can be updated by creating a special ‘rotation config’ config map.
The config map must have the label quarks.cloudfoundry.org/secret-rotation.
The rotation config specifies a list of QuarksSecret names:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rotate
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
data:
  secrets: '["generate-password"]'
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/rotate.yaml
After creation of the config map, the generated secrets of the listed QuarksSecrets will be updated. Updates to the rotation config are ignored; it has to be deleted and created again for another rotation run.
If a secret is missing the quarks.cloudfoundry.org/secret-kind=generated label, it will not be changed.
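Because secrets without the generated label are left unchanged, a rotation run can leave a user-provided credential untouched. The following check is an added example, not part of the Quarks Secret project: it predicts the effect of a rotation config from objects parsed from `kubectl get <kind> -o json`. The function name, the result keys, the sample objects and the single-namespace scope are assumptions.

```python
import json

ROTATION_LABEL = "quarks.cloudfoundry.org/secret-rotation"
KIND_LABEL = "quarks.cloudfoundry.org/secret-kind"

def rotation_plan(config_map, quarks_secrets, secrets):
    """Predict the effect of a rotation config within one namespace.
    Arguments are objects parsed from `kubectl get <kind> -o json`."""
    if ROTATION_LABEL not in config_map["metadata"].get("labels", {}):
        raise ValueError("config map lacks the secret-rotation label")
    # data.secrets is a JSON-encoded list of QuarksSecret names.
    wanted = json.loads(config_map["data"]["secrets"])
    qsecs = {q["metadata"]["name"]: q for q in quarks_secrets}
    labels = {s["metadata"]["name"]: s["metadata"].get("labels", {})
              for s in secrets}
    plan = {"rotated": [], "unchanged": [], "no_secret": [],
            "no_quarkssecret": []}
    for name in wanted:
        if name not in qsecs:
            plan["no_quarkssecret"].append(name)  # listed name matches nothing
            continue
        target = qsecs[name]["spec"]["secretName"]
        if target not in labels:
            plan["no_secret"].append(target)      # Secret not present
        elif labels[target].get(KIND_LABEL) == "generated":
            plan["rotated"].append(target)
        else:
            plan["unchanged"].append(target)      # e.g. user-provided secret
    return plan

# Constructed sample objects, trimmed to the fields the check reads.
CONFIG_MAP = {
    "metadata": {"name": "rotate", "labels": {ROTATION_LABEL: "true"}},
    "data": {"secrets": '["generate-password", "db-password", "typo-name"]'},
}
QUARKS_SECRETS = [
    {"metadata": {"name": "generate-password"},
     "spec": {"type": "password", "secretName": "gen-secret"}},
    {"metadata": {"name": "db-password"},
     "spec": {"type": "password", "secretName": "gen-secret1"}},
]
SECRETS = [
    {"metadata": {"name": "gen-secret", "labels": {KIND_LABEL: "generated"}}},
    {"metadata": {"name": "gen-secret1"}},  # created by the user, no label
]

if __name__ == "__main__":
    print(json.dumps(rotation_plan(CONFIG_MAP, QUARKS_SECRETS, SECRETS), indent=2))
```

Any name reported under `unchanged` keeps its current value after the rotation run and has to be rotated by whoever provided it.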
Copy Secrets Into Another Namespace
The Quarks Secret operator can also generate copies in multiple namespaces while generating secrets.
For example, while generating passwords:
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: copy-user
spec:
  type: password
  secretName: gen-secret
  copies:
  - name: copied-secret
    namespace: COPYNAMESPACE
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy.yaml
A list of copying targets can be specified with the copies key:
copies:
- name: copied-secret
  namespace: namespace1
As a safeguard against accidental updates, each indicated destination needs to have a QuarksSecret of the copy type in the following form:
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  labels:
    quarks.cloudfoundry.org/secret-kind: generated
  annotations:
    quarks.cloudfoundry.org/secret-copy-of: NAMESPACE/copy-user
  name: copy-user
  namespace: COPYNAMESPACE
spec:
  type: copy
  secretName: copied-secret
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy-qsecret-destination.yaml
The example copies the generated gen-secret secret content into copied-secret inside the COPYNAMESPACE namespace.
Templated Config Secret Generation
This feature is particularly useful for projects that require their configuration in a specific format and that require their entire config to be specified in one secret.
For example,
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-password-for-template
spec:
  type: password
  secretName: gen-secret-for-template
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: templated-config-test
spec:
  # Define the QuarksSecret type
  type: templatedconfig
  # The new secret name which will have the templated config
  secretName: templated-secret
  request:
    templatedConfig:
      # Define the templating type, in this case "helm" (it's also the only supported type as for now)
      # Here, supplied values are available under .Values as usual
      type: helm
      templates:
        # The result will be stored in a secret: secret.Data["foo"] = <value from referenced secret>
        foo: "{{.Values.Bar}}"
      # The values for our template in a key, value format.
      values:
        # The name of the variable
        Bar:
          # A reference to the secret
          name: "gen-secret-for-template"
          key: "password"
Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/templated-config.yaml
Here the templates key holds the configuration as simple key-value pairs. The values key lists the secret names from which the values are fetched.
When run, the above example creates the following templated-secret configuration secret.
apiVersion: v1
kind: Secret
metadata:
  name: templated-secret
type: Opaque
data:
  foo: GSA7Kndi4BzUQjL3cSHv0CRVsNWGBXgibzpzxKvZAHR2sdMLIBJ6jONBcmSCDHp8