secretgen-controller/docs/walkthrough.md at develop · devanshuVmware/secretgen-controller

Walkthrough

Goal of this walkthrough is to demonstrate how to use secretgen-controller to general some secret material in a Kubernetes cluster. We will use examples/passwords.yml directory as our YAML configuration.

You can use kubectl (or another tool) to deploy YAML examples below. We've chosen kapp.

Start by installing secretgen-controller onto cluster
Install examples/passwords.yml. It tells secretgen-controller to generate three passwords.

$ kapp deploy -a passwords -f https://raw.githubusercontent.com/carvel-dev/secretgen-controller/develop/examples/passwords.yml
# or... kubectl apply -f https://raw.githubusercontent.com/carvel-dev/secretgen-controller/develop/examples/passwords.yml

Target cluster 'https://x.x.x.x' (nodes: gke-dk-jan-9-default-pool-a218b1c9-55sl, 3+)

Changes

Namespace  Name                 Kind      Conds.  Age  Op      Wait to    Rs  Ri
default    long-user-password   Password  -       -    create  reconcile  -   -
^          postgresql-password  Password  -       -    create  reconcile  -   -
^          user-password        Password  -       -    create  reconcile  -   -

Rs: Reconcile state
Ri: Reconcile information

Op:      3 create, 0 delete, 0 update, 0 noop
Wait to: 3 reconcile, 0 delete, 0 noop

Continue? [yN]: y

4:03:53PM: ---- applying 3 changes [0/3 done] ----
4:03:53PM: create password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:53PM: create password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:53PM: create password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:53PM: ---- waiting on 3 changes [0/3 done] ----
4:03:54PM: ok: reconcile password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:54PM:  L ok: waiting on secret/user-password (v1) namespace: default
4:03:54PM: ok: reconcile password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:54PM:  L ok: waiting on secret/long-user-password (v1) namespace: default
4:03:55PM: ok: reconcile password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:03:55PM:  L ok: waiting on secret/postgresql-password (v1) namespace: default
4:03:55PM: ---- applying complete [3/3 done] ----
4:03:55PM: ---- waiting complete [3/3 done] ----

Succeeded

Make sure that associated Secret resources were created. There should be three resources user-password, long-user-password, and postgresql-password -- named the same as their Password custom resources.

$ kapp inspect -a passwords --tree
Target cluster 'https://x.x.x.x' (nodes: gke-dk-jan-9-default-pool-a218b1c9-55sl, 3+)

Resources in app 'passwords'

Namespace  Name                    Kind      Owner    Conds.  Rs  Ri  Age
default    postgresql-password     Password  kapp     1/1 t   ok  -   25s
default     L postgresql-password  Secret    cluster  -       ok  -   25s
default    user-password           Password  kapp     1/1 t   ok  -   25s
default     L user-password        Secret    cluster  -       ok  -   25s
default    long-user-password      Password  kapp     1/1 t   ok  -   25s
default     L long-user-password   Secret    cluster  -       ok  -   25s

Rs: Reconcile state
Ri: Reconcile information

6 resources

Succeeded

Here is another way to look at them. Note that postgresql-password secret is of type Opaque. It will have a different data KVs compared to long-user-password and user-password.

$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
long-user-password    kubernetes.io/basic-auth              1      2m8s
postgresql-password   Opaque                                1      2m8s
user-password         kubernetes.io/basic-auth              1      2m8s

Let's see what is generated within kubernetes.io/basic-auth type secrets. Two Password custom resources were configured to generate passwords of different lengths via their spec.length field.

$ kubectl get secret user-password -o jsonpath='{.data.password}' | base64 -D
lek1rd83fi8nquh56fpy9ojit547thr7ast746g9

$ kubectl get secret long-user-password -o jsonpath='{.data.password}' | base64 -D
5enadb1fzztqcchb26n4oz1lmwnrvslounj81mkj9fh3b99aqu0w4scwsaa9rb4bkaaag33mef21vq3zohxz72byd4dkele7v3w5i3gw3l5w7wa68e5pqbkopu7s

postgresql-password secret was configured to have a different data KVs by specifying spec.secretTemplate.

$ kubectl get secret postgresql-password -o jsonpath='{.data.postgresql-password}' | base64 -D
46788fn7ft5grfdptcxts0qxlqbqp5jua9umrp59

After looking around, we can delete all resources. Secrets generated by the controller are owned by individual Password resources, and hence will be deleted when their owning Password resource is deleted. To retain Secrets you can clear out their metadata.ownerReferences[*].

$ kapp delete -a passwords
Target cluster 'https://x.x.x.x' (nodes: gke-dk-jan-9-default-pool-a218b1c9-55sl, 3+)

Changes

Namespace  Name                 Kind      Conds.  Age  Op      Wait to  Rs  Ri
default    long-user-password   Password  1/1 t   7m   delete  delete   ok  -
^          long-user-password   Secret    -       7m   -       delete   ok  -
^          postgresql-password  Password  1/1 t   7m   delete  delete   ok  -
^          postgresql-password  Secret    -       7m   -       delete   ok  -
^          user-password        Password  1/1 t   7m   delete  delete   ok  -
^          user-password        Secret    -       7m   -       delete   ok  -

Rs: Reconcile state
Ri: Reconcile information

Op:      0 create, 3 delete, 0 update, 3 noop
Wait to: 0 reconcile, 6 delete, 0 noop

Continue? [yN]: y

4:11:21PM: ---- applying 6 changes [0/6 done] ----
4:11:21PM: delete password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:21PM: delete password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:21PM: noop secret/long-user-password (v1) namespace: default
4:11:21PM: noop secret/postgresql-password (v1) namespace: default
4:11:21PM: noop secret/user-password (v1) namespace: default
4:11:21PM: delete password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:21PM: ---- waiting on 6 changes [0/6 done] ----
4:11:21PM: ok: delete password/postgresql-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:22PM: ok: delete password/user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:22PM: ok: delete secret/long-user-password (v1) namespace: default
4:11:22PM: ok: delete secret/postgresql-password (v1) namespace: default
4:11:22PM: ok: delete secret/user-password (v1) namespace: default
4:11:22PM: ok: delete password/long-user-password (secretgen.k14s.io/v1alpha1) namespace: default
4:11:22PM: ---- applying complete [6/6 done] ----
4:11:22PM: ---- waiting complete [6/6 done] ----

Succeeded

Refer to Docs TOC for details

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Walkthrough

FilesExpand file tree

walkthrough.md

Latest commit

History

walkthrough.md

File metadata and controls

Walkthrough