|
|
@@ -73,7 +73,7 @@
|
|
|
<div data-md-component="skip">
|
|
|
|
|
|
|
|
|
- <a href="#a-few-common-k8s-secret-types-examples" class="md-skip">
|
|
|
+ <a href="#macro-syntax-error" class="md-skip">
|
|
|
Skip to content
|
|
|
</a>
|
|
|
|
|
|
@@ -1111,62 +1111,10 @@
|
|
|
|
|
|
|
|
|
|
|
|
- <label class="md-nav__link md-nav__link--active" for="__toc">
|
|
|
- Kubernetes Secret Types
|
|
|
- <span class="md-nav__icon md-icon"></span>
|
|
|
- </label>
|
|
|
-
|
|
|
<a href="./" class="md-nav__link md-nav__link--active">
|
|
|
Kubernetes Secret Types
|
|
|
</a>
|
|
|
|
|
|
-
|
|
|
-
|
|
|
-<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
- <label class="md-nav__title" for="__toc">
|
|
|
- <span class="md-nav__icon md-icon"></span>
|
|
|
- Table of contents
|
|
|
- </label>
|
|
|
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#dockerconfigjson-example" class="md-nav__link">
|
|
|
- Dockerconfigjson example
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#tls-cert-example" class="md-nav__link">
|
|
|
- TLS Cert example
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#ssh-auth-example" class="md-nav__link">
|
|
|
- SSH Auth example
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#more-examples" class="md-nav__link">
|
|
|
- More examples
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
-
|
|
|
-</nav>
|
|
|
-
|
|
|
</li>
|
|
|
|
|
|
|
|
|
@@ -2152,42 +2100,6 @@
|
|
|
|
|
|
|
|
|
|
|
|
- <label class="md-nav__title" for="__toc">
|
|
|
- <span class="md-nav__icon md-icon"></span>
|
|
|
- Table of contents
|
|
|
- </label>
|
|
|
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#dockerconfigjson-example" class="md-nav__link">
|
|
|
- Dockerconfigjson example
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#tls-cert-example" class="md-nav__link">
|
|
|
- TLS Cert example
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#ssh-auth-example" class="md-nav__link">
|
|
|
- SSH Auth example
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#more-examples" class="md-nav__link">
|
|
|
- More examples
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
-
|
|
|
</nav>
|
|
|
</div>
|
|
|
</div>
|
|
|
@@ -2204,133 +2116,10 @@
|
|
|
|
|
|
|
|
|
|
|
|
-<h1 id="a-few-common-k8s-secret-types-examples">A few common k8s secret types examples</h1>
|
|
|
-<p>Here we will give some examples of how to work with a few common k8s secret types. We will give this examples here with the gcp provider (should work with other providers in the same way). Please also check the guides on <a href="../templating/">Advanced Templating</a> to understand the details.</p>
|
|
|
-<p>Please follow the authentication and SecretStore steps of the <a href="../../provider/google-secrets-manager/">Google Cloud Secrets Manager guide</a> to setup access to your google cloud account first.</p>
|
|
|
-<h2 id="dockerconfigjson-example">Dockerconfigjson example</h2>
|
|
|
-<p>First create a secret in Google Cloud Secrets Manager containing your docker config:</p>
|
|
|
-<p><img alt="iam" src="../../pictures/screenshot_docker_config_json_example.png" /></p>
|
|
|
-<p>Let's call this secret docker-config-example on Google Cloud.</p>
|
|
|
-<p>Then create a ExternalSecret resource taking advantage of templating to populate the generated secret:</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dk-cfg-example</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
|
|
|
-<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
|
|
|
-<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="w"> </span><span class="nt">target</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">template</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/dockerconfigjson</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">.dockerconfigjson</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">toString</span><span class="nv"> </span><span class="s">}}"</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
|
|
|
-<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
|
|
|
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker-config-example</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>For Helm users: since Helm interprets the template above, the ExternalSecret resource can be written this way:</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dk-cfg-example</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
|
|
|
-<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
|
|
|
-<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="w"> </span><span class="nt">target</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">template</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/dockerconfigjson</span>
|
|
|
-<span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">.dockerconfigjson</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">`{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">}}`</span><span class="nv"> </span><span class="s">}}"</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
|
|
|
-<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
|
|
|
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker-config-example</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>For more information, please see <a href="https://github.com/helm/helm/issues/2798">this issue</a></p>
|
|
|
-<p>This will generate a valid dockerconfigjson secret for you to use!</p>
|
|
|
-<p>You can get the final value with:</p>
|
|
|
-<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span><namespace><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data\.dockerconfigjson}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
|
|
|
-</code></pre></div>
|
|
|
-<h2 id="tls-cert-example">TLS Cert example</h2>
|
|
|
-<p>We are assuming here that you already have valid certificates, maybe generated with letsencrypt or any other CA. So to simplify you can use openssl to generate a single secret pkcs12 cert based on your cert.pem and privkey.pen files.</p>
|
|
|
-<div class="highlight"><pre><span></span><code>openssl<span class="w"> </span>pkcs12<span class="w"> </span>-export<span class="w"> </span>-out<span class="w"> </span>certificate.p12<span class="w"> </span>-inkey<span class="w"> </span>privkey.pem<span class="w"> </span>-in<span class="w"> </span>cert.pem
|
|
|
-</code></pre></div>
|
|
|
-<p>With a certificate.p12 you can upload it to Google Cloud Secrets Manager:</p>
|
|
|
-<p><img alt="p12" src="../../pictures/screenshot_ssl_certificate_p12_example.png" /></p>
|
|
|
-<p>And now you can create an ExternalSecret that gets it. You will end up with a k8s secret of type tls with pem values.</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template-tls-example</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
|
|
|
-<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
|
|
|
-<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="w"> </span><span class="nt">target</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
|
|
|
-<span class="w"> </span><span class="c1"># this is how the Kind=Secret will look like</span>
|
|
|
-<span class="w"> </span><span class="nt">template</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12cert</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pemCertificate</span><span class="nv"> </span><span class="s">}}"</span>
|
|
|
-<span class="w"> </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pkcs12key</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">pemPrivateKey</span><span class="nv"> </span><span class="s">}}"</span>
|
|
|
-
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="c1"># this is a pkcs12 archive that contains</span>
|
|
|
-<span class="w"> </span><span class="c1"># a cert and a private key</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
|
|
|
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ssl-certificate-p12-example</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>You can get their values with:</p>
|
|
|
-<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span><namespace><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.tls\.crt}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
|
|
|
-kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span><namespace><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.tls\.key}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
|
|
|
-</code></pre></div>
|
|
|
-<h2 id="ssh-auth-example">SSH Auth example</h2>
|
|
|
-<p>Add the ssh privkey to a new Google Cloud Secrets Manager secret:</p>
|
|
|
-<p><img alt="ssh" src="../../pictures/screenshot_ssh_privkey_example.png" /></p>
|
|
|
-<p>And now you can create an ExternalSecret that gets it. You will end up with a k8s secret of type ssh-auth with the privatekey value.</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ssh-auth-example</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
|
|
|
-<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
|
|
|
-<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="w"> </span><span class="nt">target</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
|
|
|
-<span class="w"> </span><span class="nt">template</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ssh-auth</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">ssh-privatekey</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">toString</span><span class="nv"> </span><span class="s">}}"</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
|
|
|
-<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
|
|
|
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ssh-priv-key-example</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>You can get the privkey value with:</p>
|
|
|
-<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span><namespace><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.ssh-privatekey}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
|
|
|
-</code></pre></div>
|
|
|
-<h2 id="more-examples">More examples</h2>
|
|
|
-<div class="admonition note">
|
|
|
-<p class="admonition-title">We need more examples here</p>
|
|
|
-<p>Feel free to contribute with our docs and add more examples here!</p>
|
|
|
-</div>
|
|
|
+<h1 id="macro-syntax-error"><em>Macro Syntax Error</em></h1>
|
|
|
+<p><em>Line 54 in Markdown file:</em> <strong>unexpected '.'</strong>
|
|
|
+<div class="highlight"><pre><span></span><code> <span class="o">.</span><span class="n">dockerconfigjson</span><span class="p">:</span> <span class="s1">'{"auths":{"{{ .registryName | lower }}.{{ .registryHost }}":{"username":"{{ .registryName }}","password":"{{ .password }}",</span>
|
|
|
+</code></pre></div></p>
|
|
|
|
|
|
|
|
|
|
moolen