Kubernetes Secret Management
This guide walks you through setting up a pkhub pod that creates and updates Secrets
in your Kubernetes cluster based on the Environments you create.
The pk cli can create Kubernetes Secrets from Environments,
and each Environment can contain any number of embedded yaml Secret definitions.
You create an Environment “MySecretEnvs” with:
apiVersion: v1
kind: Secret
metadata:
  name: mysecret1
  namespace: default
type: Opaque
stringData:
  token: mysecrettoken
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret2
  namespace: default
type: Opaque
stringData:
  pass: mysecretpass
and run the pk command:
pk k8s apply secret --safe mysafe --lbls mysecret
Two Secrets will be created, named mysecret1 and mysecret2 (the metadata.name values from the definitions above).
1. Setup Application Keys
If you do not already have API keys, please follow the CLI Install Guide and create a new API key pair.
For the steps in this document we assume the namespace pkhub:
kubectl create namespace pkhub
Then create the secret pkkeys, which holds the API key pair:
kubectl create secret generic pkkeys -n pkhub --from-literal=PK_KEY_SECRET=$PK_KEY_SECRET --from-literal=PK_KEY_ID=$PK_KEY_ID
If your Kubernetes cluster has RBAC enabled, apply the Service Account, Cluster Role and Cluster Role Binding in rbac.yml, or run:
kubectl apply -f https://raw.githubusercontent.com/pkhubio/pkcli/master/k8s/rbac.yml
You should see:
serviceaccount/pkhub-secrets created
clusterrole.rbac.authorization.k8s.io/pkhub-secrets-role created
clusterrolebinding.rbac.authorization.k8s.io/pkhub-secrets-role-binding created
3. Create a PKHub Secret Manager deployment
Now you can create a Deployment with a single Pod replica that loops, sleeping between runs, and updates any Secrets defined in the Environments you select for secret management.
If you want to play around first and see how the pk cli command works and how secrets are created, run:
kubectl -n pkhub run --generator=run-pod/v1 --serviceaccount=pkhub-secrets -i --tty pk-cli --image=pkhub/pk-cli -- sh
and when you’ve finished run:
kubectl -n pkhub delete pod pk-cli
Download and modify the deployment example secret-manager-example.
The important part is the args section:
args:
  - pk k8s apply secret --safe my-group-5 --lbls MySecrets --loop 1
where you configure which Environments Secrets are created from.
pk k8s apply secret --safe my-group-5 --lbls MySecrets --loop 1
This command downloads the Environment MySecrets from the safe my-group-5 and creates Secrets from the content of the Environment, which is expected to be one or more Kubernetes yaml Secret definitions. Notice the --loop 1 flag: it tells the pk cli to sleep for 1 minute and then update the secrets again.
4. Updating secrets
Yaml formatting is always tricky. The Environment text area does some validation, but simple things like a missing space between “:” and its value are not caught, e.g. A:1 is not valid but A: 1 is.
Updating is simple: edit the Environment and wait for the secret manager to update the Secrets; the delay depends on the value you supplied in the --loop flag.
You must specify the namespace for each Secret in its yaml definition; the secret manager creates the Secret in that namespace. If your Kubernetes cluster has RBAC enabled, you must create the RBAC roles and launch the secret manager using the pkhub service account. This is all set up in the RBAC yaml file, and the secret-manager-example has the service account configured.
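Because the Environment text area does not catch the "A:1" mistake and the secret manager needs a namespace in every definition, it helps to check an Environment's content before saving it. The following validator is an added example, not part of pkhub or the pk cli: it splits the multi-document yaml on "---", parses the flat key/value subset that Secret manifests use (no PyYAML dependency, so lists are not supported), flags a missing space after ":", and checks kind, apiVersion, a valid lowercase metadata.name, metadata.namespace, and that data or stringData has keys. The sample Environment text is constructed for the example; its second document deliberately omits the namespace and contains the no-space mistake.

```python
import re

# Constructed sample Environment content, shaped like the guide's two-Secret example
# (not the page's own text). The second document intentionally has no namespace and
# a "key:value" line without a space, both of which the guide warns about.
SAMPLE_ENV = """\
apiVersion: v1
kind: Secret
metadata:
  name: mysecret1
  namespace: default
type: Opaque
stringData:
  token: mysecrettoken
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret2
type: Opaque
stringData:
  pass:mysecretpass
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.\-/]+):(?:\s+(.*))?$")
NOSPACE_RE = re.compile(r"^\s*[A-Za-z0-9_.\-/]+:\S")          # the "A:1" mistake
DNS_SUBDOMAIN_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")  # Kubernetes object names


def split_documents(text):
    """Split multi-document yaml on '---' lines, dropping empty documents."""
    docs, current = [], []
    for line in text.splitlines():
        if line.strip() == "---":
            docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def parse_mapping(doc):
    """Parse the indented key/value subset that Secret manifests use.

    Returns (mapping, errors). Nested mappings are supported, lists are not,
    which is enough for apiVersion/kind/metadata/type/data/stringData.
    """
    root, errors = {}, []
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for lineno, line in enumerate(doc.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if NOSPACE_RE.match(line):
            errors.append(f"line {lineno}: missing space after ':' in {line.strip()!r}")
            continue
        m = KEY_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not a 'key: value' line: {line.strip()!r}")
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack[-1][0] >= indent:  # leave mappings indented as deep or deeper
            stack.pop()
        parent = stack[-1][1]
        if value is None or value == "":  # "metadata:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip().strip("\"'")
    return root, errors


def validate_secret(mapping):
    """Checks the secret manager relies on: kind, apiVersion, name, namespace, payload."""
    problems = []
    if mapping.get("kind") != "Secret":
        problems.append(f"kind is {mapping.get('kind')!r}, expected 'Secret'")
    if mapping.get("apiVersion") != "v1":
        problems.append("apiVersion must be 'v1' for a Secret")
    meta = mapping.get("metadata")
    meta = meta if isinstance(meta, dict) else {}
    name = meta.get("name")
    if not name:
        problems.append("metadata.name is missing")
    elif not DNS_SUBDOMAIN_RE.match(name) or len(name) > 253:
        problems.append(f"metadata.name {name!r} is not a valid lowercase Kubernetes name")
    if not meta.get("namespace"):
        problems.append("metadata.namespace is missing; the secret manager needs it")
    payloads = [mapping.get("data"), mapping.get("stringData")]
    if not any(isinstance(p, dict) and p for p in payloads):
        problems.append("neither data nor stringData contains any keys")
    return problems


def validate_environment(text):
    """Return [(secret name or 'document N', [problems, ...]), ...] for an Environment."""
    report = []
    for i, doc in enumerate(split_documents(text), 1):
        mapping, problems = parse_mapping(doc)
        problems += validate_secret(mapping)
        meta = mapping.get("metadata")
        ident = meta.get("name") if isinstance(meta, dict) and meta.get("name") else f"document {i}"
        report.append((ident, problems))
    return report


if __name__ == "__main__":
    for ident, problems in validate_environment(SAMPLE_ENV):
        print(f"{ident}: {'ok' if not problems else 'INVALID'}")
        for p in problems:
            print(f"  - {p}")
```

Run it over the text you are about to paste into the Environment: the first document passes, while the second is reported with three problems (the no-space line, the missing namespace, and an empty stringData, which is the knock-on effect of the no-space line never being parsed). Anything other than a clean report means the secret manager would either fail to create the Secret or create it somewhere you did not intend.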