Rotareti

Reputation: 53803

Automatically generated strings for secrets using yaml config

I have a deployment config for an app that (among other things) creates a secret for a MySQL database:

---
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
# plain-text values belong under stringData; the data field expects base64-encoded values
stringData:
  MYSQL_USER: my_user
  MYSQL_PASSWORD: my_random_secret
  MYSQL_DATABASE: my_db
  MYSQL_ROOT_PASSWORD: my_random_secret
---
etc...

The deployment file is under source control, so I don't want to place the secrets there.

Does anyone know how I can tell Kubernetes to generate random strings for each variable which has my_random_secret as a value in my example? Preferably something that can be configured using the yaml file, without needing to invoke any extra commands.

Upvotes: 6

Views: 9471

Answers (3)

RaiBnod

Reputation: 2351

If you are using a Helm chart, you can do this:

apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
data:
  MYSQL_USER: bXlfdXNlcg==
  MYSQL_PASSWORD: {{ randAlphaNum 16 | b64enc }}       # Sprig function: a fresh 16-character value on every render
  MYSQL_DATABASE: bXlfZGI=
  MYSQL_ROOT_PASSWORD: {{ randAlphaNum 16 | b64enc }}  # Sprig function: a fresh 16-character value on every render

Here,

  • echo -n "my_user" | base64 => bXlfdXNlcg==   # -n keeps echo's trailing newline out of the encoded value
  • echo -n "my_db" | base64 => bXlfZGI=

Otherwise, we can have a similar kind of feature. Or, if you want to generate it from a bash/shell script, we can use $(head /dev/urandom | LC_ALL=C tr -dc A-Za-z0-9 | head -c16 | base64) as a unique password generator in the shell.

Upvotes: 4

nyet

Reputation: 596

You can also use OpenSSL:

openssl rand -base64 32

Or if you need plaintext/numbers:

openssl rand -base64 32 | tr -cd '[:alpha:]\n'

Or if you don't want the trailing CR:

openssl rand -base64 32 | tr -cd '[:alpha:]'

Note that anything longer than -base64 48 might add CRs to the output. Adjust your tr to taste, e.g.

openssl rand -base64 128 | tr -cd '[:alpha:]'

will concatenate the multiple lines from openssl, but omit a trailing \n as well.

Upvotes: -2

Shahriar

Reputation: 13804

As far as I have understood, you do not want to keep your secret information locally. So you need to generate it when you are creating that secret.

I think there is a way to create Kubernetes resources using go-template. I didn't find enough information for that. I can't help you in this way.

But you can also create the secret using a script. And your secret will not be exposed.

The following script can help you in that case. It will generate a random password for you and will create the secret with it.

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
data:
  MYSQL_PASSWORD: $(head -c 24 /dev/random | base64)
  MYSQL_ROOT_PASSWORD: $(head -c 24 /dev/random | base64)
stringData:
  MYSQL_USER: my_user
  MYSQL_DATABASE: my_db
EOF

Run this script.

Hope it will work for you.

Upvotes: 7
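A complete shell version of the generate-and-create approach, added here as an example; it is not code from the question or from any of the answers. The names mysql-secret, my_user and my_db come from the question; the function names, SECRET_BYTES and the --apply flag are this example's own choices. It draws the passwords from /dev/urandom, which never blocks, base64-encodes them without the trailing newline that plain echo adds (the pitfall behind a value like bXlfdXNlcgo=, which decodes to "my_user" plus a newline), keeps the non-secret user and database names under stringData, and checks whether the secret already exists so that re-running the script does not rotate the password out from under a running database. The Helm randAlphaNum template has that rotation behaviour on every helm upgrade unless it is guarded with Helm's lookup function.

```shell
#!/bin/sh
# Added example (not from the question or any answer): generate MySQL
# credentials from /dev/urandom, base64-encode them the way Secret.data expects,
# and create the secret only if it does not already exist.
# Assumed: mysql-secret, my_user and my_db are taken from the question;
# SECRET_BYTES, the function names and --apply are this example's own choices.
set -eu

SECRET_BYTES=24   # 24 random bytes -> 32 base64 characters

# Base64-encode stdin on a single line. `base64 -w0` is GNU-only, so the
# newline is stripped with tr to stay portable across GNU and BSD/macOS.
b64_nowrap() {
  base64 | tr -d '\n'
}

# Emit a fresh random password, base64-encoded, without a trailing newline.
random_secret_b64() {
  head -c "$SECRET_BYTES" /dev/urandom | b64_nowrap
}

# Base64-encode a literal without the "\n" that plain `echo` would add
# (echo "my_user" | base64 yields bXlfdXNlcgo=, which decodes to "my_user\n").
b64_literal() {
  printf '%s' "$1" | b64_nowrap
}

# Render the Secret manifest: passwords under data: (base64), the non-secret
# user and database names under stringData: (plain text).
render_secret_manifest() {
  name=$1; user=$2; db=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  MYSQL_PASSWORD: $(random_secret_b64)
  MYSQL_ROOT_PASSWORD: $(random_secret_b64)
stringData:
  MYSQL_USER: ${user}
  MYSQL_DATABASE: ${db}
EOF
}

# Create the secret only if it is absent; an existing secret is left alone so
# a second run does not change credentials a running database already uses.
ensure_secret() {
  name=$1; user=$2; db=$3
  if kubectl get secret "$name" >/dev/null 2>&1; then
    echo "secret/$name already exists, leaving it untouched" >&2
    return 0
  fi
  render_secret_manifest "$name" "$user" "$db" | kubectl create -f -
}

# Usage: sh gen-mysql-secret.sh --apply
# (the flag keeps sourcing the file for inspection or testing side-effect free)
if [ "${1:-}" = "--apply" ]; then
  ensure_secret mysql-secret my_user my_db
fi
```

Run it with --apply against a cluster where kubectl is already pointed at the right context; without the flag it only defines the functions, so render_secret_manifest can be called by hand to inspect the manifest before anything is created.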
