unitop

Reputation: 143

Kustomize: How to Reference Name of a Secret Generated by secretGenerator in Deployment When Hash Suffix is Added?

Problem Summary:

I am using Kustomize to generate a secret using secretGenerator, and I need to reference this secret in a Deployment. Kustomize is appending a unique hash suffix to the secret name, and I'm unable to reference the generated secret by name in my Deployment.

Previous Approach and Current Challenge:

In the past, I used vars to capture the metadata.name of the secret and place it where needed. Since vars have been deprecated, I now use replacements, but this approach does not include the necessary hash suffix. From what I've gathered, it seems replacements won't have this functionality either going forward. Disabling the hashing feels like a hack and not best practice. Using Name Reference Transformers seems more static and harder to maintain than the old vars solution.

Reproducible Structure:

A reproducible version of the problem has this structure:

├── base
│   ├── application
│   │   ├── deployment.yml
│   │   └── kustomization.yml
│   └── secrets
│       ├── kustomization.yml
│       └── my-secret.env
├── components
│   └── replacements_component
│       └── kustomization.yml
└── overlay
    └── instance
        └── kustomization.yml

Code Snippets and Configuration:

base/application/deployment.yaml and base/application/kustomization.yaml look like this:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
        - name: test
          env:
            - name: test
              value: REPLACE
-----------------------------
resources:
- ./deployment.yml

The base/secrets/kustomization.yaml looks like this:

secretGenerator:
- name: my-secret
  env: my-secret.env

The components/replacements_component/kustomization.yml looks like this:

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

replacements:
  - source:
      kind: Secret
      name: my-secret
    targets:
      - select:
          kind: Deployment
          name: test
        fieldPaths:
          - spec.template.spec.containers.[name=test].env.[name=test].value

This is the overlay kustomization file:

namespace: test-deployment

resources:
  - ../../base/application/
  - ../../base/secrets/

components:
  - ../../components/replacements_component

Actual vs Desired Output:

When kustomize build is run, I get the following output:

apiVersion: v1
data: {}
kind: Secret
metadata:
  name: my-secret-46f8b28mk5
  namespace: test-deployment
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: test-deployment
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - env:
        - name: test
          value: my-secret
        name: test

This is the desired output:

apiVersion: v1
data: {}
kind: Secret
metadata:
  name: my-secret-46f8b28mk5
  namespace: test-deployment
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: test-deployment
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - env:
        - name: test
          value: my-secret-46f8b28mk5
        name: test

Questions and Help Needed:

How can I capture the generated secret name, including the hash suffix, and use it as a replacement in my Deployment? Is there a best practice for handling this scenario without resorting to disabling hashing or using more static solutions?

EDIT: As pointed out, it is possible to use the 'valueFrom.secretKeyRef' and 'envFrom.secretRef' in the specific deployment. That would work here specifically, but in other cases like this:

volumes:
  - name: my-volume
    azureFile:
      secretName: temp-name
      shareName: temp-shareName

It is not possible to use the above-mentioned references. Targeting the secret with replacements only gives the non-suffixed name of the secret.

Upvotes: 10

Views: 2424

Answers (1)

Mauro

Reputation: 170

You will need to create a Custom Resource Transformation on that particular case (e.g. the AzureFile). You can read more on how to achieve it here https://github.com/kubernetes-sigs/kustomize/blob/master/examples/transformerconfigs/crd/README.md

Anyway, it seems the Azure File is deprecated https://kubernetes.io/docs/concepts/storage/volumes/#azurefile

Upvotes: 0
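The transformer configuration the answer points to, written out for the azureFile case from the question's edit, as an added example that is not from the question or answer (the file name kustomizeconfig.yml is an assumption; the overlay is the one shown in the question):

```yaml
# overlay/instance/kustomizeconfig.yml (assumed file name).
# Registers spec.template.spec.volumes[].azureFile.secretName as a reference
# to a Secret, so Kustomize's built-in name-reference transformer rewrites it
# to the hash-suffixed name that secretGenerator emits. Paths in transformer
# configs use "/" separators and apply to every list element along the path.
nameReference:
  - kind: Secret
    version: v1
    fieldSpecs:
      - path: spec/template/spec/volumes/azureFile/secretName
        kind: Deployment
      - path: spec/template/spec/volumes/azureFile/secretName
        kind: StatefulSet
---
# overlay/instance/kustomization.yml: the overlay from the question, with the
# transformer config registered. The replacements component is not needed for
# this field, because name references are updated after the hash is applied.
namespace: test-deployment

resources:
  - ../../base/application/
  - ../../base/secrets/

configurations:
  - kustomizeconfig.yml
```

Because the hash suffix stays enabled, a change to my-secret.env still produces a new Secret name and therefore a new pod template, so the Deployment rolls out on secret rotation instead of silently keeping stale credentials mounted.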
