Distribute public key to all pods in all namespaces automatically

8/28/2018

I have a public key that all my pods needs to have.

My initial thought was to create a ConfigMap or Secret to hold it but as far as I can tell neither of those can be used across namespaces. Apart from that, it's really boiler plate to paste the same volume into all my Deployments

So now I'm left with only, in my opinion, bad alternatives such as creating the same ConfigMap/Secret in all Namespaces and do the copy-paste thing in deployments.

Any other alternatives?

Extra information after questions.

  • The key doesn't need to be kept secret, it's a public key, but it needs to be distributed in a trusted way.
  • It won't rotate often but when it happens all images can't be re-built.
  • Almost all images/pods needs this key and there will be hundreds of images/pods.
-- Andreas Wederbrand
kubernetes

2 Answers

8/28/2018

While I don't really like the idea, one of the ways to solve it could be an init container that populates a volume with key(s) you need and then these volumes can be mounted in your containers as you see fit. That way it becomes independent of how you namespace stuff and relies only on how pods are defined/created.

That said, the Kubed mentioned by Ryan above sounds like more reasonable approach to a case like this one, and last but not least, something creates your namespaces after all, so having the creation of required elements of a namespace inside the same process sounds legit as well.

-- Radek 'Goblin' Pieczonka
Source: StackOverflow

8/28/2018

You can use Kubernetes initializers to intercept object creation and mutate as you want. This can solve copy-paste in all your deployments and you can manage it from a central location.

https://medium.com/google-cloud/how-kubernetes-initializers-work-22f6586e1589

You will still need to create configmaps/secrets per namespace though.

-- turkenh
Source: StackOverflow