terraform-kubernetes-provider how to create secret from file?

3/25/2019

I'm using the terraform kubernetes-provider and I'd like to translate something like this kubectl command into TF:

kubectl create secret generic my-secret --from-file mysecret.json

It seems, however the secret resource's data field expects only a TF map.

I've tried something like

data "template_file" "my-secret" {
  template = "${file("${path.module}/my-secret.json")}"
}

resource "kubernetes_secret" "sgw-config" {
   metadata {
     name = "my-secret"
   }
   type = "Opaque"
   data = "{data.template_file.my-secret.template}"
}

But it complains that this is not a map. So, I can do something like this:

   data = {
      "my-secret.json" = "{data.template_file.my-secret.template}"
   }

But this will write the secret with a top-level field named my-secret.json and when I volume mount it, it won't work with other resources.

What is the trick here?

-- Davis Ford
kubernetes
terraform
terraform-template-file

3 Answers

11/19/2019

as long the file is UTF-8 encoded you can use something like this

resource "kubernetes_secret" "some-secret" {

      metadata {
        name      = "some-secret"
        namespace = kubernetes_namespace.some-ns.metadata.0.name
        labels = {
          "sensitive" = "true"
          "app"       = "my-app"
        }
      }
      data = {
        "file.txt" = file("${path.cwd}/your/relative/path/to/file.txt")
      }
    }

If the file is a binary one you will have an error like

Call to function "file" failed: contents of /your/relative/path/to/file.txt are not valid UTF-8; use the filebase64 function to obtain the Base64 encoded contents or the other file functions (e.g. filemd5, filesha256) to obtain file hashing results instead.

I tried encoding the file in base64 but then the problem is that the resulting text will be re-encoded in base64 by the provider. So I guess there is no solution for binary files at the moment... I'll edit with what I find next for binaries.

-- Francesco Gualazzi
Source: StackOverflow

3/25/2019

It seems if you run the command kubectl create secret generic my-secret --from-file mysecret.json

and then

$ kubectl get secrets my-secret -o yaml
apiVersion: v1
data:
  my-secret.json: ewogICA.....
kind: Secret
metadata:
  creationTimestamp: "2019-03-25T18:20:43Z"
  name: my-secret
  namespace: default
  resourceVersion: "67026"
  selfLink: /api/v1/namespaces/default/secrets/my-secret
  uid: b397a29c-4f2a-11e9-9806-000c290425d0
type: Opaque

it stores it similarly with the filename as the single key. When I mount this in a volume/volumeMount it works as expected. I was afraid that it wouldn't but when I create the secret using the --from-file argument, this is exactly how it stores it.

-- Davis Ford
Source: StackOverflow

3/25/2019

Basically you need to provide a map like this :

resource "kubernetes_secret" "sgw-config" {
   metadata {
     name = "my-secret"
   }
   type = "Opaque"
   data {
           "key1" = "value1"
           "key2" = "value2"
  }
}

you can refer to your internal variables using

resource "kubernetes_secret" "sgw-config" {
       metadata {
         name = "my-secret"
       }
       type = "Opaque"
       data {
               "USERNAME" = "${var.some_variable}"
               "PASSWORD" = "${random_string.root_password.result}"
      }
    }
--
Source: StackOverflow