Create or edit Kubernetes secret from a job

11/21/2019

I am trying to generate a Kubernetes secret from a Kubernetes job. The secret is a TLS certificate for Elasticsearch transport. I tried this job:

apiVersion: batch/v1
kind: Job
metadata:
  name: conso-security-tls-gen-certs
spec:
  template:
    spec:
      containers:
      - name: generator
        volumeMounts:
          - name: certs
            mountPath: "/certs"
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.4.2"
        command: ["/bin/sh", "-c"]
        args:
        - "bin/elasticsearch-certutil ca (...) --silent -out /certs/bundle.p12"
      restartPolicy: Never
      volumes:
      - name: certs
        secret:
          secretName: conso-security-tls-certs
  backoffLimit: 4

But as https://github.com/kubernetes/kubernetes/issues/62099 said, the volume /certs is ReadOnly. Is there a way to create/edit this secret like this?

-- Thomas Decaux

1 Answer

11/21/2019

Volumes from secrets are gone once the container/pod is gone. Also, updating files in volumes created from a Secret will not update the Secret itself.

It seems that the goal is for the Job to generate a cert and create or update a Secret object with that cert? If that is the case, I'd suggest looking into using the Kubernetes API or kubectl to manipulate Secrets from within the running container. You'd need to set up and use a Service Account that has permission to work with Secrets in the given namespace.

-- apisim
Source: StackOverflow
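
The API route suggested in the answer, as an added example that is not part of the original question or answer: a create-or-replace of the Secret over the Kubernetes REST API using the pod's mounted service account credentials. Assumptions: Python 3 is available in the container, `/certs` is a writable volume (for example an `emptyDir`) instead of the Secret volume, and the Job's service account is bound to a Role that allows `create` on secrets and `update` on `conso-security-tls-certs`; the function names are hypothetical.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # standard in-pod mount
API = "https://kubernetes.default.svc"                    # in-cluster API server name


def build_secret(name, files):
    """Build a Secret manifest; values under 'data' must be base64-encoded."""
    data = {key: base64.b64encode(raw).decode() for key, raw in files.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}


def in_cluster_send(method, path, body):
    """Call the API server with the pod's token and return the HTTP status."""
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    req = urllib.request.Request(
        API + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    # Verify the API server against the cluster CA mounted next to the token.
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def upsert_secret(namespace, manifest, send=in_cluster_send):
    """Create the Secret; if it already exists (409), replace it."""
    base = f"/api/v1/namespaces/{namespace}/secrets"
    status = send("POST", base, manifest)
    if status == 201:
        return "created"
    if status == 409:
        status = send("PUT", f"{base}/{manifest['metadata']['name']}", manifest)
        if status == 200:
            return "replaced"
    raise RuntimeError(f"API server returned HTTP {status}")  # 403: RBAC missing


if __name__ == "__main__":
    with open(f"{SA_DIR}/namespace") as f:
        ns = f.read().strip()
    with open("/certs/bundle.p12", "rb") as f:  # path from the Job in the question
        bundle = f.read()
    print(upsert_secret(ns, build_secret("conso-security-tls-certs",
                                         {"bundle.p12": bundle})))
```

The `send` parameter exists so the create-then-replace logic can be exercised without a cluster; inside the Job the default is used.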