For now, I deploy my application pods using static files, and one of them is app-secrets.yaml, with all the secrets needed to deploy an application:
---
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  root: xxxxxx
  user1: xxxxxx
  user2: xxxxxx
but this is neither secure nor convenient (if I need another app instance, I have to create another file with a human-generated password).
I'm looking to generate random passwords at application creation, but I don't know if it's possible. I've already looked at the topic of secrets, and especially secretGenerator,
but as I understand it this is not directly what I want, because it does not create a random string but a random secret name like secret/app-secrets-ssdsdfmfh4k,
and I still have to provide the passwords.
You may want to use kubernetes-secret-generator. I've tested it and it does exactly what you need.
To accomplish this, you need to have Helm in your cluster and follow these instructions:
Clone the repository
$ git clone https://github.com/mittwald/kubernetes-secret-generator
Create the Helm deployment
$ helm upgrade --install secret-generator ./deploy/chart
Now, to use it, you just have to add the annotation
secret-generator.v1.mittwald.de/autogenerate
to any Kubernetes secret object. The value of the annotation can be a field name (or a comma-separated list of field names) within the secret; the SecretGeneratorController will pick up this annotation and add a field [or fields] (password
in the example below) to the secret with a randomly generated string value. From here.
$ kubectl apply -f mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  annotations:
    secret-generator.v1.mittwald.de/autogenerate: password
data:
  username: UGxlYXNlQWNjZXB0Cg==
After applying this secret you can take a look at it to check whether the password was generated as expected:
$ kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: dnVKTDBJZ0tFS1BacmtTMnBuc3d2YWs2YlZsZ0xPTUFKdStDa3dwUQ==
  username: UGxlYXNlQWNjZXB0Cg==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"username":"UGxlYXNlQWNjZXB0Cg=="},"kind":"Secret","metadata":{"annotations":{"secret-generator.v1.mittwald.de/autogenerate":"password"},"name":"mysecret","namespace":"default"}}
    secret-generator.v1.mittwald.de/autogenerate: password
    secret-generator.v1.mittwald.de/autogenerate-generated-at: 2020-01-09 14:29:44.397648062 +0000 UTC m=+664.011602557
    secret-generator.v1.mittwald.de/secure: "yes"
  creationTimestamp: "2020-01-09T14:29:44Z"
  name: mysecret
  namespace: default
  resourceVersion: "297425"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 7ae42d71-32ec-11ea-92b3-42010a800009
type: Opaque
As we can see, the password was generated and it's encrypted as you need.
Kubernetes natively does not have this functionality.
If you want to perform this yourself manually, check out this question.
If you want to automate this manual task, then you can use this custom controller to perform it.
Add the annotation secret-generator.v1.mittwald.de/autogenerate to any Kubernetes secret object. The value of the annotation can be a field name (or a comma-separated list of field names) within the secret; the SecretGeneratorController will pick up this annotation and add a field [or fields] (password in the example below) to the secret with a randomly generated string value.
You can do this too:
# kubectl base64-encodes the value itself, so the random string is piped straight in as the "password" file
$ head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8 | kubectl create secret generic mysecret --from-file=password=/dev/stdin
The inconvenience is that you need to change the secret name every time you run the command, but it looks like you already have a mechanism to generate random secret names.
Note: change the number in head -c 8 to control the length of the string.
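As an added example that is not part of the question or any of the answers above: a small script that renders the question's app-secrets.yaml with a fresh random password per key, so each new app instance only needs a new manifest name rather than a new human-chosen password. It assumes a POSIX shell with /dev/urandom, tr, head, awk and a coreutils-style base64; the script name gen-secrets.sh and the --render flag are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the question or any answer): render the question's
# app-secrets.yaml with a fresh random password per key, so a new app instance
# only needs a new manifest name, never a human-chosen password.
# Assumes /dev/urandom, tr, head, awk and a coreutils-style base64.
set -eu

# gen_password LENGTH: LENGTH alphanumerics drawn from the kernel CSPRNG.
# Reads /dev/urandom in fixed chunks and keeps filtering until enough
# usable characters exist, so the result is never shorter than requested.
gen_password() {
  local len="${1:-24}" out=""
  while [ "${#out}" -lt "$len" ]; do
    out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$out" | head -c "$len"
}

# render_secret NAME KEY...: emit a Secret manifest with one random value per key.
# data: values must be base64; that is encoding, not encryption, so the
# rendered file is exactly as sensitive as the passwords themselves.
render_secret() {
  local name="$1" key
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for key in "$@"; do
    printf '  %s: %s\n' "$key" "$(gen_password 24 | base64 | tr -d '\n')"
  done
}

# decode_field MANIFEST KEY: recover one field's plaintext from a rendered
# manifest, the same check you would run on "kubectl get secret -o yaml" output.
decode_field() {
  printf '%s\n' "$1" \
    | awk -v k="  $2: " 'index($0, k) == 1 { print substr($0, length(k) + 1) }' \
    | base64 -d
}

# Usage: bash gen-secrets.sh --render app-secrets root user1 user2 | kubectl apply -f -
if [ "${1:-}" = "--render" ]; then
  shift
  render_secret "$@"
fi
```

Because the manifest is generated at deploy time and piped into kubectl, nothing with a plaintext password needs to be committed alongside the other static files.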