K
Q

Best Practice for Operators to Receive Secrets in custom resource

4/14/2020

I'm not finding any answers to this on Google but I may just not know what terms to search for.

In a CRD, is there a way to define a field in the spec that is a secret (and therefore shouldn't be stored in plain text)? For example, if the custom resource needs to have an API token included in it, how do you define that in the CRD?

One thought I had was to just have the user create a Secret outside of the CRD and then provide the secret's name in a custom resource field so the operator can query it from the K8s API on demand when needed (and obviously associated RBAC needs to be configured so the operator has read access to the Secret). So the field in the CRD would just be a normal string that is the name of the target Secret.

But is there a better way? Any existing best practices around this?

-- Freedom_Ben
kubernetes
kubernetes-custom-resources

Similar Questions

how to customize k8s nginx ingress HTTP headers error
Kubernetes Log Splitting (Stdout/Stderr)
Kubernetes pods wrting to persistent volume, need to push the logs to ElasticSearch
Unable to reuse existing Persistent Volume (GlusterFS)

1 Answer

4/14/2020

You do indeed just store the value in an actual Secret and reference it. You'll find the same pattern all over k8s. Then in your controller code you get your custom object, find the ref, get that secret, and then you have your data.

-- coderanger
Source: StackOverflow