Kubernetes and Optional Secrets

Best practices for allowing configuration of optional secrets on Kubernetes

This content is associated with a legacy version of the Replicated product. For the current Replicated product documentation, see docs.replicated.com.

Kubernetes and Optional Secrets

When distributing a Kubernetes application using Replicated Ship, it is almost certain that your application will require access to some form of secret, whether that be API keys, database information or something else. In many cases, your application will require an encryption key to protect its data at rest. Some people will be fine with deploying these secrets in the same way as they deploy the rest of their application yaml. However, many enterprises will prefer to avoid committing secrets to version control, and instead will manage secrets yaml out-of-band.

With config options and template functions, we can satisfy both sets of customers.

First, we’ll need a boolean option for the user to select, and the data we’ll use to populate the secret. In this case, nothing is visible to or configurable by the user - but we’ll still be able to refer to it when templating assets.

config:
  v1:
  - items:
    - name: create_secret
      type: bool
      title: Create Secrets
      value: false
    - name: redis_uri
      type: text
      hidden: true
      readonly: true
      value: 'redis://redis:6379'
    - name: pusher_key
      type: text
      hidden: true
      readonly: true
      value: '{{repl RandomString 32}}'
    - name: pusher_secret
      type: text
      hidden: true
      readonly: true
      value: '{{repl RandomString 32}}'

Now we can conditionally create the secret. We’ll do this by making an inline asset that will be templated into the correct form depending on the options selected.

assets:
  v1:
    - inline:
        dest: ./k8s/redis_secret.yml
        when: '{{repl ConfigOptionEquals "create_secret" 1}}'
        contents: |
          apiVersion: v1
          kind: Secret
          metadata:
            name: redis-secret
          type: Opaque
          data:
            redisUri: "{{repl ConfigOption "redis_uri" | Base64Encode}}"
            pusherKey: "{{repl ConfigOption "pusher_key" | Base64Encode}}"
            pusherSecret: "{{repl ConfigOption "pusher_secret" | Base64Encode}}"

If the user is fine with having secrets managed by Ship, the file will be created with the relevant contents. Otherwise, no file will be created.