Better document how the secret could be used by a pod, deployment using imagePullSecrets #58

Open
cmoulliard opened this issue Apr 1, 2022 · 3 comments
Labels
awaiting-input carvel-accepted This issue should be considered for future work and that the triage process has been completed

Comments

@cmoulliard

Question

Is it possible to better document how we can, once the Secret, SecretExport and Secret Placeholder are created, consume the secret using the property imagePullSecrets within a Pod or Deployment?

Example of resources to be created

cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: reg-creds-docker
  namespace: demo
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {
      "auths": {
        "index.docker.io": {
          "username": "xxxxxx",
          "password": "user",
          "auth": ""
        }
      }
    } 
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: reg-creds-docker
  namespace: demo
spec:
  toNamespaces:
  - "*"
---
apiVersion: v1
kind: Secret
metadata:
  name: my-reg-creds
  namespace: demo
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
EOF

Next, we must patch the service account to set "imagePullSecrets": [{"name":"my-reg-creds"}], but apparently this is not enough, as no secret is copied into the namespace demo1.

kubectl create ns demo1
kubectl patch serviceaccount default -n demo1 -p '{"imagePullSecrets": [{"name":"my-reg-creds"}]}'
kubectl get sa,secret -n demo1
NAME                     SECRETS   AGE
serviceaccount/default   1         100s

NAME                         TYPE                                  DATA   AGE
secret/default-token-h8cvt   kubernetes.io/service-account-token   3      100s

Question: Could the patch step be done automatically? How?

@cmoulliard cmoulliard added the carvel-triage This issue has not yet been reviewed for validity label Apr 1, 2022
@benmoss
Contributor

benmoss commented May 11, 2022

Hmm, this works on my machine:

$ kubectl -n demo get secrets my-reg-creds -o json | jq -r '.data.".dockerconfigjson"' | base64 -d
{"auths":{"index.docker.io":{"username":"xxxxxx","password":"user","auth":""}}}

@joe-kimmel-vmw joe-kimmel-vmw removed the carvel-triage This issue has not yet been reviewed for validity label May 11, 2022
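
An added diagnostic example, not part of the original issue or of secretgen-controller: Kubernetes resolves imagePullSecrets only in the referring object's own namespace, so this checks every reference against the Secrets present there and decodes .dockerconfigjson the same way as the jq/base64 check above. The function names and the sample objects are assumptions; the input is the `items` array from `kubectl get serviceaccount,secret,pod -A -o json`.

```python
import base64
import json

PULL_TYPE = "kubernetes.io/dockerconfigjson"

def pull_refs(obj):
    """imagePullSecrets entries declared by a ServiceAccount, Pod or Deployment."""
    spec = {"ServiceAccount": obj, "Pod": obj.get("spec"),
            "Deployment": obj.get("spec", {}).get("template", {}).get("spec")}
    return (spec.get(obj["kind"]) or {}).get("imagePullSecrets") or []

def classify(secret):
    """Status of the Secret a reference resolved to (None means not found)."""
    if secret is None:
        return "missing"  # no Secret of that name in the referrer's namespace
    if secret.get("type") != PULL_TYPE:
        return "wrong-type"
    raw = (secret.get("data") or {}).get(".dockerconfigjson", "")
    try:
        auths = json.loads(base64.b64decode(raw) or b"{}").get("auths") or {}
    except (ValueError, AttributeError):
        return "unparseable"
    return "ok: " + ",".join(sorted(auths)) if auths else "empty-placeholder"

def check_pull_secrets(objects):
    """Map (namespace, kind, name, secret name) -> status for every reference."""
    secrets = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
               for o in objects if o["kind"] == "Secret"}
    report = {}
    for o in objects:
        ns = o["metadata"].get("namespace")
        for ref in pull_refs(o):
            key = (ns, o["kind"], o["metadata"]["name"], ref["name"])
            report[key] = classify(secrets.get((ns, ref["name"])))
    return report

def _secret(ns, name, b64):
    return {"kind": "Secret", "type": PULL_TYPE, "data": {".dockerconfigjson": b64},
            "metadata": {"namespace": ns, "name": name}}

FILLED = base64.b64encode(b'{"auths": {"index.docker.io": {"auth": ""}}}').decode()
SAMPLE = [  # constructed: mirrors the issue (placeholder in demo, patched SA in demo1)
    _secret("demo", "reg-creds-docker", FILLED),
    _secret("demo", "my-reg-creds", "e30K"),  # the unfilled placeholder value
    {"kind": "ServiceAccount", "metadata": {"namespace": "demo1", "name": "default"},
     "imagePullSecrets": [{"name": "my-reg-creds"}]},
    {"kind": "Pod", "metadata": {"namespace": "demo", "name": "app"},
     "spec": {"imagePullSecrets": [{"name": "my-reg-creds"}, {"name": "reg-creds-docker"}]}},
]
```

Run over the constructed sample, the patched service account in demo1 is reported as `missing`, because the only `my-reg-creds` object lives in demo, and `e30K` (base64 of `{}`) is reported as `empty-placeholder`.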
@joe-kimmel-vmw
Contributor

@cmoulliard can you confirm the version of secretgen-controller you were using, and that the deployment was healthy?

@neil-hickey
Contributor

@cmoulliard I'm just trying to follow up on this issue, did you get things working? Or are you happy to close out this issue?

@neil-hickey neil-hickey added carvel-accepted This issue should be considered for future work and that the triage process has been completed awaiting-input labels Feb 22, 2023
Projects
Status: Unprioritized