From our Kubernetes toolbox: the Secret Generator
- Secret what?
- Generate passwords
- Use generated passwords
- Regenerate passwords
Secrets can be used for anything in Kubernetes. A secret can store, for example, TLS certificates, access data for a container registry or old-fashioned passwords.
When starting an application on Kubernetes, you may have to assign a password that is actually only required by the application itself. This can happen if a database container is started as a Kubernetes pod with a specific user password and an application, also started as a pod, is supposed to use this password. In such cases, the actual content of the password is not so important, as long as it is known to both containers and is sufficiently secure, that is, long enough and created from a cryptographically secure random source. This is where the Kubernetes Secret Generator comes into play. It can be started as an additional component in your Kubernetes cluster and then automatically creates certain types of secrets, such as passwords or SSH key pairs.
The way I recommend installing the Secret Generator uses the popular deployment tool Helm. To do this, you first have to set up the Mittwald Helm repository:
Then you can install the operator via `helm install` or `helm upgrade --install`:
This command installs the Secret Generator, which now runs as its own pod in the `kube-system` namespace.
Once the operator has been installed, it is sufficient to assign an annotation named `secret-generator.v1.mittwald.de/autogenerate` to a secret. This can, for example, look like this:
This secret already contains a value under the key `username` (the value `bWFydGlu` is just a Base64-encoded `martin`). The annotation instructs the Secret Generator to add another key, `password`, to this secret, which should contain an automatically generated password.
After creating this secret, a subsequent `kubectl get secret my-generated-secret -oyaml` should result in the following output (of course with an individual and guaranteed randomly generated password!):
Use generated passwords
The passwords generated by the Secret Generator can then be used like normal Kubernetes secrets. If, for example, you want to start a MySQL container (more on this in the official documentation), you can use the password generated above as the root password with the following snippet. You should add the snippet to the `.env` list of the pod template in the `Deployment` or `StatefulSet`.
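As an added example (not taken from the original post or from the project), the annotated secret described above and a MySQL `Deployment` that consumes the generated `password` key could look like this. The Deployment name, the labels and the image tag are assumptions; the secret name, keys and annotation are the ones named in the text.

```yaml
# Added example; everything except the Secret's name, keys and annotation is assumed.
apiVersion: v1
kind: Secret
metadata:
  name: my-generated-secret
  annotations:
    # Ask the Secret Generator to add a random value under the key "password".
    secret-generator.v1.mittwald.de/autogenerate: password
data:
  username: bWFydGlu   # Base64 for "martin", as in the text
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql            # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql         # assumed label
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
        - name: mysql
          image: mysql:8.0   # assumed image tag
          env:
            # The password never appears in the manifest or the pipeline;
            # the kubelet injects it from the Secret when the container starts.
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-generated-secret
                  key: password
```

Environment variables sourced from a secret are read only when the container starts, so a pod created before the `password` key exists will not start until the key is present, and a regenerated value reaches the container only after a restart.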
Every now and then you may want to rotate a password, be it because someone saw it who shouldn't have seen it, or as a purely precautionary measure. The Secret Generator also supports this: all you have to do is set the annotation `secret-generator.v1.mittwald.de/regenerate` on any secret object:
If you want to be completely on the safe side, you can also use a similar command to regenerate all automatically generated passwords:
The Kubernetes Secret Generator relieves us of the work of assigning an additional password for each additional application and then having to manage it. It also makes our lives easier from a security perspective: our deployment pipelines no longer have to bother with passwords at all. They simply say: "Dear app, please generate your database password yourself and keep it to yourself". The generated passwords do not need to leave the Kubernetes cluster at any time. And via RBAC, unauthorized persons can be completely denied access to `Secret` objects.
Do you have suggestions, feedback or bug reports for the Secret Generator? We are happy to receive these as a GitHub issue. Exceptions here, however, are reports of security vulnerabilities. In this case, please note the security policy of the project and use the contact options given there. :-)