
From our Kubernetes toolbox: the Secret Generator

For some time now, we have been running most of our own infrastructure (for example the platform behind our customer center) on the Kubernetes container orchestration platform. Because we always strive to automate recurring tasks, we have developed a number of Kubernetes operators over the years. We have published many of them under open source licenses on GitHub and would like to introduce them in a small blog series. Today in focus: the Kubernetes Secret Generator.
  1. Secret what?
  2. Installation
  3. Generate passwords
  4. Use generated passwords
  5. Regenerate passwords
  6. Summary
  7. Feedback

Secret what?

Secrets can be used for anything in Kubernetes. A secret can hold, for example, TLS certificates, access credentials for a container registry or plain old passwords.

When starting an application on Kubernetes, you may have to supply a password that is actually only needed by the application itself. This happens, for example, when a database container is started as a Kubernetes pod with a specific user password and an application, also started as a pod, is supposed to use that password. In such cases the actual content of the password does not matter much, as long as it is known to both containers and is sufficiently secure, that is, long enough and generated from a cryptographically secure random source. This is where the Kubernetes Secret Generator comes into play. It can be started as an additional component in your Kubernetes cluster and then automatically creates certain types of secrets, such as passwords or SSH key pairs.

Installation

The way I recommend installing the Secret Generator uses the popular deployment tool Helm. To do this, you first have to add the Mittwald Helm repository:

Then you can install the operator via `helm install` or `helm upgrade --install`:

This command installs the Secret Generator, which now runs as its own pod in the `kube-system` namespace.

Generate passwords

Once the operator is installed, all it takes is to give a secret an annotation named `secret-generator.v1.mittwald.de/autogenerate`. This can look like this, for example:

This secret already contains a value under the key `username` (the value `bWFydGlu` is just a Base64-encoded `martin`). The annotation instructs the Secret Generator to add another key, `password`, to this secret, containing an automatically generated password.

After creating this secret, a subsequent `kubectl get secret my-generated-secret -oyaml` should produce the following output (of course with an individually and guaranteed randomly generated password!):

Use generated passwords

The passwords generated by the Secret Generator can then be used like normal Kubernetes secrets. If, for example, you want to start a MySQL container (more on this in the official documentation), you can use the password generated above as the root password with the following snippet. Add the snippet to the `env` list of the container in the pod template of the `Deployment` or `StatefulSet`.

Regenerate passwords

Every now and then you may want to rotate a password, be it because someone saw it who should not have, or purely as a precaution. The Secret Generator supports this too: all you have to do is set the annotation `secret-generator.v1.mittwald.de/regenerate` on any secret object:

If you want to be completely on the safe side, you can use a similar command to reassign all automatically generated passwords at once:
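To make the behaviour of the `autogenerate` and `regenerate` annotations from the two sections above concrete, here is an added example that models one reconcile pass of such an operator in Python. It is not the project's own code: the password policy (32 alphanumeric characters from the `secrets` module), the comma-separated list of key names in the annotation value and the removal of the `regenerate` annotation after rotation are assumptions made for the illustration; the annotation names and the sample secret are taken from the post.

```python
import base64
import secrets
import string

# Annotation names as used in the blog post.
AUTOGENERATE = "secret-generator.v1.mittwald.de/autogenerate"
REGENERATE = "secret-generator.v1.mittwald.de/regenerate"

# Assumed password policy, not the project's real defaults: 32 characters
# of letters and digits drawn with the `secrets` module (a CSPRNG).
PASSWORD_LENGTH = 32
ALPHABET = string.ascii_letters + string.digits

def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Build a password from a cryptographically secure random source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def reconcile_secret(secret: dict) -> dict:
    """Model of one reconcile pass over a Secret manifest (plain dict).

    Keys named in the autogenerate annotation (comma-separated, an assumption)
    get a base64-encoded generated value if missing. If the regenerate
    annotation is present, those keys are replaced even when present and the
    annotation is removed so the rotation happens exactly once. Keys the
    user supplied, such as `username`, are never touched.
    """
    annotations = secret.setdefault("metadata", {}).setdefault("annotations", {})
    data = secret.setdefault("data", {})
    wanted = [k.strip() for k in annotations.get(AUTOGENERATE, "").split(",") if k.strip()]
    rotate = annotations.pop(REGENERATE, None) is not None
    for key in wanted:
        if rotate or key not in data:
            # Secret data is base64 in the manifest, just as bWFydGlu is "martin".
            data[key] = base64.b64encode(generate_password().encode()).decode()
    return secret

def decode_value(secret: dict, key: str) -> str:
    """Decode one data value, the way `kubectl get secret -oyaml` output is read."""
    return base64.b64decode(secret["data"][key]).decode()

# Constructed sample: the post's secret before the operator has seen it.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-generated-secret",
                 "annotations": {AUTOGENERATE: "password"}},
    "data": {"username": "bWFydGlu"},
}
```

Running `reconcile_secret(SAMPLE_SECRET)` twice yields the same password; adding the `regenerate` annotation before a third pass replaces it and drops the annotation again.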

Summary

The Kubernetes Secret Generator relieves us of the work of assigning an additional password for each additional application and then having to manage it. It also makes our life easier from a security perspective: our deployment pipelines no longer have to deal with passwords at all. They simply say: "Dear app, please generate your database password yourself and keep it to yourself." The generated passwords never need to leave the Kubernetes cluster. And via RBAC, unauthorized persons can be denied access to `Secret` objects entirely.

Feedback

Do you have suggestions, feedback or bug reports for the Secret Generator? We are happy to receive them as a GitHub issue. The exception is reports of security vulnerabilities: in that case, please note the project's security policy and use the contact options given there. :-)

Martin is a software architect and is enthusiastic about current topics in software and web development. He is also co-author of the books "Praxiswissen TYPO3" and "Zukunftssichere TYPO3-Extensions mit Extbase & Fluid" (both published by O'Reilly Verlag).