Creating Data Manager Job secrets

Jobs can utilise secrets in two ways: as an image->pull-secret declaration or as an image->environment declaration. The former provides the credentials used to pull container images from a private registry; the latter injects sensitive information into containers via environment variables.

At the moment, secrets are installed by a cluster administrator using the Kubernetes command-line tool (kubectl).

Creating a base64 string for use in Ansible

We often create secrets in our Ansible scripts directly from base64-encoded strings.

Read our blog post (“Deploying container images from a private GitLab registry”), which describes how to create the string so that it can be used as an Ansible variable value.

Creating a secret for an image pull secret

In Kubernetes, a pull secret is a secret of type kubernetes.io/dockerconfigjson.

Just follow the Kubernetes documentation “Create a Secret by providing credentials on the command line”.

For example, we could create the pull-secret im-squonk-fragmenstein for an image on GitLab’s registry that has a deploy token with user data-manager and token 123456789 with: -

$ kubectl create secret docker-registry im-squonk-fragmenstein \
    --docker-server=registry.gitlab.com \
    --docker-username=data-manager \
    --docker-password=123456789

Remember, pull secrets need to be created in the Data Manager namespace.
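
An added example (not code from the blog post or the Data Manager project): one way to build the base64 string for a kubernetes.io/dockerconfigjson pull secret, and a Secret manifest that carries it, reading the deploy token from stdin so that it does not end up in shell history or the process list. It serves both the Ansible base64 section and the pull-secret section above; the function names and the file token.txt are hypothetical, and the blog post's own procedure may differ.

```shell
# Added example, not project code. Function names are hypothetical.

# Escape backslashes and double quotes for use inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Usage: dockerconfigjson_b64 <registry> <username> < token-file
# Prints the base64-encoded .dockerconfigjson payload on one line.
dockerconfigjson_b64() {
    token=
    IFS= read -r token || true        # token comes from stdin, not argv
    if [ -z "$token" ]; then
        echo "no token on stdin" >&2
        return 1
    fi
    # "auth" is base64(username:token), as stored in docker-style config files
    auth=$(printf '%s:%s' "$2" "$token" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" \
        "$(json_escape "$token")" "$auth" | base64 | tr -d '\n'
}

# Usage: pull_secret_manifest <name> <namespace> <registry> <username> < token-file
# Prints a Secret manifest suitable for "kubectl apply -f -".
pull_secret_manifest() {
    data=$(dockerconfigjson_b64 "$3" "$4") || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# e.g. pull_secret_manifest im-squonk-fragmenstein data-manager-api \
#        registry.gitlab.com data-manager < token.txt | kubectl apply -f -
```

The single-line output of dockerconfigjson_b64 is the kind of value that can be stored as an Ansible variable, ideally in an encrypted vault file rather than in plain text.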

Creating a secret as a source of image environment variables

Here we need to create a generic (Opaque) type secret. Environment secrets need to be created in the Data Manager namespace.

In this example we create a secret named app-credentials that has two values, a username and a password: -

$ kubectl config set-context --current --namespace=data-manager-api
$ kubectl create secret generic app-credentials \
    --from-literal=username=user-a \
    --from-literal=password=pssword123

To inject these into the Job image you would place the following block into the Job’s image declaration, which would result in two environment variables in the container: USERNAME and PASSWORD: -

jobs:
  [...]
  secret-job:
    image:
      [...]
      environment:
      - name: USERNAME
        value-from:
          secret:
            name: app-credentials
            key: username
      - name: PASSWORD
        value-from:
          secret:
            name: app-credentials
            key: password