Secrets in Kubernetes
Note: Storing Spinnaker secrets in a Kubernetes secret is only supported if you’re using the Operator to deploy and manage Spinnaker. Additionally, you cannot encrypt configuration secrets for the UI (Deck) using the Kubernetes secret engine.
Creating a Kubernetes secret for Spinnaker to use
This example uses a Kubernetes secret to store GitHub credentials and a kubeconfig file.
SpinnakerTM can read secrets only within its own namespace. It cannot access Kubernetes secrets stored in a different namespace. In this document, assume that Spinnaker lives in the namespace
You can store files as well as individual text values in Kubernetes secrets to be referenced by Spinnaker. To create the secret you can use this command, assuming you have a file named
kubeconfig-prod where you are running the command:
kubectl -n spinnaker create secret generic spin-secrets \ --from-file=kubeconfig-prod \ --from-literal=github-token=aaaaaabbbbbbbbccccccccc
The command will create a secret named
spin-secrets in the
spinnaker namespace, having two keys: one is a kubeconfig file with key
kubeconfig-prod , and the other is a text value for a GitHub token with key
Kustomize also has a secret generator, so you can automatically deploy secrets using Kustomize along with the
SpinnakerService manifest. This is a
kustomization.yml file that creates the same secret as above:
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization secretGenerator: - name: spin-secrets files: - kubeconfig-prod literals: - github-token=aaaaaabbbbbbbbccccccccc
You reference secret values in your config with the following format:
encrypted:k8s!n:<secret name>!k:<secret key>
Similarly you can reference secret files:
encryptedFile:k8s!n:<secret name>!k:<secret key>
For example, to reference the GitHub token:
And to reference the content of our kubeconfig file:
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified December 9, 2022: (77a2e50)