
Secret Stores

The table below lists the actions that can be performed on a "Secret Store" using the RCTL CLI utility.

Resource       Create   Get   Update   Apply   Delete
Secret Store   YES      YES   YES      YES     YES

A declarative approach to secret store lifecycle management (YAML spec files that are version controlled in your Git repository) is strongly recommended.

Create Secret Stores

Use the command below to create a secret store. The secret store is created in both the UI and the Git repo.

./rctl create secretstore -f <filename.yaml>

An illustrative example of the secret store spec YAML file is shown below (the host value is left empty here; a real spec requires the Vault server URL)

apiVersion: integrations.k8smgmt.io/v3
kind: SecretStore
metadata:
    name: testdemo03
    project: defaultproject
    displayName: testdemo03
spec:
    provider: Vault
    config:
        vault:
            host:
            clusters:
            - authPath: authpath01testdemo03
              clusterName: tb98cl02
              vaultNamespace: vns01testdemo03

Update Secret Stores

Use the command below to push changes made to the secret store YAML file. The update is reflected in both the UI and the Git repo.

./rctl update secretstore -f <filename.yaml>

Apply Secret Store

Use the apply command below to create new resource(s) or to apply changes made in the YAML file

./rctl apply -f yamlfile.yaml

Wait Flag

RCTL provides an option for users to wait on (block until completion of) long-running operations. When automation pipeline logic becomes convoluted, enabling the --wait flag blocks the command and keeps polling the operation status until it reaches a terminal state (success or failure).

Flag     Create   Update   Apply
--wait   YES      YES      YES

Below is an example of a successful secret store creation with the --wait flag

./rctl create secretstore -f demo-file.yaml --wait

status[0]: vault integration process in progress...
status[1]: vault integration process in progress...
status[2]: vault integration process in progress...
status[3]: vault integration process in progress...
status[4]: vault integration process in progress...
status[5]: vault integration process in progress...
status[6]: vault integration process in progress...
status[7]: vault integration process in progress...
status[8]: vault integration process in progress...

NOTE: vault integration successful for cluster tb98cl02:

Kubernetes Host: https://192.168.49.2:8443

Token Reviewer JWT: eyJhbGciOiJSUzI1NiIsImtpZCI6IjJVYTB4cFI0eFlpQl8yZnZ3S19tM0x1LUNmRnYxcy1QQ0FFdDZQd2xaSEUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYWZheS1zeXN0ZW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoidmF1bHQtYXV0aC10b2tlbi12cjR4YiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ2YXVsdC1hdXRoIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE2MWUzYjYtMTkwZi00YzU3LWE4OTItODYxYjYwNmNmODU2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnJhZmF5LXN5c3RlbTp2YXVsdC1hdXRoIn0.nkvZxkixPTkHzArjB6fIcwN9W9HTOa7u-rDdYNJZp2ppMI9ZqEJmFn3nvA20vQdoQUZiQZUil20dsJKTLU5h541bQ7tE-ay-F1Fv6OuqFqnGlQEYk1DilmY9ak_By7fSKhT-HD0H4KySUFFEI_tvd7EoRfdBsSbje6obTa1cWjKWb3YXHzFg_XZh6Qi_uBE2JTMcW8RAnerRcd0B3xWn2ga9kshIkgaKIS6kIcAErpeIbunVVLHgVXsU4_DSxYwPTkVGyWlmLNSx48F2x9jspsKJz6cTHGo6BwdaF93vmFig4MNaVtRmvw1I8yFVOPeTSMtUY64crwQw7qVi316ZxA

Kubernetes CA Cert: -----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

Failed Scenario

Below is an example of a failed scenario when using the --wait flag during the creation of a secret store

./rctl create secretstore -f demo-file1.yaml --wait
Error: Vault integration failed for cluster tb98cl02 with reason: Cluster already has active vault integration
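The two things a pipeline author usually wants around these commands are a pre-flight check of the SecretStore spec before it is applied (the spec layout shown under "Create Secret Stores") and a way to turn the --wait output above into a pass/fail result that a CI job can act on. The script below is an added example and is not part of the RCTL documentation or of the rctl tool itself. It assumes rctl is invoked as ./rctl (override with the hypothetical RCTL_BIN environment variable), that the spec is loaded with PyYAML's yaml.safe_load (only imported when rctl is actually run), and that the output lines quoted on this page (status[N] polls, the "NOTE: vault integration successful" line and the "Error:" line) are the lines to match. The sample outputs embedded in the block are constructed from those quoted lines. It also masks the Token Reviewer JWT and CA certificate that a successful --wait run prints, so that they do not end up in pipeline logs.

```python
"""Pre-flight validation and --wait result classification for rctl secretstore.

Added example, not part of the RCTL documentation or the rctl tool.
Assumptions: rctl lives at ./rctl unless RCTL_BIN (hypothetical) is set;
PyYAML is available for loading the spec file when rctl is actually run.
"""
import os
import re
import subprocess
from typing import Any, Dict, List, Tuple

# Keys each entry under spec.config.vault.clusters must carry (from the doc's spec).
REQUIRED_CLUSTER_KEYS = ("authPath", "clusterName", "vaultNamespace")


def validate_spec(spec: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the spec is ready to apply."""
    problems: List[str] = []
    if spec.get("apiVersion") != "integrations.k8smgmt.io/v3":
        problems.append("apiVersion must be integrations.k8smgmt.io/v3")
    if spec.get("kind") != "SecretStore":
        problems.append("kind must be SecretStore")
    meta = spec.get("metadata") or {}
    for key in ("name", "project"):
        if not meta.get(key):
            problems.append(f"metadata.{key} is required")
    body = spec.get("spec") or {}
    if body.get("provider") != "Vault":
        problems.append("spec.provider must be Vault")
    vault = (body.get("config") or {}).get("vault") or {}
    host = vault.get("host")
    # The doc's illustrative YAML leaves host empty; a real run needs an https URL.
    if not isinstance(host, str) or not re.match(r"^https://[^\s/]+(/.*)?$", host):
        problems.append("spec.config.vault.host must be an https:// URL")
    clusters = vault.get("clusters") or []
    if not clusters:
        problems.append("spec.config.vault.clusters must list at least one cluster")
    for i, cluster in enumerate(clusters):
        for key in REQUIRED_CLUSTER_KEYS:
            if not (cluster or {}).get(key):
                problems.append(f"clusters[{i}].{key} is required")
    return problems


# Patterns for the --wait output lines quoted in the documentation.
_FAILURE = re.compile(r"^Error: (.*)$", re.M)
_SUCCESS = re.compile(r"^NOTE: vault integration successful for cluster (\S+?):?\s*$", re.M)
_PENDING = re.compile(r"^status\[(\d+)\]: .*in progress", re.M)


def classify_wait_output(text: str) -> Tuple[str, str]:
    """Map rctl --wait output to (state, detail): failed, success, pending or unknown."""
    m = _FAILURE.search(text)
    if m:
        return ("failed", m.group(1).strip())
    m = _SUCCESS.search(text)
    if m:
        return ("success", m.group(1))
    polls = _PENDING.findall(text)
    if polls:
        return ("pending", f"{len(polls)} status polls, no terminal line")
    return ("unknown", text.strip()[:80])


def redact_secrets(text: str) -> str:
    """Mask the reviewer JWT and CA cert printed on success before logging output."""
    text = re.sub(r"(Token Reviewer JWT: )\S+", r"\1<redacted>", text)
    return re.sub(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                  "<ca cert redacted>", text, flags=re.S)


def apply_with_wait(path: str) -> Tuple[str, str]:
    """Validate the YAML at path, then run 'rctl apply -f <path> --wait' and classify."""
    import yaml  # PyYAML, assumed available
    with open(path) as f:
        spec = yaml.safe_load(f)
    problems = validate_spec(spec)
    if problems:
        return ("invalid", "; ".join(problems))
    rctl = os.environ.get("RCTL_BIN", "./rctl")  # RCTL_BIN is a hypothetical override
    proc = subprocess.run([rctl, "apply", "-f", path, "--wait"],
                          capture_output=True, text=True)
    combined = proc.stdout + proc.stderr
    print(redact_secrets(combined))  # keep token and cert out of pipeline logs
    return classify_wait_output(combined)


# Constructed sample outputs, modelled on the lines quoted in the documentation.
SAMPLE_SUCCESS = ("status[0]: vault integration process in progress...\n"
                  "status[1]: vault integration process in progress...\n"
                  "NOTE: vault integration successful for cluster tb98cl02:\n"
                  "Kubernetes Host: https://192.168.49.2:8443\n"
                  "Token Reviewer JWT: eyJ.constructed.sample\n")
SAMPLE_FAILURE = ("Error: Vault integration failed for cluster tb98cl02 "
                  "with reason: Cluster already has active vault integration\n")

if __name__ == "__main__":
    print(classify_wait_output(SAMPLE_SUCCESS))
    print(classify_wait_output(SAMPLE_FAILURE))
```

Run apply_with_wait("secretstore.yaml") from a pipeline step and branch on the returned state; a non-empty problem list from validate_spec means rctl was never called, so the failure is cheap and local.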

List Secret Stores

Use the command below to list the secret stores and their details

./rctl get secretstore
+-------------------+----------+---------------------------------+------------+------------------------------+
| SECRET STORE NAME | PROVIDER | HOST                            | CLUSTER(S) | LAST MODIFIED                |
+-------------------+----------+---------------------------------+------------+------------------------------+
| testdemo02        | Vault    | https://www.testdemo01.com:8000 | 1          | Tue Mar  8 01:56:55 UTC 2022 |
+-------------------+----------+---------------------------------+------------+------------------------------+
| testdemo01        | Vault    | https://www.testdemo01.com:8000 | 1          | Mon Mar  7 07:12:26 UTC 2022 |
+-------------------+----------+---------------------------------+------------+------------------------------+

To view the details of a specific secret store, use the command below

./rctl get secretstore testdemo01
+-------------------+
| SECRET STORE NAME |
+-------------------+
| testdemo01        |
+-------------------+

NOTE: vault integration successful for cluster tb98cl02:

Kubernetes Host: https://192.168.49.2:8443

Token Reviewer JWT: eyJhbGciOiJSUzI1NiIsImtpZCI6IjJVYTB4cFI0eFlpQl8yZnZ3S19tM0x1LUNmRnYxcy1QQ0FFdDZQd2xaSEUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYWZheS1zeXN0ZW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoidmF1bHQtYXV0aC10b2tlbi12cjR4YiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ2YXVsdC1hdXRoIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE2MWUzYjYtMTkwZi00YzU3LWE4OTItODYxYjYwNmNmODU2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnJhZmF5LXN5c3RlbTp2YXVsdC1hdXRoIn0.nkvZxkixPTkHzArjB6fIcwN9W9HTOa7u-rDdYNJZp2ppMI9ZqEJmFn3nvA20vQdoQUZiQZUil20dsJKTLU5h541bQ7tE-ay-F1Fv6OuqFqnGlQEYk1DilmY9ak_By7fSKhT-HD0H4KySUFFEI_tvd7EoRfdBsSbje6obTa1cWjKWb3YXHzFg_XZh6Qi_uBE2JTMcW8RAnerRcd0B3xWn2ga9kshIkgaKIS6kIcAErpeIbunVVLHgVXsU4_DSxYwPTkVGyWlmLNSx48F2x9jspsKJz6cTHGo6BwdaF93vmFig4MNaVtRmvw1I8yFVOPeTSMtUY64crwQw7qVi316ZxA

Kubernetes CA Cert: -----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMTExNTA1MjAyN1oXDTMxMTExNDA1MjAyN1owFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANvY
wExFh9LqR+JAcCE+gAHQdOSouxbwqYzA3EVF5JcsSSCR53JlprcCc4EJ1VmfSUbw
EOTe+Lto63Q7TuHd4Li03ab+X7E7WrE8wgKHZ/ucy4AErkfG39SaUxorqAC4GnbX
AGdlbJm92Rls0otY4BhVLyrRdRM7AhEknZ1IvczZKTKmRGrdAt1ns/yvjgNJYlYE
JXfUh5tbCwfaNeLUWZ8NV8+fP15vslh3vKzp2hyh71LhS4i9Yb2ZhLG5UDk67til
Z0fCN8acRLhm3Hlf0OFuKgRAbBYyG9HWKDgHUEEfQdqCHefugKXfeIw6Y3R9+4vo
HEmkEkuqq8eH6UqIeg0CAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBReBHaWhc5Kpr4ooK+RyfSQYrt8QjANBgkqhkiG9w0BAQsFAAOCAQEAKtoQVeG4
SpIQWlCd7TMC2MBw3aCmZnF89lKwP/YqfTPJwmIBiaHPn0SU/sx83zAaHBDDpvHE
+0/G4aWhgtKQ/tIVJ1ejMaA89OcC9UyLP3FiK9iVwxkirPINV8Tudvodfr0m2Mjh
cxWHaYKrZzAnX63R4ITpeovLeuz99Z60Ggbz6n8aF+AZSk0Jqyi7XkBVraMsY8M6
uP8DnWYjOX1Wa+kJMa7d/una1m5ADapn+sNwivWg1AVXR6YtUZPlKCnRNPpD1IUg
SWKBGjiKhqS/aGLU5DXy1C++vq4AZJ1ZzduYqwbHFz1jW9vCJF9yMWy4biVKlupv
PT4Vsp6JQepAKA==
-----END CERTIFICATE-----

Delete Secret Store(s)

Use either of the commands below to delete a secret store

./rctl delete secretstore <secretstore_name>

(or)

./rctl delete secretstore -f <filename.yaml>