# Secret Stores

The table below lists the actions that can be performed on a Secret Store using the RCTL CLI utility.
Resource | Create | Get | Update | Apply | Delete |
---|---|---|---|---|---|
Secret Store | YES | YES | YES | YES | YES |
A declarative approach to secret store lifecycle management, using YAML spec files that are version controlled in your Git repository, is strongly recommended.

## Create Secret Stores

Use the command below to create a secret store. The secret store is created in both the UI and the Git repo.

```bash
./rctl create secretstore -f <filename.yaml>
```
An illustrative example of the secret store spec YAML file is shown below.

```yaml
apiVersion: integrations.k8smgmt.io/v3
kind: SecretStore
metadata:
  name: testdemo03
  project: defaultproject
  displayName: testdemo03
spec:
  provider: Vault
  config:
    vault:
      host:
      clusters:
        - authPath: authpath01testdemo03
          clusterName: tb98cl02
          vaultNamespace: vns01testdemo03
```
## Update Secret Stores

Use the command below to push the changes made in the secret store YAML file. The update is reflected in both the UI and the Git repo.

```bash
./rctl update secretstore -f <filename.yaml>
```
## Apply Secret Store

Use the apply command below to create new resource(s) or to apply the changes made in the YAML file.

```bash
./rctl apply -f yamlfile.yaml
```
## Wait Flag

RCTL provides an option for users to block on long-running operations. When the logic of an automation pipeline becomes convoluted, enabling the `--wait` flag lets the command block and keep polling the operation's status (for example, success or failure) until it completes.
Flag | Create | Update | Apply |
---|---|---|---|
--wait | YES | YES | YES |
Below is an example of a successful secret store creation with the `--wait` flag.

```bash
./rctl create secretstore -f demo-file.yaml --wait
```

```text
status[0]: vault integration process in progress...
status[1]: vault integration process in progress...
status[2]: vault integration process in progress...
status[3]: vault integration process in progress...
status[4]: vault integration process in progress...
status[5]: vault integration process in progress...
status[6]: vault integration process in progress...
status[7]: vault integration process in progress...
status[8]: vault integration process in progress...
NOTE: vault integration successful for cluster tb98cl02:
Kubernetes Host: https://192.168.49.2:8443
Token Reviewer JWT: eyJhbGciOiJSUzI1NiIsImtpZCI6IjJVYTB4cFI0eFlpQl8yZnZ3S19tM0x1LUNmRnYxcy1QQ0FFdDZQd2xaSEUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYWZheS1zeXN0ZW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoidmF1bHQtYXV0aC10b2tlbi12cjR4YiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ2YXVsdC1hdXRoIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE2MWUzYjYtMTkwZi00YzU3LWE4OTItODYxYjYwNmNmODU2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnJhZmF5LXN5c3RlbTp2YXVsdC1hdXRoIn0.nkvZxkixPTkHzArjB6fIcwN9W9HTOa7u-rDdYNJZp2ppMI9ZqEJmFn3nvA20vQdoQUZiQZUil20dsJKTLU5h541bQ7tE-ay-F1Fv6OuqFqnGlQEYk1DilmY9ak_By7fSKhT-HD0H4KySUFFEI_tvd7EoRfdBsSbje6obTa1cWjKWb3YXHzFg_XZh6Qi_uBE2JTMcW8RAnerRcd0B3xWn2ga9kshIkgaKIS6kIcAErpeIbunVVLHgVXsU4_DSxYwPTkVGyWlmLNSx48F2x9jspsKJz6cTHGo6BwdaF93vmFig4MNaVtRmvw1I8yFVOPeTSMtUY64crwQw7qVi316ZxA
Kubernetes CA Cert: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
```
## Failed Scenario

Below is an example of a failed scenario when using the `--wait` flag during the creation of a secret store.

```bash
./rctl create secretstore -f demo-file1.yaml --wait
```

```text
Error: Vault integration failed for cluster tb98cl02 with reason: Cluster already has active vault integration
```
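The `--wait` transcripts above are what an automation pipeline has to interpret, and the successful one carries the cluster's Token Reviewer JWT and CA certificate. Below is an added example, not part of the RCTL documentation or the project's own code, of a POSIX shell wrapper that classifies the blocking output as success or failure and redacts the JWT and certificate before the transcript is written to a CI log. The sample transcripts are constructed to match the shape shown above (the JWT and certificate bodies are placeholders); the `./rctl` path, the spec file argument and the `create_secret_store` helper are assumptions.

```shell
#!/bin/sh
# Added example (not RCTL's own code): wrap `rctl create secretstore --wait`
# for use in a pipeline. Classify the blocking output and keep the Token
# Reviewer JWT and CA certificate out of build logs.
set -u

# Constructed sample transcripts, shaped like the output shown on this page.
# The JWT and certificate bodies are placeholders, not real credentials.
SAMPLE_OK='status[0]: vault integration process in progress...
status[1]: vault integration process in progress...
NOTE: vault integration successful for cluster tb98cl02:
Kubernetes Host: https://192.168.49.2:8443
Token Reviewer JWT: eyJhbGciOiJSUzI1NiJ9.constructed-payload.constructed-signature
Kubernetes CA Cert: -----BEGIN CERTIFICATE-----constructed-----END CERTIFICATE-----'

SAMPLE_FAIL='Error: Vault integration failed for cluster tb98cl02 with reason: Cluster already has active vault integration'

# Read a --wait transcript on stdin and print exactly one verdict line:
#   "success <cluster>", "failure <reason>" or "unknown".
classify_wait_output() {
  awk '
    /^NOTE: vault integration successful for cluster / {
      c = $NF; sub(/:$/, "", c)
      print "success " c; found = 1; exit
    }
    /^Error: / {
      sub(/^Error: /, "")
      print "failure " $0; found = 1; exit
    }
    END { if (!found) print "unknown" }
  '
}

# Replace the JWT value and the certificate body so the transcript can be logged.
redact_secrets() {
  sed -E \
    -e 's/^(Token Reviewer JWT: ).*/\1[REDACTED]/' \
    -e 's/(-----BEGIN CERTIFICATE-----).*(-----END CERTIFICATE-----)/\1[REDACTED]\2/'
}

# Pipeline step (assumed helper): run the real command, log a redacted
# transcript, and fail the step unless rctl reported success.
create_secret_store() {
  spec="$1"
  rc=0
  out=$(./rctl create secretstore -f "$spec" --wait 2>&1) || rc=$?
  printf '%s\n' "$out" | redact_secrets
  verdict=$(printf '%s\n' "$out" | classify_wait_output)
  case "$verdict" in
    success*) [ "$rc" -eq 0 ] ;;
    *)        return 1 ;;
  esac
}

# Demonstration on the constructed transcripts (no rctl binary needed).
printf '%s\n' "$SAMPLE_OK" | classify_wait_output
printf '%s\n' "$SAMPLE_FAIL" | classify_wait_output
printf '%s\n' "$SAMPLE_OK" | redact_secrets
```

In a pipeline, call `create_secret_store path/to/spec.yaml` as the step command: the redacted transcript is what reaches the job log, while the verdict and rctl's exit code together decide whether the step fails. The `unknown` verdict is treated as a failure so that a transcript the wrapper does not recognise never passes silently.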
## List Secret Stores

Use the command below to get the list of secret stores and their details.

```bash
./rctl get secretstore
```

```text
+-------------------+----------+---------------------------------+------------+------------------------------+
| SECRET STORE NAME | PROVIDER | HOST                            | CLUSTER(S) | LAST MODIFIED                |
+-------------------+----------+---------------------------------+------------+------------------------------+
| testdemo02        | Vault    | https://www.testdemo01.com:8000 | 1          | Tue Mar  8 01:56:55 UTC 2022 |
+-------------------+----------+---------------------------------+------------+------------------------------+
| testdemo01        | Vault    | https://www.testdemo01.com:8000 | 1          | Mon Mar  7 07:12:26 UTC 2022 |
+-------------------+----------+---------------------------------+------------+------------------------------+
```
To view the details of a specific secret store, use the command below.

```bash
./rctl get secretstore testdemo01
```

```text
+-------------------+
| SECRET STORE NAME |
+-------------------+
| testdemo01        |
+-------------------+
NOTE: vault integration successful for cluster tb98cl02:
Kubernetes Host: https://192.168.49.2:8443
Token Reviewer JWT: eyJhbGciOiJSUzI1NiIsImtpZCI6IjJVYTB4cFI0eFlpQl8yZnZ3S19tM0x1LUNmRnYxcy1QQ0FFdDZQd2xaSEUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYWZheS1zeXN0ZW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoidmF1bHQtYXV0aC10b2tlbi12cjR4YiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ2YXVsdC1hdXRoIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE2MWUzYjYtMTkwZi00YzU3LWE4OTItODYxYjYwNmNmODU2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnJhZmF5LXN5c3RlbTp2YXVsdC1hdXRoIn0.nkvZxkixPTkHzArjB6fIcwN9W9HTOa7u-rDdYNJZp2ppMI9ZqEJmFn3nvA20vQdoQUZiQZUil20dsJKTLU5h541bQ7tE-ay-F1Fv6OuqFqnGlQEYk1DilmY9ak_By7fSKhT-HD0H4KySUFFEI_tvd7EoRfdBsSbje6obTa1cWjKWb3YXHzFg_XZh6Qi_uBE2JTMcW8RAnerRcd0B3xWn2ga9kshIkgaKIS6kIcAErpeIbunVVLHgVXsU4_DSxYwPTkVGyWlmLNSx48F2x9jspsKJz6cTHGo6BwdaF93vmFig4MNaVtRmvw1I8yFVOPeTSMtUY64crwQw7qVi316ZxA
Kubernetes CA Cert: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
```
## Delete Secret Store(s)

Use either of the commands below to delete a secret store.

```bash
./rctl delete secretstore <secretstore_name>
```

(or)

```bash
./rctl delete secretstore -f <filename.yaml>
```