
CLI

The table below describes the list of actions that can be performed on Secret Provider Classes using the RCTL CLI Utility.

Resource      Create   Get   Update   Delete
Secret Store  YES      YES   YES      YES

A declarative approach, using YAML spec files that are version controlled in your Git repository, is strongly recommended for lifecycle management of Secret Manager resources.

Step 1: Add CSI Driver through Blueprint

An illustrative example of a blueprint spec YAML file that adds the CSI driver as a managed system add-on, with customization options, is shown below.

apiVersion: infra.k8smgmt.io/v3
kind: Blueprint
metadata:
  name: demo-bp-csiaws
  project: defaultproject
spec:
  base:
    name: minimal
    version: 1.13.0
  defaultAddons:
    csiSecretStoreConfig:
      enableSecretRotation: true
      providers:
        aws: true
    enableCsiSecretStore: true
    enableIngress: false
    enableLogging: false
    enableMonitoring: false
    enableVM: false
  drift:
    enabled: false
  opaPolicy: {}
  placement: {}
  psp:
    enabled: true
    scope: Cluster
  sharing:
    enabled: false
  version: v2

Use the below command to create the Blueprint

./rctl create blueprint <blueprint-name>

Step 2: Secret Provider Class

Create Secret Provider Class

Once the CSI driver has been added through the blueprint, use the command below to create a secret provider class for AWS. This creates the secret provider class in both the UI and the Git repository.

./rctl create secretproviderclass -f <file.yaml>

An illustrative example of the secret provider class spec YAML file is shown below.

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  creationTimestamp: null
  name: new-spc-yaml
spec:
  parameters:
    objects: |
      - jmesPath:
        - objectAlias: githubtoken
          path: githubtoken
        - objectAlias: key
          path: key
        objectName: demo/testsecret
        objectType: secretsmanager
  provider: aws
status: {}
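A small render-and-lint script for this step, added here as an example; it is not part of the original page and not a feature of rctl. The helper names render_spc, lint_spc and apply_spc are this example's own. It renders a spec of the same shape as the one above from a secret name and a list of alias:path pairs, then checks the file for mistakes that otherwise only surface when a pod mounts the volume (duplicate objectAlias values, an unsupported objectType, a jmesPath entry missing its alias) before the file is handed to `./rctl create secretproviderclass -f` or `./rctl update secretproviderclass -f`. The accepted objectType values (secretsmanager, ssmparameter) are those of the AWS provider; the page itself only shows secretsmanager.

```shell
#!/bin/sh
# Added example, not from the page or the rctl tool: render a SecretProviderClass
# spec for the AWS provider and lint it before running rctl create/update.

# render_spc <spc-name> <aws-secret-name> <alias:path> [<alias:path> ...]
# Each alias:path pair becomes one jmesPath entry exposing one key of the
# JSON secret as a file named after the alias.
render_spc() {
  spc_name=$1
  object_name=$2
  shift 2
  for pair in "$@"; do                     # validate before emitting anything
    case $pair in
      *:*) ;;
      *) echo "render_spc: expected alias:path, got '$pair'" >&2; return 1 ;;
    esac
  done
  printf '%s\n' \
    'apiVersion: secrets-store.csi.x-k8s.io/v1' \
    'kind: SecretProviderClass' \
    'metadata:' \
    "  name: $spc_name" \
    'spec:' \
    '  provider: aws' \
    '  parameters:' \
    '    objects: |' \
    "      - objectName: $object_name" \
    '        objectType: secretsmanager' \
    '        jmesPath:'
  for pair in "$@"; do
    printf '%s\n' \
      "          - path: ${pair#*:}" \
      "            objectAlias: ${pair%%:*}"
  done
}

# lint_spc <file>: return non-zero on problems a pod would hit at mount time.
# Regexes accept both "- path:" / "path:" key orders, so the page's own spec lints too.
lint_spc() {
  file=$1
  status=0
  grep -q '^kind: SecretProviderClass$' "$file" \
    || { echo "lint: $file: kind must be SecretProviderClass" >&2; status=1; }
  grep -q '^  provider: aws$' "$file" \
    || { echo "lint: $file: spec.provider must be aws" >&2; status=1; }
  # objectType values accepted by the AWS provider (assumption stated in the lead-in)
  bad_types=$(sed -n -E 's/^ *objectType: *//p' "$file" \
    | grep -vE '^(secretsmanager|ssmparameter)$' || true)
  [ -z "$bad_types" ] \
    || { echo "lint: $file: unsupported objectType: $bad_types" >&2; status=1; }
  # Two jmesPath entries with the same objectAlias would map to the same mounted file.
  dups=$(sed -n -E 's/^ *(- )?objectAlias: *//p' "$file" | sort | uniq -d)
  [ -z "$dups" ] \
    || { echo "lint: $file: duplicate objectAlias: $dups" >&2; status=1; }
  # Every jmesPath entry needs both a path and an objectAlias.
  n_path=$(grep -cE '^ *(- )?path:' "$file" || true)
  n_alias=$(grep -cE '^ *(- )?objectAlias:' "$file" || true)
  [ "$n_path" -eq "$n_alias" ] \
    || { echo "lint: $file: $n_path path entries but $n_alias objectAlias entries" >&2; status=1; }
  return $status
}

# apply_spc create|update <file>: only call rctl when the lint passes.
# RCTL is an assumed environment variable; it defaults to ./rctl as used on this page.
apply_spc() {
  lint_spc "$2" || return 1
  "${RCTL:-./rctl}" "$1" secretproviderclass -f "$2"
}

# Demo with the page's own values (demo/testsecret, aliases githubtoken and key).
demo() {
  dir=$(mktemp -d)
  render_spc new-spc-yaml demo/testsecret githubtoken:githubtoken key:key \
    > "$dir/new-spc-yaml.yaml"
  if lint_spc "$dir/new-spc-yaml.yaml"; then
    echo "ready: ./rctl create secretproviderclass -f $dir/new-spc-yaml.yaml"
  fi
}
demo
```

Run `apply_spc create <file>` after editing a spec, and `apply_spc update <file>` for later changes; both refuse to call rctl when the lint reports a problem, so a broken spec never reaches the UI or the Git repository.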

Update Secret Provider Class

Use the command below to apply changes made to the secret provider class YAML file. The update is reflected in both the UI and the Git repository.

./rctl update secretproviderclass -f <file_name.yaml>

List Secret Provider Classes

Use the command below to list the secret provider classes and their details.

./rctl get spc
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| SECRETPROVIDERCLASS NAME | PROVIDER | ARTIFACT TYPE | ARTIFACT FILES                                                                   | REPOSITORY    |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| two                      | AWS      | Yaml          | paths:{name:"file://artifacts/two/aws-sample.yaml"}                              |               |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| test-secret              | AWS      |               |                                                                                  |               |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| demo-secret-wizard       | AWS      |               |                                                                                  |               |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| test-dtho                | AWS      | Yaml          | paths:{name:"file://artifacts/test-dtho/aws-sample.yaml"}                        |               |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| test-spc                 | AWS      |               |                                                                                  |               |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+
| new-spc-yaml             | AWS      | Yaml          | paths:{name:"file://artifacts/new-spc-yaml/provider-class-new-spc-wizard.yml"}   |               |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+---------------+

To view the details of a specific secret provider class, use the command below.

./rctl get spc spc-yaml-demo
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+------------+
| SECRETPROVIDERCLASS NAME | PROVIDER | ARTIFACT TYPE | ARTIFACT FILES                                                                   | REPOSITORY |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+------------+
| spc-yaml-demo            | AWS      | Yaml          | paths:{name:"file://artifacts/spc-yaml-demo/provider-class-new-spc-wizard.yml"}  |            |
+--------------------------+----------+---------------+----------------------------------------------------------------------------------+------------+

Delete Secret Provider Class

Use either of the commands below to delete a secret provider class, by name or from its YAML file.

./rctl delete secretproviderclass <spc_name>

(or)

./rctl delete secretproviderclass -f <filename.yaml>

Step 3: Create Secret Store

Use the command below to create a secret store that pulls secrets from AWS Secrets Manager. This creates the secret store in both the UI and the Git repository.

./rctl create secretstore -f <filename.yaml>

Refer to the Secret Store page for details of the remaining operations.