0

I use the elasticsearch secret function in the kubernetes environment.
There is a problem with the distribution of certificates used at this time.
I use a .p12 format certificate, which Elasticsearch uses by default. For use https, all PODs need to use Kubernetes secrets to share certificates. But,
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

I can not use the command like above, and I need to generate secrets with a .yaml file.
However, if I create a .yaml file, it will not be base64 encoded. How can I solve it?

Finally, I want to know how to write .yaml ? The example below does not work. https://kubernetes.io/docs/concepts/configuration/secret/

apiVersion: v1
kind: Secret
metadata:
  labels:
  name: my-certificates
  namespace: nms
type: Opaque
files: 
  - my-file
Malgorzata
  • 6,409
  • 1
  • 10
  • 27
김태우
  • 1,033
  • 1
  • 12
  • 29

2 Answers2

0

Try to create secret like this:

apiVersion: v1
kind: Secret
metadata:
  labels:
  name: my-certificates
  namespace: nms
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

with proper username and pasword.

Execute command:

$ kubectl apply -f your-secret.yaml

Reboot Node VM.

Then you can decode the password field:

$ echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
Crou
  • 10,232
  • 2
  • 26
  • 31
Malgorzata
  • 6,409
  • 1
  • 10
  • 27
0

The command 

kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

Works very similarly to creating secrets using manifest files (e.g. yaml or json files). kubectl will create the object using the specified parameters, and you can use the following command to get the raw manifest file:

kubectl get secret -o yaml db-user-pass

Looking on kubectl docs:

      --from-file=[]: Key files can be specified using their file path, in which case a default name will be given to
them, or optionally with a name and file path, in which case the given name will be used.  Specifying a directory will
iterate each named file in the directory that is a valid secret key.

You can do the same with your p12 file and it should just work, maybe the secret name will not be what you want. You can try doing something like:

cat > cert.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  labels:
  name: my-certificates
  namespace: nms
type: Opaque
data:
  tls: $(cat ca.p12 | base64 | tr -d '\n')
EOF

Also, notice that you might need a different secret type, so it's best to consult the elastic search docs.

One final note: as you noticed, the secrets are base64 encoded in the manifest files - which makes it really insecure to store them on source control (or anywhere else, actually). There are a few good solutions for creating encrypted secrets that can be persisted to source control, you can read more about it in this post.

Omer Levi Hevroni
  • 1,935
  • 1
  • 15
  • 33