0

I am trying to generate a Kubernetes secret from a Kubernetes job. The secret is a TLS certificate for Elasticsearch transport. I tried this job:

apiVersion: batch/v1
kind: Job
metadata:
  name: conso-security-tls-gen-certs
spec:
  template:
    spec:
      containers:
      - name: generator
        volumeMounts:
          - name: certs
            mountPath: "/certs"
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.4.2"
        command: ["/bin/sh", "-c"]
        args:
        - "bin/elasticsearch-certutil ca (...) --silent -out /certs/bundle.p12"
      restartPolicy: Never
      volumes:
      - name: certs
        secret:
          secretName: conso-security-tls-certs
  backoffLimit: 4

But as https://github.com/kubernetes/kubernetes/issues/62099 says, the /certs volume is read-only. Is there a way to create/edit this secret like this?

Thomas Decaux
  • 21,738
  • 2
  • 113
  • 124

1 Answer

4

Volumes from secrets are gone once the container/pod is gone. Also, updating files in volumes created from a Secret will not update the Secret itself.

It seems that the goal is for the Job to generate a cert and create or update a Secret object with that cert? If that is the case, I'd suggest looking into using the Kubernetes API or kubectl to manipulate Secrets from within the running container. You'd need to set up and use a Service Account that has permission to work with Secrets in the given namespace.

apisim
  • 4,036
  • 1
  • 10
  • 16
  • Thank you, I was thinking this is a very common case (generate cert via a Job, and store inside a secret). – Thomas Decaux Nov 21 '19 at 17:30
  • Usually, I think, Secrets are created in advance and referenced from environment variables or mounted as volumes. But I can also see how in a dynamic environment one may want to generate Secrets on the fly using Kubernetes Jobs. – apisim Nov 21 '19 at 17:44
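One way to wire up what the answer describes (a Service Account bound to a narrowly scoped Role, and kubectl run from inside the Job), as an added example that is not from the question or the answer. The init-container split, the `tls-gen` names, the `bitnami/kubectl` image, the in-memory emptyDir and the `default` namespace are assumptions.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata: {name: tls-gen}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: tls-gen}
rules:
# "create" cannot be limited by resourceNames (the name is not known at
# authorization time), so scope the remaining verbs to the one Secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["conso-security-tls-certs"]
  verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: tls-gen}
subjects:
- {kind: ServiceAccount, name: tls-gen, namespace: default}   # assumed namespace
roleRef: {kind: Role, name: tls-gen, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: batch/v1
kind: Job
metadata: {name: conso-security-tls-gen-certs}
spec:
  backoffLimit: 4
  template:
    spec:
      serviceAccountName: tls-gen
      restartPolicy: Never
      volumes:
      - name: certs
        emptyDir: {medium: Memory}   # writable scratch space; tmpfs keeps the key off node disk
      initContainers:
      - name: generator    # step 1: generate the bundle into the emptyDir
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.4.2"
        volumeMounts: [{name: certs, mountPath: /certs}]
        command: ["/bin/sh", "-c"]
        args: ["bin/elasticsearch-certutil ca --silent --pass '' --out /certs/bundle.p12"]
      containers:
      - name: publisher    # step 2: store the file in a Secret through the API
        image: "bitnami/kubectl:1.21"   # assumed image; any image that ships kubectl works
        volumeMounts: [{name: certs, mountPath: /certs, readOnly: true}]
        command: ["/bin/sh", "-c"]
        args:
        - "kubectl create secret generic conso-security-tls-certs --from-file=bundle.p12=/certs/bundle.p12 --dry-run=client -o yaml | kubectl apply -f -"
```

The dry-run/apply pipe makes the Job idempotent: the first run creates the Secret, a re-run patches it, and both paths are covered by the Role above.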