3

I have yaml which I used to create a secret using below command.

kubectl create secret generic -n <NAMESPACE> gitlab-openid-connect --from-file=provider=provider.yaml

below is Provider.yaml:

name: 'openid_connect'
label: 'OpenID SSO Login'
args:
  name: 'openid_connect'
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'https://keycloak.example.com/auth/realms/myrealm'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'gitlab.example.com-oidc'
    secret: '<keycloak clientID secret>'
    redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback'

I want to convert it into a Secret yaml file so that I can run kubectl apply -f provider.yaml

I tried to create below file but it does not work, provider-new.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: 'openid_connect'
  label: 'OpenID SSO Login'
data:
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'url'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'identifier'
    secret: 'secret-key'
    redirect_uri: 'url'
PLASMA chicken
  • 2,777
  • 2
  • 15
  • 25
Umesh Kumar
  • 1,387
  • 2
  • 16
  • 34

1 Answers1

7

To make this work you need to use --from-env-file instead --from-file. And the file containing the variables should be in the plain text.

To create a Secret from one or more files, use --from-file or --from-env-file. The file must be plaintext, but the extension of the file does not matter.

When you create the Secret using --from-file, the value of the Secret is the entire contents of the file. If the value of your Secret contains multiple key-value pairs, use --from-env-file instead.

File provider.yaml with variables:

scope= ['openid','profile','email']
response_type= 'code'
issuer= 'url'
discovery= true
client_auth_method= 'basic'
identifier= 'identifier'
secret= 'secret-key'
redirect_uri= 'url'

kubectl create secret generic -n default gitlab-openid-connect --from-env-file=provider.yaml

Result:

apiVersion: v1
data:
  client_auth_method: ICdiYXNpYyc=
  discovery: IHRydWU=
  identifier: ICdpZGVudGlmaWVyJw==
  issuer: ICd1cmwn
  redirect_uri: ICd1cmwn
  response_type: ICdjb2RlJw==
  scope: IFsnb3BlbmlkJywncHJvZmlsZScsJ2VtYWlsJ10=
  secret: ICdzZWNyZXQta2V5Jw==
kind: Secret
metadata:
  creationTimestamp: null
  name: gitlab-openid-connect
  namespace: default

Another thing is that isn't possible to establish a hierarchy in the secret data scope, so the following isn't gonna work:

client_options
  identifier= 'identifier'
  secret= 'secret-key'
  redirect_uri= 'url'

source: google cloud

Daniel Marques
  • 1,249
  • 8
  • 17
  • Thanks for your reply Daniel , i thought hierarchy in the secret data scope can be achieved – Umesh Kumar Oct 30 '20 at 15:57
  • 1
    @UmeshKumar, I appreciate your comment, but an upvote or mark my answer as the right if it helped you with your question is even better. – Daniel Marques Oct 30 '20 at 17:21
  • Nice work, upvoted (particularly for the namespace option). But shouldn't `--from-env-file=provider.yaml` be instead: `--from-env-file=~/.secrets/gitlab-openid-connect.txt` (using TXT not YAML, and a more private location?) – mirekphd Mar 08 '23 at 09:36