
Problem Summary:

I am using Kustomize to generate a secret using secretGenerator, and I need to reference this secret in a Deployment. Kustomize is appending a unique hash suffix to the secret name, and I'm unable to reference the generated secret by name in my Deployment.

Previous Approach and Current Challenge:

In the past, I used vars to capture the metadata.name of the secret and place it where needed. Since vars have been deprecated, I now use replacements, but this approach does not include the necessary hash suffix. From what I've gathered, it seems replacements won't have this functionality either going forward. Disabling the hashing feels like a hack and not best practice. Using Name Reference Transformers seems more static and harder to maintain than the old vars solution.

Reproducible Structure:

A reproducible version of the problem has this structure:

├── base
│   ├── application
│   │   ├── deployment.yml
│   │   └── kustomization.yml
│   └── secrets
│       ├── kustomization.yml
│       └── my-secret.env
├── components
│   └── replacements_component
│       └── kustomization.yml
└── overlay
    └── instance
        └── kustomization.yml

Code Snippets and Configuration:

base/application/deployment.yaml and base/application/kustomization.yaml look like this:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
        - name: test
          env:
            - name: test
              value: REPLACE
-----------------------------
resources:
- ./deployment.yml

The base/secrets/kustomization.yaml looks like this:

secretGenerator:
- name: my-secret
  env: my-secret.env

The components/replacements_component/kustomization.yml looks like this:

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

replacements:
  - source:
      kind: Secret
      name: my-secret
    targets:
      - select:
          kind: Deployment
          name: test
        fieldPaths:
          - spec.template.spec.containers.[name=test].env.[name=test].value

This is the overlay kustomization file:

namespace: test-deployment

resources:
  - ../../base/application/
  - ../../base/secrets/

components:
  - ../../components/replacements_component

Actual vs Desired Output:

When kustomize build is run, I get the following output:

apiVersion: v1
data: {}
kind: Secret
metadata:
  name: my-secret-46f8b28mk5
  namespace: test-deployment
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: test-deployment
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - env:
        - name: test
          value: my-secret
        name: test

This is the desired output:

apiVersion: v1
data: {}
kind: Secret
metadata:
  name: my-secret-46f8b28mk5
  namespace: test-deployment
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: test-deployment
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - env:
        - name: test
          value: my-secret-46f8b28mk5
        name: test

Questions and Help Needed:

How can I capture the generated secret name, including the hash suffix, and use it as a replacement in my Deployment? Is there a best practice for handling this scenario without resorting to disabling hashing or using more static solutions?

EDIT: As pointed out, it is possible to use the 'valueFrom.secretKeyRef' and 'envFrom.secretRef' in the specific deployment. That would work here specifically, but in other cases like this:

volumes:
  - name: my-volume
    azureFile:
      secretName: temp-name
      shareName: temp-shareName

It is not possible to use the above-mentioned references. Targeting the secret with replacements only gives the non-suffix name of the secret.

unitop
  • Is there any reason to not use `valueFrom.secretKeyRef` or `envFrom.secretRef` in your `Deployment`? If you were using these and hardcoding "my-secret", Kustomize would take care of adding the suffix to the reference. – Gaël J Aug 12 '23 at 08:21
  • You are correct. That would be possible in the specific scenario, but when those references can't be used I still miss vars' old functionality. I've edited the post to include another scenario where the issue would arise – unitop Aug 13 '23 at 15:24
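An added illustration (not part of the original post or comments) of the Name Reference Transformer route the question mentions, applied to the env value field from the reproducer: a transformer configuration declares that field as a Secret name reference, so kustomize's built-in name-reference transformer rewrites it to the hashed name itself. The file name `secret-name-reference.yml` and the edit to `base/application/deployment.yml` are assumptions.

```yaml
# base/application/deployment.yml: put the ORIGINAL secret name in the field
# instead of REPLACE (only the env entry is shown; the rest is unchanged).
env:
  - name: test
    value: my-secret
---
# overlay/instance/kustomization.yml
# The replacements_component is dropped: it can only ever write the pre-hash
# name, so it adds nothing once the field is a known name reference.
namespace: test-deployment

resources:
  - ../../base/application/
  - ../../base/secrets/

# Transformer configuration: teaches the built-in name-reference transformer
# about a field it does not know by default.
configurations:
  - secret-name-reference.yml
---
# overlay/instance/secret-name-reference.yml (assumed file name)
nameReference:
  - kind: Secret
    version: v1
    fieldSpecs:
      # Every containers[].env[].value in a Deployment is a candidate; a value
      # is rewritten only when it exactly equals the pre-hash name of a Secret
      # present in the same build (and namespace).
      - kind: Deployment
        path: spec/template/spec/containers/env/value
```

The name-reference transformer runs after generator hash suffixes are computed, which is the same mechanism that updates `secretKeyRef` and `secretRef` names. The trade-off is that any env value in any Deployment that exactly matches a generated Secret's original name is rewritten, so keep the path as narrow as the field layout allows.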

0 Answers