Kustomize: SecretGenerator namespace

Created on 4 Dec 2018  路  8Comments  路  Source: kubernetes-sigs/kustomize

I am using kustomize to manage kube-prometheus. This project contains resources in multiple namespaces. I need to override a secret within the project that represents alertmanager.yaml

secretGenerator:
- name: alertmanager-main
  behavior: replace
  commands:
    alertmanager.yaml: "cat configs/alertmanager.yaml"
  type: Opaque

When I set kustomize to replace the secret I get a generated secret that doesn't match the namespace of the initial resource. I can't set a global namespace because it overrides base resources that need to stay in the kube-system namespace. Is there a better way to handle this situation?

picture rdubya16
👍1

Most helpful comment

Hi,

I've raised PR that adds namespace argument to secret and config map generators, which I hope resolves your problem.

Best regards

艁ukasz Tomaszkiewicz

picture tomaszkiewicz on 5 Dec 2018
👍3

All 8 comments

Hi,

I've raised PR that adds namespace argument to secret and config map generators, which I hope resolves your problem.

Best regards

艁ukasz Tomaszkiewicz

tomaszkiewicz picture tomaszkiewicz on 5 Dec 2018
👍3

@rdubya16 @tomaszkiewicz Sorry for delayed response on this issue. You can use namespace in the kustomization.yaml. It will set the namespace of the generated secret. Will that work for you?

Liujingfang1 picture Liujingfang1 on 5 Dec 2018

@liuhuiping2013 unfortunately namespace overrides all resources with the new namespace. Some of the resources need to be installed into kube-system

rdubya16 picture rdubya16 on 5 Dec 2018

@rdubya16 Can you separate the resources by putting the ones with the same namespace into one kustomization.yaml?

Liujingfang1 picture Liujingfang1 on 5 Dec 2018

Yes I think that would also be possible

rdubya16 picture rdubya16 on 5 Dec 2018

@rdubya16 Have you checked my PR solution? It allows you to add you a namespace parameter for each secret/cm generator like that:

secretGenerator:
- name: the-non-default-namespace-secret
  namespace: non-default
  commands:
    password.txt: "cat password.txt"
- name: the-secret
  commands:
    password.txt: "cat password.txt"

I haven't checked how it interacts with replace feature of generator because I didn't have time for it today, but I think it's a way to go to resolve problems like that.

Best regards

艁ukasz Tomaszkiewicz

tomaszkiewicz picture tomaszkiewicz on 5 Dec 2018

@tomaszkiewicz Yup I did, it seems ideal for my situation rather than have to break everything out into different kustomization files.

rdubya16 picture rdubya16 on 5 Dec 2018

Independent from #599, I think a secretGenerator that merges with or replaces an existing secret should keep the original namespace.

mxey picture mxey on 7 Dec 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

davidknezic picture davidknezic  路  3Comments
monopole picture monopole  路  3Comments
lionelvillard picture lionelvillard  路  4Comments
pst picture pst  路  4Comments
yujunz picture yujunz  路  5Comments