Kustomize: Kustomize in combination with existing SealedSecrets and name prefix/suffix

Created on 10 Feb 2020  路  6Comments  路  Source: kubernetes-sigs/kustomize

While there is an open issue for SealedSecret support (#702), it seems to be focused on generating sealed secrets from files, rather than using existing sealed secrets.

The issue I'm currently facing is as follows:
I have the following files (see below for abbreviated file content):

  • SealedSecret .json files
  • a deployment.yaml and an ingress.yaml referencing the secrets contained within those SealedSecrets
  • a kustomization.yaml with a nameSuffix.

Both the SealedSecret and the generated Secret have the correct suffix, but the references in the deployment/ingress objects retain the unmodified secret references, instead of appending the suffix to those as well.

Is there a way to prevent the '-staging' suffix to be attached to specific files or the SealedSecret type in general (this would also forgo the need to add the "sealedsecrets.bitnami.com/namespace-wide": "true" annotation to allow renaming of secrets defined within sealed secrets)?
For now, I'm using a patch defined in my kustomization.yaml to ovewrite the references to the secrets and add the suffix manually, but I'm wondering if there's an easier way to handle this problem?

base files:

kustomization.yaml

resources:
- deployment.yaml
- sealedsecret.json
nameSuffix: '-staging'

sealedSecret.json

{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {
    "name": "mysecret",
    [...]
    "annotations": {
      "sealedsecrets.bitnami.com/namespace-wide": "true"
    }
  },
  [...]
}

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  [...]
  name: my-deployment
spec:
  [...]
  template:
    [...]
    spec:
      [...]
      volumes:
      - name: mysecret-volume
        secret:
          secretName: mysecret
lifecyclrotten
Source
picture lanmarti

Most helpful comment

Another approach that allows kustomize to properly replace sealed secrets names is to create a Custom Resource Definition (actually a Name reference transformer) to detail all the possible fields that can refer to a SealedSecret in your application.

The CRD definition for your example should be (in base/kustomizeconfig/sealedsecret.yaml file):

nameReference:
- kind: SealedSecret
  fieldSpecs:
  # Deployment references
  - path: spec/template/spec/volumes/secret/secretName
    kind: Deployment
  # Add all kind/paths  depending on which resources use your sealed secrets

Then in your base/kustomization.yaml add the reference to the configuration

configurations:
- kustomizeconfig/sealedsecret.yaml

You should be able to follow the same approach for common labels. Here is a tutorial for Supporting Custom Resources

picture rodrigo-molina on 18 Mar 2020
👍3

All 6 comments

As a small aside: while name prefix/suffix is applied to the Sealed Secrets and the corresponding Secrets, common labels are not applied.

lanmarti picture lanmarti on 10 Feb 2020

Another approach that allows kustomize to properly replace sealed secrets names is to create a Custom Resource Definition (actually a Name reference transformer) to detail all the possible fields that can refer to a SealedSecret in your application.

The CRD definition for your example should be (in base/kustomizeconfig/sealedsecret.yaml file):

nameReference:
- kind: SealedSecret
  fieldSpecs:
  # Deployment references
  - path: spec/template/spec/volumes/secret/secretName
    kind: Deployment
  # Add all kind/paths  depending on which resources use your sealed secrets

Then in your base/kustomization.yaml add the reference to the configuration

configurations:
- kustomizeconfig/sealedsecret.yaml

You should be able to follow the same approach for common labels. Here is a tutorial for Supporting Custom Resources

rodrigo-molina picture rodrigo-molina on 18 Mar 2020
👍3

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot picture fejta-bot on 16 Jun 2020

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot picture fejta-bot on 16 Jul 2020

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot picture fejta-bot on 15 Aug 2020

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot picture k8s-ci-robot on 15 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mgoodness picture mgoodness  路  4Comments
sidps picture sidps  路  5Comments
wuestkamp picture wuestkamp  路  3Comments
pst picture pst  路  4Comments
nicks picture nicks  路  3Comments