A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. The official documentation is at Kubernetes.io: Secrets.
Assuming that you created your secret by:
$ kubectl create secret generic NAME_OF_SECRET --from-file=keystore.jks
You can edit your secret by invoking the command:
$ kubectl edit secret NAME_OF_SECRET
It will show you a YAML definition similar to this:
apiVersion: v1
data:
  keystore.jks: HERE_IS_YOUR_JKS_FILE
kind: Secret
metadata:
  creationTimestamp: "2020-02-20T13:14:24Z"
  name: NAME_OF_SECRET
  namespace: default
  resourceVersion: "430816"
  selfLink: /api/v1/namespaces/default/secrets/jks-old
  uid: 0ce898af-8678-498e-963d-f1537a2ac0c6
type: Opaque
To change it to a new keystore.jks, you would need to base64 encode it and paste it in place of the old one (HERE_IS_YOUR_JKS_FILE).
You can get a base64 encoded string by:
cat keystore.jks | base64
After successfully editing your secret it should give you a message:
secret/NAME_OF_SECRET edited
You can also look at this StackOverflow answer.
It shows a way to replace an existing configmap, but with a little modification it can also replace a secret!
Example below:
Create a secret with keystore-old.jks:
$ kubectl create secret generic my-secret --from-file=keystore-old.jks
Update it with keystore-new.jks:
$ kubectl create secret generic my-secret --from-file=keystore-new.jks -o yaml --dry-run | kubectl replace -f -
Treating keystore.jks as a file allows you to use a volume mount to mount it to a specific location inside a pod.
The example YAML below creates a pod with the secret mounted as a volume:
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
spec:
  containers:
  - name: ubuntu
    image: ubuntu
    command:
    - sleep
    - "360000"
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
  volumes:
  - name: secret-volume
    secret:
      secretName: NAME_OF_SECRET
Take a specific look at:
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
  volumes:
  - name: secret-volume
    secret:
      secretName: NAME_OF_SECRET
This part will mount your secret inside your /etc/secret/ directory. It will be available there under the name keystore.jks.
A word about mounted secrets:
Mounted Secrets are updated automatically
When a secret currently consumed in a volume is updated, projected keys are eventually updated as well. The kubelet checks whether the mounted secret is fresh on every periodic sync.
-- Kubernetes.io: Secrets.
Please let me know if you have any questions regarding that.
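
An added example (not part of the original answer) for the manual edit step above: GNU base64 wraps its output at 76 columns, so the value pasted into the data: field has to be joined onto one line, and it is worth checking that it decodes back to the exact keystore bytes. The function names and the constructed 300-byte stand-in file are assumptions for illustration; GNU coreutils (base64 -d, sha256sum) is assumed.

```shell
#!/usr/bin/env bash
# Added example: build a Secret manifest with single-line base64 data and
# verify that the encoded value decodes back to the original keystore.

# Encode file $1 as base64 on ONE line. GNU base64 wraps at 76 columns by
# default; wrapped output pasted into the data: field breaks the YAML.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Print a Secret manifest named $1 for file $2.
# The data key is the file's basename, as with --from-file.
secret_manifest() {
  local name=$1 file=$2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$(basename "$file")" "$(b64_oneline "$file")"
}

# Extract the base64 value stored under key $2 in manifest file $1
# (simple "  key: value" layout, as produced above or shown by kubectl edit).
manifest_value() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Return 0 only if the value under key $2 in manifest $1 decodes to exactly
# the bytes of file $3 (compared by SHA-256).
manifest_matches_file() {
  local want got
  want=$(sha256sum < "$3" | cut -d' ' -f1)
  got=$(manifest_value "$1" "$2" | base64 -d | sha256sum | cut -d' ' -f1)
  [ -n "$got" ] && [ "$want" = "$got" ]
}

# Demo on a constructed 300-byte stand-in for keystore.jks (not a real JKS).
demo_dir=$(mktemp -d)
head -c 300 /dev/zero | tr '\0' 'K' > "$demo_dir/keystore.jks"
secret_manifest NAME_OF_SECRET "$demo_dir/keystore.jks" > "$demo_dir/secret.yaml"
manifest_matches_file "$demo_dir/secret.yaml" keystore.jks "$demo_dir/keystore.jks" \
  && echo "data field matches keystore.jks"
```

The generated manifest can be piped to kubectl replace -f - in the same way as the replace command shown earlier; delete the temporary directory afterwards when the keystore is real.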