1

I'm new to Kubernetes and I have a use case where I want to read data from another deployment.

In the following file, the the RabbitmqCluster creates a default user. I want to extract the credentials of that user into a secret for use in other services that need to publish or subscribe to that broker:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
    name: broker
---
apiVersion: v1
kind: Secret
metadata:
    name: broker-credentials-secret
type: Opaque
stringData:
    username: $BROKER_USER # Available at $(kubectl get secret broker-default-user -o jsonpath='{.data.username}' | base64 --decode)
    password: $BROKER_PASSWORD # Available at $(kubectl get secret broker-default-user -o jsonpath='{.data.password}' | base64 --decode)

My first thought was to separate into two different files, I could wait for the cluster to be ready and then sed the BROKER_PASSWORD and BROKER_USER variables into the second config that then deploys the secret.

My question is: is there a proper way to handle this scenario? Should I just separate these two into two different files and write documentation about their intended order of deployment? Or is there a better way of doing this?

Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37
jokarl
  • 1,913
  • 2
  • 24
  • 52

1 Answers1

1

Your thinking and approach is correct, this way (splitting into two files) seems to be the best option in this case - there is no way to dynamically set values in Kubernetes YAML from the other running Kubernetes resource. Keep in mind that for a secret definition you don't have to use the stringData and base64 --decode command in kubectl. It does not make any sense to decode values when they will be encoded again - better just read values in base64 string and use data instead of stringData - check this. Finally all should look like:

file-1.yaml:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
    name: broker

file-2.yaml:

apiVersion: v1
kind: Secret
metadata:
    name: broker-credentials-secret
type: Opaque
data:
    username: BROKER_USER
    password: BROKER_PASSWORD

Then you can run this one-liner (with sed commands + using pipes . I also deleted $ signs in second yaml so sed commands work properly):

kubectl apply -f file-1.yaml && sed -e "s/BROKER_USER/$(kubectl get secret broker-default-user -o jsonpath='{.data.username}')/g" -e "s/BROKER_PASSWORD/$(kubectl get secret broker-default-user -o jsonpath='{.data.password}')/g" file-2.yaml | kubectl apply -f -
Mikolaj S.
  • 2,850
  • 1
  • 5
  • 17
  • 1
    Thank you for the detailed answer. Great to supply the file from stdin to avoid having passwords in the file! – jokarl Oct 28 '21 at 12:46