Connect to Kubernetes Secrets

This article describes how to connect Kubernetes Secrets as a secret store to your Humanitec Operator setup.

Before you begin

Before you begin, make sure you have the following resources and permissions:

  • A Kubernetes namespace for storing your K8s Secrets, located in the same Kubernetes cluster as the Humanitec Operator.
  • Access to the cluster via kubectl.

Prepare your environment

  1. Define an ID for your secret store. This ID will later match the secret store registrations in the Humanitec Operator and in the Platform Orchestrator.
export SECRET_STORE_ID=my-k8s-store
  2. Define the namespace where you’ll store your K8s Secrets.
export SECRETS_NAMESPACE=my-secrets
  3. No additional permissions need to be granted: the Humanitec Operator runs using a service account which already has all required permissions to access Secrets in the cluster.

Register the secret store with the Operator

  1. Create the secret store registration using the following command. Modify it according to your setup:
kubectl apply -f - << EOF
apiVersion: humanitec.io/v1alpha1
kind: SecretStore
metadata:
  name: ${SECRET_STORE_ID}
  namespace: humanitec-operator-system
  labels:
    app.humanitec.io/default-store: "true"
spec:
  kubernetes:
    namespace: ${SECRETS_NAMESPACE}
EOF
  2. Confirm the secret store registration.

To confirm the secret store registration, and anytime you wish to check for registered secret stores, use the following command:

kubectl get secretstores -n humanitec-operator-system

Register the secret store with the Platform Orchestrator

Create secrets

Use regular Kubernetes mechanisms to create and maintain secrets. A Kubernetes Secret may contain one or more secret values. For example, to create a secret containing two secret values, use this command:

kubectl create secret generic mysql-secrets \
    --from-literal=mysql-username='super secret username' \
    --from-literal=mysql-password='super secret password' \
    --namespace=${SECRETS_NAMESPACE}   # the namespace registered in the SecretStore above

Resource Cookies

Resource cookies are stored in Kubernetes Secrets having names according to this pattern:

<resource-gures-id>.cookies.<driver-org>.<driver-id>

with a secret key named "value" inside each of them.
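To see which resources the Operator has written operational state for, the cookie Secrets in the store can be split back into their components. The script below is an added example, not Humanitec's own code; it assumes that the GUResID part may itself contain dots (e.g. modules.app.externals.db), so it splits on the literal ".cookies." separator, and that driver org and driver id are dot-free.

```shell
#!/bin/sh
# Added example (not Humanitec's code): inventory resource cookies in the
# Kubernetes secret store by parsing Secret names of the form
# <resource-gures-id>.cookies.<driver-org>.<driver-id>.
# Assumption: the GUResID may contain dots, so the split is anchored on the
# first ".cookies."; driver org and driver id are assumed to be dot-free.

# Print "<guresid> <driver-org> <driver-id>" for one Secret name, or return 1
# if the name does not follow the resource-cookie pattern.
parse_cookie_secret_name() {
  name=$1
  case "$name" in
    *.cookies.*) ;;
    *) return 1 ;;
  esac
  guresid=${name%%.cookies.*}      # everything before the first ".cookies."
  driver=${name#*.cookies.}        # everything after it: <driver-org>.<driver-id>
  case "$driver" in
    *.*) ;;
    *) return 1 ;;                 # driver part needs both components
  esac
  driver_org=${driver%%.*}
  driver_id=${driver#*.}
  if [ -z "$guresid" ] || [ -z "$driver_org" ] || [ -z "$driver_id" ]; then
    return 1
  fi
  case "$driver_id" in
    *.*) return 1 ;;               # extra dots: not a well-formed cookie name
  esac
  printf '%s %s %s\n' "$guresid" "$driver_org" "$driver_id"
}

# Read Secret names from stdin, one per line, as printed by
# `kubectl get secrets -n "$SECRETS_NAMESPACE" -o name` (the "secret/"
# prefix is optional), and print only the resource cookies, parsed.
list_resource_cookies() {
  while IFS= read -r line; do
    parse_cookie_secret_name "${line#secret/}" || true
  done
}

# Constructed sample standing in for real kubectl output: one application
# secret plus two resource cookies.
sample_secrets='secret/mysql-secrets
secret/modules.my-app.externals.my-db.cookies.humanitec.postgres
secret/shared.cache.cookies.my-org.redis-driver'

printf '%s\n' "$sample_secrets" | list_resource_cookies
```

Against a live cluster, replace the sample with `kubectl get secrets -n "$SECRETS_NAMESPACE" -o name | list_resource_cookies`.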

Limitations

The Kubernetes secret store has the following limitations:

  • It does not support secret versioning. Only one version of a secret value can be maintained at any time, and any version named in a secret reference will be ignored. To maintain and restore previous values, you will have to create the appropriate processes yourself.

Next steps

  • Test the Humanitec Operator installation using these test cases.
  • Perform the Update Resource Definitions for related Applications tutorial to verify your setup.
    • Ensure the sample Applications are being deployed to your Orchestrator-enabled cluster by adjusting the matching criteria for the cluster Resource.
    • Observe how custom resources of type workload and resource are being created on the cluster, and check their status sections.
    • Observe how the Operator writes operational state (“resource cookies”) into your default secret store.