Quarks Secret

Generates Kubernetes secrets, for passwords, SSH keys and SSL certificates from within the cluster.

Description

A QuarksSecret lets you automatically generate secrets such as passwords, certificates and SSH keys, to ease the management of credentials in Kubernetes.

Installation

Add the quarks repository to helm if you haven’t already:

helm repo add quarks https://cloudfoundry-incubator.github.io/quarks-helm/

The simplest way to install the latest release of Quarks Secret is by using helm 3 with the default values:

kubectl create namespace quarks
helm install qsecret quarks/quarks-secret --namespace quarks

The operator watches for QuarksSecret resources in a namespace separate from the one it has been deployed to. By default, it creates a namespace named staging and starts watching it.

A complete list of the chart settings is available here.

Upgrade

The release can be managed as a standard helm package:

helm upgrade --namespace quarks qsecret quarks/quarks-secret

so just be sure to keep your customizations in a values file.

Watching multiple namespaces

By default the component will watch for resources created in the staging namespace, but it can be configured to watch over multiple namespaces.

Refer to the quarks-operator instructions as they are shared between all the Quarks components.

Overview of Quarks Secret

A QuarksSecret is a Kubernetes object that contains instructions on the type of Kubernetes Secret that must be generated; the generated Secret can later be referenced in a Pod.

For instance, to generate a basic auth password, we can apply the following yaml with kubectl:

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-password
spec:
  type: password
  secretName: gen-secret1

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/password.yaml

The type field denotes the type of secret that should be generated. Currently quarks-secret supports the following types:

  • password
  • certificate
  • ssh
  • rsa
  • basic-auth
  • dockerconfigjson
  • copy

Generate credentials

QuarksSecret can be used to generate passwords, certificates and keys. It uses the cfssl package to generate them. The generated values are stored in Kubernetes Secrets.

Certificates

Example of a QuarksSecret which generates a Kubernetes secret containing a certificate:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-certificate
spec:
  request:
    certificate:
      alternativeNames:
        - foo.com
        - '*.foo.com'
      commonName: routerSSL
      isCA: false
      signerType: cluster
  secretName: gen-certificate
  type: certificate

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/certificate.yaml

The example can be applied to the namespace where the operator is watching for resources (staging by default).

RSA keys

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-rsa-keys-example
spec:
  secretName: rsa-keys-1
  type: rsa

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/rsa.yaml

Basic Authentication

apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-basic-auth-1
spec:
  type: basic-auth
  secretName: gen-secret-basic-with-user
  request:
    basic-auth:
      username: my-user
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: generate-basic-auth-2
spec:
  type: basic-auth
  secretName: gen-secret-basic

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/basic-auth.yml

Rotate credentials

The generated credentials can be rotated by listing the QuarksSecret's name in a ConfigMap. The ConfigMap must carry the label quarks.cloudfoundry.org/secret-rotation, as shown on line 7 of the following example:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rotate
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
data:
  secrets: '["generate-password"]'

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/rotate.yaml
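The data.secrets value above is a JSON array serialised into a YAML string, which is easy to get wrong when writing the ConfigMap by hand. As an added example (not code from the quarks-secret project), the following Python helper builds a rotation ConfigMap in that shape and validates one before it is applied. The sample manifests are constructed inline; ROTATE_EXAMPLE mirrors the page's rotate.yaml and BROKEN_EXAMPLE shows a bare name where the JSON array should be. The manifest is rendered as JSON text because kubectl apply -f accepts JSON as well as YAML, so no YAML library is needed.

```python
import json

ROTATION_LABEL = "quarks.cloudfoundry.org/secret-rotation"


def rotation_configmap(name, quarks_secret_names):
    """Build a ConfigMap that asks the operator to rotate the named QuarksSecrets.

    The operator only acts on ConfigMaps that carry the rotation label, and the
    names go into data.secrets as a JSON array serialised into a string,
    not as a YAML list.
    """
    names = list(quarks_secret_names)
    if not names:
        raise ValueError("at least one QuarksSecret name is required")
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "labels": {ROTATION_LABEL: "true"}},
        "data": {"secrets": json.dumps(names)},
    }


def rotation_configmap_json(name, quarks_secret_names):
    """Same manifest rendered as JSON text, which kubectl apply -f accepts."""
    return json.dumps(rotation_configmap(name, quarks_secret_names), indent=2)


def rotation_targets(configmap):
    """Return the QuarksSecret names a rotation ConfigMap refers to.

    Raises ValueError for a manifest the operator would ignore or fail to
    parse: missing label, missing data.secrets, or a value that is not a
    JSON array of strings.
    """
    labels = configmap.get("metadata", {}).get("labels", {})
    if labels.get(ROTATION_LABEL) != "true":
        raise ValueError(f'missing label {ROTATION_LABEL}: "true"')
    raw = configmap.get("data", {}).get("secrets")
    if not isinstance(raw, str):
        raise ValueError("data.secrets must be a string holding a JSON array")
    try:
        names = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"data.secrets is not valid JSON: {exc}") from exc
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError("data.secrets must be a JSON array of QuarksSecret names")
    return names


def rotation_problem(configmap):
    """Return the validation error for a rotation ConfigMap, or None if it is fine."""
    try:
        rotation_targets(configmap)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: the page's rotate.yaml manifest as a Python dict.
ROTATE_EXAMPLE = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "rotate", "labels": {ROTATION_LABEL: "true"}},
    "data": {"secrets": '["generate-password"]'},
}

# Constructed sample of a common mistake: a bare name instead of a JSON array.
BROKEN_EXAMPLE = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "rotate", "labels": {ROTATION_LABEL: "true"}},
    "data": {"secrets": "generate-password"},
}

if __name__ == "__main__":
    print(rotation_targets(ROTATE_EXAMPLE))   # ['generate-password']
    print(rotation_problem(BROKEN_EXAMPLE))   # data.secrets is not valid JSON: ...
    print(rotation_configmap_json("rotate", ["generate-password", "generate-certificate"]))
```

Running rotation_problem over the ConfigMaps in a repository before they reach the cluster catches the silent failure mode where the operator simply never rotates anything because the label or the JSON encoding is off.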

Approve Certificates

When a certificate is generated, QuarksSecret ensures that a certificate signing request is created and approved by the Kubernetes API server.

Secret copy

The Quarks Secret operator can also create copies of a generated secret in multiple namespaces.

For example, while generating passwords:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  name: copy-user
spec:
  type: password
  secretName: gen-secret
  copies:
  - name: copied-secret
    namespace: COPYNAMESPACE

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy.yaml

A list of copy targets can be specified with copies:

  copies:
  - name: copied-secret
    namespace: namespace1

Each destination namespace listed there needs a QuarksSecret of type copy in the following form:

---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  labels:
    quarks.cloudfoundry.org/secret-kind: generated
  annotations:
    quarks.cloudfoundry.org/secret-copy-of: NAMESPACE/copy-user
  name: copied-secret
  namespace: COPYNAMESPACE
spec:
  type: copy
  secretName: copied-secret

Complete source code: https://github.com/cloudfoundry-incubator/quarks-secret/blob/master/docs/examples/copy-qsecret-destination.yaml

The example copies the generated gen-secret secret content into copied-secret inside the COPYNAMESPACE namespace.
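The source QuarksSecret and each destination QuarksSecret have to agree on three things: the destination's secret-copy-of annotation must name the source as NAMESPACE/name, it must carry the secret-kind: generated label, and its secretName and namespace must match an entry in the source's copies list. As an added example (not the operator's code), the Python below derives the destination manifests from a source QuarksSecret and checks an existing destination against its source. The checks are taken from the two copy examples on this page; that the operator requires exactly these fields and nothing more is an assumption. The namespaces staging (the operator's default) and team-a (standing in for COPYNAMESPACE) in the constructed samples are assumptions as well.

```python
API_VERSION = "quarks.cloudfoundry.org/v1alpha1"
COPY_OF_ANNOTATION = "quarks.cloudfoundry.org/secret-copy-of"
SECRET_KIND_LABEL = "quarks.cloudfoundry.org/secret-kind"


def source_ref(source):
    """'<namespace>/<name>' of the generating QuarksSecret, the annotation value the page shows."""
    meta = source["metadata"]
    return f"{meta['namespace']}/{meta['name']}"


def destination_manifests(source):
    """Derive the type: copy QuarksSecret for every entry in the source's spec.copies.

    Each destination carries the secret-kind: generated label and the
    secret-copy-of annotation pointing back at the source, and its secretName
    is the copy's name, mirroring the copy-qsecret-destination.yaml example.
    """
    manifests = []
    for copy in source.get("spec", {}).get("copies", []):
        manifests.append({
            "apiVersion": API_VERSION,
            "kind": "QuarksSecret",
            "metadata": {
                "name": copy["name"],
                "namespace": copy["namespace"],
                "labels": {SECRET_KIND_LABEL: "generated"},
                "annotations": {COPY_OF_ANNOTATION: source_ref(source)},
            },
            "spec": {"type": "copy", "secretName": copy["name"]},
        })
    return manifests


def copy_mismatches(source, destination):
    """List the reasons a destination would not line up with the source; empty means consistent.

    Assumption: only the fields shown in the page's examples are checked.
    """
    problems = []
    dmeta = destination.get("metadata", {})
    dspec = destination.get("spec", {})
    if dspec.get("type") != "copy":
        problems.append("spec.type must be 'copy'")
    if dmeta.get("annotations", {}).get(COPY_OF_ANNOTATION) != source_ref(source):
        problems.append(f"annotation {COPY_OF_ANNOTATION} must be '{source_ref(source)}'")
    if dmeta.get("labels", {}).get(SECRET_KIND_LABEL) != "generated":
        problems.append(f"label {SECRET_KIND_LABEL} must be 'generated'")
    targets = {(c["name"], c["namespace"]) for c in source.get("spec", {}).get("copies", [])}
    if (dspec.get("secretName"), dmeta.get("namespace")) not in targets:
        problems.append("spec.secretName/namespace is not one of the source's spec.copies targets")
    return problems


# Constructed sample: the page's copy-user QuarksSecret, placed in the
# operator's default watch namespace 'staging', with 'team-a' standing in
# for COPYNAMESPACE.
SOURCE_EXAMPLE = {
    "apiVersion": API_VERSION,
    "kind": "QuarksSecret",
    "metadata": {"name": "copy-user", "namespace": "staging"},
    "spec": {
        "type": "password",
        "secretName": "gen-secret",
        "copies": [{"name": "copied-secret", "namespace": "team-a"}],
    },
}

# Constructed sample of a stale destination: its annotation still names a
# QuarksSecret that no longer exists, so it would never receive the copy.
STALE_DESTINATION = {
    "apiVersion": API_VERSION,
    "kind": "QuarksSecret",
    "metadata": {
        "name": "copied-secret",
        "namespace": "team-a",
        "labels": {SECRET_KIND_LABEL: "generated"},
        "annotations": {COPY_OF_ANNOTATION: "staging/old-copy-user"},
    },
    "spec": {"type": "copy", "secretName": "copied-secret"},
}

if __name__ == "__main__":
    for manifest in destination_manifests(SOURCE_EXAMPLE):
        print(manifest["metadata"]["namespace"], manifest["metadata"]["annotations"])
    print(copy_mismatches(SOURCE_EXAMPLE, STALE_DESTINATION))
```

Generating the destination manifests from the source keeps the two sides from drifting apart when a QuarksSecret is renamed or moved between namespaces; a destination whose annotation no longer resolves to a live source stays empty without any error visible to the consuming Pod.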

Examples

The examples directory on GitHub.

Last modified September 3, 2020: Change URL to quarks-v6 (a286c04)