
Support kubernetes secret as secret manager in addition to raw and gcp #323

Closed
ffais opened this issue Mar 13, 2024 · 8 comments

Comments

@ffais
Contributor

ffais commented Mar 13, 2024

Hi,
some operators for MySQL write the root credentials in a Secret. Would it be possible to have these credentials read directly from Secrets?

This could be an example:

```yaml
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQL
metadata:
  name: mysql-sample
spec:
  host: mysql.default # need to include namespace if you use Kubernetes Service as an endpoint.
  adminUser:
    name: mysqlSecret   # kubernetes secret name
    key: rootUser       # kubernetes secret key
    type: k8s
  adminPassword:
    name: mysqlSecret   # kubernetes secret name
    key: rootPassword   # kubernetes secret key
    type: k8s
```

@nakamasato
Owner

Thank you! Great idea! Let's continue discussion in your PR!

@nakamasato
Owner

Merged #330

@sprasad09

sprasad09 commented Aug 21, 2024

Hi @ffais @nakamasato, looks like the support for k8s secrets has been merged. I am trying to read the credentials from secrets but it's failing; I am using the example yaml you had mentioned.

```
unknown field "key" in com.nakamasato.mysql.v1alpha1.MySQL.spec.adminPassword, ValidationError(MySQL.spec.adminUser): unknown field "key" in com.nakamasato.mysql.v1alpha1.MySQL.spec.adminUser];
```

what is the new yaml format to use? Thanks!

@ffais
Contributor Author

ffais commented Aug 21, 2024

Hi @sprasad09, I decided to make no changes to the yaml schema, to avoid breaking the other secret managers.
You should create two secrets that contain the credentials of the MySQL server, one for the username and another one for the password.
Like this:

```shell
kubectl create secret generic mysql-user --from-literal=key=mysql-username
kubectl create secret generic mysql-password --from-literal=key=mysql-password
```

This is an example yaml of k8s usage:

```yaml
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQL
metadata:
  name: mysql-sample
spec:
  host: mysql.default # need to include namespace if you use Kubernetes Service as an endpoint.
  adminUser:
    name: mysql-user # secret name in SecretManager
    type: k8s
  adminPassword:
    name: mysql-password # secret name in SecretManager
    type: k8s
```

Then 

@sprasad09

Hi @ffais, thanks for your reply. I followed your instruction. I keep getting this error: `the specified SecretManager type (k8s) doesn't exist`

I have installed the mysql-operator as such: `kubectl apply -k https://github.com/nakamasato/mysql-operator/config/install`

Output of the mysql-sample:

```yaml
apiVersion: mysql.nakamasato.com/v1alpha1
kind: MySQL
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"mysql.nakamasato.com/v1alpha1","kind":"MySQL","metadata":{"annotations":{},"name":"mysql-sample","namespace":"default"},"spec":{"adminPassword":{"name":"mysql-password","type":"k8s"},"adminUser":{"name":"mysql-user","type":"k8s"},"host":"mysql.default"}}
  creationTimestamp: "2024-08-22T06:49:12Z"
  finalizers:
  - mysql.nakamasato.com/finalizer
  generation: 1
  name: mysql-sample
  namespace: default
  resourceVersion: "872578003"
  selfLink: /apis/mysql.nakamasato.com/v1alpha1/namespaces/default/mysqls/mysql-sample
  uid: f50a443d-49bd-4d49-b08c-322f0cf66ebc
spec:
  adminPassword:
    name: mysql-password
    type: k8s
  adminUser:
    name: mysql-user
    type: k8s
  host: mysql.default
  port: 3306
status:
  dbCount: 0
  reason: the specified SecretManager type (k8s) doesn't exist
  userCount: 0
```

Any ideas? Thanks for your help!

@ffais
Contributor Author

ffais commented Aug 22, 2024

Hi @sprasad09, add `--cloud-secret-manager=k8s` to the args of the manager deployment.

Should be something like this:

```yaml
      - args:
        - --leader-elect
        - --cloud-secret-manager=k8s
```

@sprasad09

Hi @ffais, I am getting the following error now. Wondering whether we have to specify somewhere the namespace the secret is in?

```
ip-192-168-1-68:~ sprasad$ kubectl get mysql
NAME           HOST            ADMINUSER    CONNECTED   USERCOUNT   DBCOUNT   REASON
mysql-sample   mysql.default   mysql-user               0           0         Secret "mysql-password" not found
```

@ffais
Contributor Author

ffais commented Aug 23, 2024

Hi @sprasad09,
you should set those variables in the deployment: `WATCH_NAMESPACE` and `SECRET_NAMESPACE`.

This is an example from the helm chart:

```yaml
    {{- if eq .Values.adminUserSecretType "k8s" }}
        env:
          - name: WATCH_NAMESPACE
            value: {{ .Release.Namespace }}
          - name: SECRET_NAMESPACE
            value: {{ .Release.Namespace }}
    {{- end }}
```
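A preflight check that ties the three errors in this thread together (unknown `key` field, `SecretManager type (k8s) doesn't exist`, `Secret "..." not found`), written as an added example and not code from the operator. It assumes the manager is the first container of the Deployment and that the operator reads the Secret data key named `key`, as in the `--from-literal=key=...` commands above.

```python
"""Preflight check for the k8s SecretManager setup from this thread.
Added example, not the operator's code. Assumption: the operator reads the
Secret data key named "key", as in ffais's --from-literal=key=... commands."""


def preflight(cr: dict, dep: dict, secrets: list[dict]) -> list[str]:
    """Return the errors this setup would produce, in the thread's wording."""
    problems: list[str] = []
    # 1. Schema: adminUser/adminPassword only take `name` and `type`.
    for field in ("adminUser", "adminPassword"):
        for extra in sorted(set(cr["spec"][field]) - {"name", "type"}):
            problems.append(f'unknown field "{extra}" in MySQL.spec.{field}')
    manager = dep["spec"]["template"]["spec"]["containers"][0]  # assumption
    # 2. The manager must be started with --cloud-secret-manager=k8s.
    if "--cloud-secret-manager=k8s" not in manager.get("args", []):
        problems.append("the specified SecretManager type (k8s) doesn't exist")
    # 3. WATCH_NAMESPACE / SECRET_NAMESPACE tell the manager where to look.
    env = {e["name"]: e.get("value", "") for e in manager.get("env", [])}
    for var in ("WATCH_NAMESPACE", "SECRET_NAMESPACE"):
        if var not in env:
            problems.append(f"env {var} is not set on the manager deployment")
    ns = env.get("SECRET_NAMESPACE", "default")
    # 4. Each referenced Secret must exist in that namespace and carry "key".
    by_ref = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
              for s in secrets}
    for field in ("adminUser", "adminPassword"):
        ref = cr["spec"][field]
        if ref.get("type") != "k8s":
            continue
        sec = by_ref.get((ns, ref["name"]))
        if sec is None:
            problems.append(f'Secret "{ref["name"]}" not found')
        elif "key" not in {**sec.get("data", {}), **sec.get("stringData", {})}:
            problems.append(f'Secret "{ref["name"]}" has no "key" entry')
    return problems


# Constructed sample: the working setup from the end of the thread.
GOOD_CR = {"spec": {"host": "mysql.default",
                    "adminUser": {"name": "mysql-user", "type": "k8s"},
                    "adminPassword": {"name": "mysql-password", "type": "k8s"}}}
GOOD_DEP = {"spec": {"template": {"spec": {"containers": [{
    "args": ["--leader-elect", "--cloud-secret-manager=k8s"],
    "env": [{"name": "WATCH_NAMESPACE", "value": "default"},
            {"name": "SECRET_NAMESPACE", "value": "default"}]}]}}}}
SECRETS = [{"metadata": {"name": n, "namespace": "default"},
            "stringData": {"key": v}}
           for n, v in (("mysql-user", "root"), ("mysql-password", "s3cret"))]

if __name__ == "__main__":
    print(preflight(GOOD_CR, GOOD_DEP, SECRETS) or "ok")
```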
