Our setup is using Google Secret Manager as we are already in the Google Cloud platform. With Jenkins-X 3, it is easier to manage secrets without even knowing the internal details about the secret storage. The Secrets guide should already be enough but I’d like to share how we set it up in our project.
Under the hood, Jenkins-X uses external secrets to sync secrets from storage into Kubernetes secrets.
Create secret into a namespace
Let’s start creating a secret into a specific namespace, for example:
jx-staging. In Jenkins-X 3, creating a secret is the same as creating any kubernetes resource. In your cluster git repository, add the following directory structure at the repo root directory.
charts\ - staging-secrets\ - templates\ - app-mongodb-staging.yaml - Chart.yaml
Here, we are trying to create a secret for our application’s MongoDB replica set. We name it
staging-secrets because we are planning to add more secrets to it for other applications and it is a good way to group these resources.
The content of
app-mongodb-staging.yaml looks like this:
# app-mongodb-staging.yaml apiVersion: v1 data: mongodb-password: "" mongodb-root-password: "" mongodb-replica-set-key: "" kind: Secret metadata: name: app-mongodb-staging type: Opaque
We don’t have to put the content into the file. We can populate it later.
Next, we need to populate
Chart.yaml. It looks like this.
# Chart.yaml apiVersion: v1 description: A Helm chart for staging secrets name: staging-secrets version: 0.0.1 appVersion: 0.0.1 icon: https://avatars.githubusercontent.com/u/114853 home: https://github.com/lysender
Now, we are ready to use our charts. Add the following lines into the
releases section of
helmfile.yaml which is located at the root of the cluster git repository.
# helmfile.yaml releases: - chart: ./charts/staging-secrets name: staging-secrets namespace: jx-staging
When ready, create a pull request and merge it to apply the changes.
This whole process does not create the secret yet. It creates the external secret which can be listed by running:
kubectl get es -n jx-staging
You should be able to see
app-mongodb-staging entry. It should also show an error status saying the secret is not yet populated or something.
Populate the value by running:
# Switch namespace first jx ns jx-staging # Edit secret jx secret edit -f app-mongodb-staging
You should be prompted to enter the 3 secret values for
app-mongodb-staging. It should get synced after 1 minute.
# List external secrets kubectl get es -n jx-staging # List secrets synced by external secrets kubectl get secrets -n jx-staging
You should see the secret and the contents after this. With secret already synced, we can use this secret in our MongoDB helm chart.
Replicate a secret into all namespaces
If your requirement is to have a secret replicated into all namespaces, it is easy to do with Jenkins-X 3. In the following example, we wanted to create a secret for our MongoDB for preview environments. Since we cannot target a specific namespace for preview environment, we used the secret replication to solve this issue.
This means that the secrets replicated to staging and production would be useless and costs us more if we are using something like Google Secret Manager. Let me know if you know a trick for creating temporary secrets for preview environments.
We need to add another chart under
charts directory and we will call it
charts\ - development-secrets\ - templates\ - app-mongodb-development.yaml - Chart.yaml - staging-secrets\ ...
The content for
app-mongodb-development.yaml looks like this:
# app-mongodb-development.yaml apiVersion: v1 data: mongodb-password: "" mongodb-root-password: "" mongodb-replica-set-key: "" kind: Secret metadata: name: app-mongodb-development labels: secret.jenkins-x.io/replica-source: "true" type: Opaque
It’s almost the same as the staging secrets. We just added the label
to enable secret replication.
We will add it to the
jx namespace instead as it will be replicated to all namespaces anyway.
releases: - chart: ./charts/development-secrets name: development-secrets namespace: jx - chart: ./charts/staging-secrets name: staging-secrets namespace: jx-staging
Once merged and applied, populate the secret starting from the
# Switch namespace jx ns jx # Populate secret now jx secret edit -f app-mongodb-development
You will be prompted multiple times depending on how many namespaces the secret is replicated into. Just enter the same value every time.
If you know a trick on how to create a temporary secret to be used only in preview environments, do let me know. This will save us some Google Secret Manager cost.
Featured image by PhotoMIX Company.