Creating Kubernetes secrets

Create a Kubernetes secret for IBM Hybrid Cloud Mesh (Mesh) so that Mesh can authenticate to your application cluster.

Before you begin

  • Make sure that your Kubernetes or Red Hat® OpenShift® Container Platform cluster is running in your on-premises environment and that the kubectl command-line tool can reach it.
  • Make sure that you have access to your VMware or Kernel-based Virtual Machine (KVM) environment so that you can orchestrate a virtual machine (VM) by using the VMware-based gateway image.

Procedure

  1. Prepare your application cluster credentials.
    Get the kubeconfig file from the cluster VM. The --minify flag keeps only the current context, and --raw writes the client token and certificate data in clear text instead of redacting them, so treat the output file as a secret: restrict its permissions and delete it after you have extracted the secret data.
    cd 
    kubectl config view --minify --raw > <kube-config-file.yaml>
    
    Example:
    kubectl config view --minify --raw > xyz.yaml
  2. Extract the secrets as a secretData.json file.
    Copy the kube-config-file.yaml file from the first step to the host where you installed palmctl. Run this command to extract the Kubernetes secret into secretData.json in the current directory:
    palmctl check kubeconfig -f kube-config-file.yaml --extract
    
    Example:
    % palmctl check kubeconfig -f xyz.yaml --extract  
    api_end_point: https:0.0.0: xyz
    secrets:
    - k8sClientToken
    - k8sCA
    
    % jq . secretData.json
    {
      "k8sCA": "xxxxxxxxxxxxxxx",
      "k8sClientToken": "xxxxxxxxxxxxx"
    }
  3. For secrets stored in an external secrets manager, create the Kubernetes secret in IBM Cloud Secrets Manager.
    Complete the following steps to open IBM Cloud Secrets Manager and create a Kubernetes secret:
    1. Log in to the IBM Cloud console.
    2. Click Resource list.
    3. Scroll down and expand the Security section.
    4. Select your Secrets Manager instance from the list to view its secrets.
    5. Click Add +.
    6. Select Key-value and click Next.
    7. Provide a name and click Next.
    8. Click Select file.
    9. Upload the secretData.json file that you generated in the previous step as the key-value data.
  4. Add the Kubernetes secret to the Mesh console.
    Complete the following steps to add the Kubernetes secret:
    1. On the Mesh console, go to Admin.
    2. Select Secrets from the Admin drop-down.
    3. On the Secrets page, click Register secret.
    4. Provide a secret Name.
    5. Set the secret type to Kubernetes.
    6. Provide the path to the secret, which you obtain as explained in the next step.
  5. To get the secret path, follow these steps:
    1. In the IBM Cloud Secrets Manager console, click the secret that you created.
    2. In the Details side panel, click Actions.
    3. Click Show snippet.
    4. Click Curl.
    5. Copy the URL from the curl command.

    For secrets stored in an external secrets manager, provide this copied URL as the path when you register the secret in the Mesh console.

  6. For secrets stored in the internal secrets manager, provide the values of k8sCA, k8sClientToken, and the other parameters from the secretData.json file directly. Add the details that you extracted to the Mesh console as follows:
    1. On the Mesh console, go to Admin.
    2. Select Secrets from the Admin drop-down.
    3. On the Secrets page, click Register secret. For secrets stored in the internal secrets manager, the Stored in field displays IBM Hybrid Cloud Mesh secrets manager.
    4. Provide a secret name and set the secret type to Kubernetes.
    5. Provide the values of the parameters that you extracted earlier: k8sCA (optional), k8sClientToken, k8sClientKey, and k8sClientCert.
    Note: To register a secret in the internal secrets manager from the Mesh console, you must provide either k8sClientToken or a matching k8sClientKey and k8sClientCert pair; a certificate without its private key (or the reverse) is not accepted.
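The following script is an added example and is not part of the page or of palmctl. It shows what step 2 and the Note in step 6 amount to: read a minified kubeconfig, pull out the CA data, bearer token, and client certificate/key data under the secretData.json field names that the page shows, check that the result carries either a token or a complete certificate/key pair, and write the JSON with owner-only permissions. The kubeconfig is constructed inline with placeholder values; the simple line scanner, the field mapping for k8sClientCert and k8sClientKey, and the decision to keep the values base64-encoded as kubectl emits them are assumptions made for the example.

```python
"""Extract Mesh-style Kubernetes secret data from a minified kubeconfig (added example)."""
import base64
import json
import os
import re

# Assumed mapping from kubeconfig keys to the secretData.json field names.
# k8sCA and k8sClientToken appear on the page; the cert/key names are assumed.
FIELD_MAP = {
    "certificate-authority-data": "k8sCA",
    "token": "k8sClientToken",
    "client-certificate-data": "k8sClientCert",
    "client-key-data": "k8sClientKey",
}

# Matches one "key: value" line; enough for the flat output of --minify --raw.
_LINE = re.compile(r"^\s*([A-Za-z-]+):\s*(\S+)\s*$")

# Constructed sample kubeconfig with placeholder credentials (not real data).
_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_KUBECONFIG = f"""\
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: {base64.b64encode(_CA_PEM).decode()}
    server: https://192.0.2.10:6443
  name: onprem
contexts:
- context:
    cluster: onprem
    user: mesh-gateway
  name: onprem
current-context: onprem
users:
- name: mesh-gateway
  user:
    token: eyJhbGciOiJSUzI1NiJ9.constructed-placeholder.signature
"""


def extract_kubeconfig_secrets(text: str) -> dict:
    """Return {'api_end_point': server, 'secrets': {...}} from a one-context kubeconfig.

    Assumes the file came from `kubectl config view --minify --raw`, so each key
    occurs once (the first occurrence wins). Values are kept base64-encoded.
    """
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) not in found:
            found[m.group(1)] = m.group(2)
    secrets = {mesh: found[k] for k, mesh in FIELD_MAP.items() if k in found}
    return {"api_end_point": found.get("server"), "secrets": secrets}


def validate_secrets(secrets: dict) -> None:
    """Enforce the Note in step 6: a token, or a complete client cert + key pair."""
    has_token = bool(secrets.get("k8sClientToken"))
    has_cert = bool(secrets.get("k8sClientCert"))
    has_key = bool(secrets.get("k8sClientKey"))
    if has_cert != has_key:
        raise ValueError("k8sClientCert and k8sClientKey must be supplied together")
    if not (has_token or (has_cert and has_key)):
        raise ValueError("need k8sClientToken or both k8sClientCert and k8sClientKey")
    ca = secrets.get("k8sCA")
    if ca is not None:
        # Catch a mangled copy early: the CA must still decode to a PEM certificate.
        pem = base64.b64decode(ca, validate=True)
        if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
            raise ValueError("k8sCA does not decode to a PEM certificate")


def is_valid(secrets: dict) -> bool:
    """Boolean wrapper around validate_secrets for callers that only need yes/no."""
    try:
        validate_secrets(secrets)
        return True
    except ValueError:
        return False


def write_secret_data(secrets: dict, path: str) -> str:
    """Write secretData.json readable only by the current user; return the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(secrets, f, indent=2)
    return path


if __name__ == "__main__":
    result = extract_kubeconfig_secrets(SAMPLE_KUBECONFIG)
    validate_secrets(result["secrets"])
    out = write_secret_data(result["secrets"], "secretData.json")
    print(result["api_end_point"], sorted(result["secrets"]), "->", out)
```

Run it with no arguments to process the embedded sample; to use it on a real file, pass the contents of your own kube-config-file.yaml to extract_kubeconfig_secrets instead of SAMPLE_KUBECONFIG. The permission bits on the output file matter because secretData.json holds a live cluster credential until you upload it and delete it.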