Creating Kubernetes secrets
Create a Kubernetes secret for IBM Hybrid Cloud Mesh (Mesh).
Before you begin
- Make sure that your Kubernetes or Red Hat® OpenShift® Container Platform cluster is up in your on-premises environment and that the kubectl command is working.
- Make sure that you have access to your VMware or Kernel-based Virtual Machine (KVM) host to orchestrate a virtual machine (VM) by using the VMware-based gateway image.
Procedure
- Prepare your application cluster credentials.
  Get the kubeconfig file from the cluster VM:
  ```
  kubectl config view --minify --raw > <kube-config-file.yaml>
  ```
  Example:
  ```
  kubectl config view --minify --raw > xyz.yaml
  ```
- Extract the secrets as a secretData.json file.
  Copy the kube-config-file.yaml file from the first step to the host where you installed palmctl. Run this command to extract the Kubernetes secret:
  ```
  palmctl check kubeconfig -f kube-config-file.yaml --extract
  ```
  Example:
  ```
  % palmctl check kubeconfig -f xyz.yaml --extract
  api_end_point: https:0.0.0: xyz
  secrets:
  - k8sClientToken
  - k8sCA
  % cat secretData.json | jq
  {
    "k8sCA": "xxxxxxxxxxxxxxx",
    "k8sClientToken": "xxxxxxxxxxxxx"
  }
  ```
- For secrets stored in an external IBM secret manager, create a Kubernetes secret in IBM Cloud.
  Complete the following steps to access IBM Secrets Manager and create a Kubernetes secret:
  - Log in to the IBM Cloud console.
  - Click Resource list.
  - Scroll down and expand the Security option.
  - Select the secret manager from the list that is displayed to view the secrets.
  - Click Add +.
  - Select Key-value and click Next.
  - Provide a name and click Next.
  - Click Select file.
  - Upload the key-value data from the secretData.json file that you generated in the previous step.
  Add the Kubernetes secret to the Mesh console. Complete the following steps to add the Kubernetes secret:
  - On the Mesh console, go to Admin.
  - Select Secrets from the Admin drop-down.
  - On the Secrets page, click Register secret.
  - Provide a secret Name.
  - Set the secret type to Kubernetes.
  - Provide the path to the secret. To get the secret path, follow these steps:
    - In the IBM Secrets Manager console, click the secret that you created.
    - In the Details side-window, click Actions.
    - Click Show snippet.
    - Click Curl.
    - Copy the URL from the curl command.
  For secrets created by using an external secret manager, provide the path that you copied when you register the secret.
- For secrets created by using the internal secret manager, provide the values of k8sCA, k8sClientToken, and the other parameters from the secretData.json file. Add the details that you extracted to the Mesh console as follows:
  - On the Mesh console, go to Admin.
  - Select Secrets from the Admin drop-down.
  - On the Secrets page, click Register secret. For secrets created by using the internal secret manager, IBM Hybrid Cloud Mesh secrets manager is displayed in the Stored in field.
  - Provide a secret name and choose the secret type as Kubernetes.
  - Provide the values of parameters such as k8sCA (optional), k8sClientToken, K8sClientKey, and K8sClientCert that you extracted earlier.
  Note: To register secrets that use the internal secret manager in the Mesh console, you must provide either the k8sClientToken or the K8sClientKey that matches the K8sClientCert pair.
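As an added example, not part of the IBM documentation and not palmctl's own code, the following Python script shows what the extraction step produces and what the registration note requires. It reads the current context from a kubeconfig exported as JSON (`kubectl config view --minify --raw -o json`), builds the same key-value map that secretData.json carries, checks the rule that either k8sClientToken or the K8sClientKey/K8sClientCert pair must be present, and writes the file readable only by its owner. The key names follow the page's spelling; the kubeconfig contents are a constructed sample with fake values, the function names are the example's own, and copying the kubeconfig fields unchanged is an assumption about what palmctl does.

```python
import base64
import json
import os
from typing import Dict, List

# Constructed sample: the JSON form of a minified kubeconfig, as produced by
# `kubectl config view --minify --raw -o json`. Every value here is fake.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "demo",
    "contexts": [{"name": "demo",
                  "context": {"cluster": "demo-cluster", "user": "demo-user"}}],
    "clusters": [{"name": "demo-cluster", "cluster": {
        "server": "https://203.0.113.10:6443",
        "certificate-authority-data": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nFAKECA\n-----END CERTIFICATE-----\n").decode(),
    }}],
    "users": [{"name": "demo-user", "user": {"token": "FAKE-TOKEN-0123456789"}}],
}


def _by_name(items: List[Dict], name: str) -> Dict:
    """Find the named entry in a kubeconfig list (contexts, clusters, users)."""
    for item in items:
        if item.get("name") == name:
            return item
    raise KeyError(f"kubeconfig has no entry named {name!r}")


def extract_secret_data(kubeconfig: Dict) -> Dict[str, str]:
    """Build the key-value map for secretData.json from the current context.

    Keys use the names the page shows: k8sCA and k8sClientToken from the
    example output, K8sClientKey and K8sClientCert from the registration step.
    Values are copied as they appear in the kubeconfig (assumption).
    """
    ctx = _by_name(kubeconfig["contexts"], kubeconfig["current-context"])["context"]
    cluster = _by_name(kubeconfig["clusters"], ctx["cluster"])["cluster"]
    user = _by_name(kubeconfig["users"], ctx["user"])["user"]
    data: Dict[str, str] = {}
    if "certificate-authority-data" in cluster:      # optional on the page
        data["k8sCA"] = cluster["certificate-authority-data"]
    if "token" in user:
        data["k8sClientToken"] = user["token"]
    if "client-key-data" in user:
        data["K8sClientKey"] = user["client-key-data"]
    if "client-certificate-data" in user:
        data["K8sClientCert"] = user["client-certificate-data"]
    return data


def _is_base64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:            # binascii.Error is a ValueError subclass
        return False


def validate_secret_data(data: Dict[str, str]) -> List[str]:
    """Return the problems that would block registration; empty means OK.

    Enforces the page's note: a token, or a key that matches a cert, is required.
    """
    problems = []
    has_token = bool(data.get("k8sClientToken"))
    has_key = bool(data.get("K8sClientKey"))
    has_cert = bool(data.get("K8sClientCert"))
    if not has_token and not (has_key and has_cert):
        problems.append("need k8sClientToken or the K8sClientKey/K8sClientCert pair")
    if has_key != has_cert:
        problems.append("K8sClientKey and K8sClientCert must be provided together")
    # The CA and the key/cert pair are base64 in a kubeconfig; catch paste damage early.
    for name in ("k8sCA", "K8sClientKey", "K8sClientCert"):
        value = data.get(name)
        if value is not None and not _is_base64(value):
            problems.append(f"{name} is not valid base64")
    return problems


def write_secret_file(data: Dict[str, str], path: str = "secretData.json") -> str:
    """Write the map as JSON with mode 0600: the file holds cluster credentials."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh, indent=2)
    return path


if __name__ == "__main__":
    extracted = extract_secret_data(SAMPLE_KUBECONFIG)
    issues = validate_secret_data(extracted)
    if issues:
        raise SystemExit("cannot register: " + "; ".join(issues))
    write_secret_file(extracted)
    # Show which keys were produced without echoing the credential values.
    print(json.dumps({k: "<redacted>" for k in extracted}, indent=2))
```

Run the validation before uploading the file to IBM Secrets Manager or pasting the values into the Mesh console; a map that fails it would be rejected at registration anyway, and the check costs nothing.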