Create a Kubernetes secret for IBM® Hybrid Cloud Mesh (Mesh). You can store the Kubernetes secret either in the internal secrets manager of Mesh or in an external secrets manager.
Before you begin
Before you create a Kubernetes secret, make sure that the following conditions are met:
- Your Kubernetes or Red Hat® OpenShift® Container Platform cluster is running in your on-premises environment, and the kubectl command is installed and configured to reach that cluster.
- You have access to your VMware or Kernel-based Virtual Machine (KVM) environment to orchestrate a virtual machine (VM) by using the VMware-based gateway image.
Procedure
1. Prepare the credentials for your application cluster. Get the configuration YAML file for the current context by running a command like this:
   kubectl config view --minify --raw > <kube-config.yaml>
   The --raw flag writes the client token or client key to the file unredacted, so restrict read access to the file and delete it after you register the secret.
2. Copy the configuration YAML file to the host where you installed palmctl.
3. Extract the secrets from the configuration YAML file by running a command like this:
   palmctl check kubeconfig -f <kube-config.yaml> --extract
   You might see output similar to the following sample:
   api_end_point: https:0.0.0: <kube-config>
   secrets:
   - k8sClientToken
   - k8sCA
   The secrets are written to a file called secretData.json. To display the content of the secretData.json file, run a command like this:
   cat secretData.json | jq
   The secretData.json file contains the cluster credentials, so handle it with the same care as the configuration YAML file.
4. For secrets that are stored in an internal secrets manager, copy the values of k8sClientToken, k8sCA, and the other parameters from the secretData.json file that you got in step 3. Provide these values when you add the Kubernetes secret in the Mesh console (step 6).
5. For secrets that are stored in an external secrets manager, create the secret in IBM Cloud® Secrets Manager. To access IBM Cloud Secrets Manager and create the secret, complete the following steps:
   - Log in to the IBM Cloud console.
   - Click Resource list, then click Security.
   - Select your Secrets Manager instance from the list to view its secrets, then click Add +.
   - Select Key-value, then click Next.
   - Enter a name, then click Next.
   - Click Select file, then upload the key-value data from the secretData.json file that you generated in step 3.
   To get the path of the secret that you created, complete the following steps:
   - In the IBM Cloud Secrets Manager console, click the secret that you created.
   - In the Details window, click Actions.
   - Click Show snippet, then click Curl.
   - Copy the path from the curl command.
6. To add the Kubernetes secret to the Mesh console, complete the following steps:
   - Log in to the Mesh console.
   - Click Manage, then click Secrets.
   - Click Register secret.
   - Enter a name for your secret, then set the secret type to Kubernetes.
   - If the secrets are stored in an internal secrets manager, enter the values of the parameters that you got in step 3: k8sCA (optional), k8sClientToken, K8sClientKey, and K8sClientCert.
     Note: When you register secrets that use an internal secrets manager, you must provide either the k8sClientToken, or the K8sClientKey and K8sClientCert as a matching pair.
     If the secrets are stored in an external secrets manager, enter the path of the secret that you copied from the curl command in step 5.
   - Click Register.
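The following Python script is an added example and is not part of the original page, of palmctl, or of any IBM product. It shows the two things the procedure above depends on: which fields of a kubeconfig become the k8sCA, k8sClientToken, K8sClientCert and K8sClientKey parameters, and the registration rule from step 6 (k8sCA optional, then either k8sClientToken or the matching K8sClientKey/K8sClientCert pair). The kubeconfig is a constructed sample in the JSON form that `kubectl config view --minify --raw -o json` prints, with placeholder credentials; the flat output layout and the field mapping are assumptions, because the page does not document the format palmctl writes to secretData.json. The script also flags the two cases where extraction cannot work: a kubeconfig that points at certificate or key files instead of inline data, and a user that authenticates through an exec or auth-provider plugin and therefore has no static token.

```python
import base64
import json

# Constructed sample, not a real cluster: a kubeconfig in the JSON form that
# `kubectl config view --minify --raw -o json` prints. All credential values
# are placeholders.
FAKE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholderCA\n-----END CERTIFICATE-----\n"
FAKE_CLIENT_CERT_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBplaceholderClient\n-----END CERTIFICATE-----\n").decode()
FAKE_CLIENT_KEY_B64 = base64.b64encode(
    b"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEplaceholder\n-----END EC PRIVATE KEY-----\n").decode()

SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "mesh-app-cluster",
    "contexts": [{"name": "mesh-app-cluster",
                  "context": {"cluster": "app-cluster", "user": "mesh-sa"}}],
    "clusters": [{"name": "app-cluster",
                  "cluster": {"server": "https://203.0.113.10:6443",
                              "certificate-authority-data": base64.b64encode(FAKE_CA_PEM).decode()}}],
    "users": [{"name": "mesh-sa",
               "user": {"token": "eyJhbGciOiJSUzI1NiJ9.placeholder.signature"}}],
}


def _by_name(items, name):
    for item in items:
        if item.get("name") == name:
            return item
    raise KeyError(f"kubeconfig has no entry named {name!r}")


def extract_secret_data(kubeconfig):
    """Resolve current-context and return (data, warnings).

    data uses the parameter names from this page (api_end_point, k8sCA,
    k8sClientToken, K8sClientCert, K8sClientKey). The flat layout is an
    assumption; the secretData.json that palmctl writes may differ.
    warnings lists credentials that are referenced but not present inline.
    """
    ctx_name = kubeconfig.get("current-context")
    if not ctx_name:
        raise ValueError("kubeconfig has no current-context; --minify needs one")
    ctx = _by_name(kubeconfig["contexts"], ctx_name)["context"]
    cluster = _by_name(kubeconfig["clusters"], ctx["cluster"])["cluster"]
    user = _by_name(kubeconfig["users"], ctx["user"])["user"]

    data = {"api_end_point": cluster["server"]}
    warnings = []
    # `--raw` un-redacts the *-data fields, but a kubeconfig that points at
    # files (certificate-authority, client-certificate, client-key) keeps the
    # path only, and a path does not travel with the secret.
    for section, inline_key, path_key, field in (
        (cluster, "certificate-authority-data", "certificate-authority", "k8sCA"),
        (user, "client-certificate-data", "client-certificate", "K8sClientCert"),
        (user, "client-key-data", "client-key", "K8sClientKey"),
    ):
        if inline_key in section:
            data[field] = section[inline_key]
        elif path_key in section:
            warnings.append(f"{field}: kubeconfig references file {section[path_key]!r}, "
                            "embed its contents as base64 before extracting")
    if "token" in user:
        data["k8sClientToken"] = user["token"]
    elif "exec" in user or "auth-provider" in user:
        # Exec plugins (cloud CLIs) mint short-lived tokens at call time, so the
        # file holds no static credential; a service account token is needed.
        warnings.append("k8sClientToken: user authenticates through an exec or auth-provider "
                        "plugin, so the kubeconfig holds no static token")
    return data, warnings


def _is_base64_pem(value, marker):
    """True if value is valid base64 whose first line is a PEM BEGIN header
    that contains marker (for example 'CERTIFICATE' or 'PRIVATE KEY')."""
    try:
        pem = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False
    first = pem.lstrip().split(b"\n", 1)[0]
    return first.startswith(b"-----BEGIN") and marker.encode() in first


def validate_secret_data(data):
    """Apply the rule from the registration step: k8sCA is optional, and
    either k8sClientToken or the K8sClientKey/K8sClientCert pair is
    mandatory. Returns a list of problems; an empty list means ready."""
    problems = []
    has_token = bool(data.get("k8sClientToken"))
    has_key = bool(data.get("K8sClientKey"))
    has_cert = bool(data.get("K8sClientCert"))
    if has_key != has_cert:
        problems.append("K8sClientKey and K8sClientCert must be supplied together")
    if not has_token and not (has_key and has_cert):
        problems.append("provide k8sClientToken or the K8sClientKey/K8sClientCert pair")
    for field, marker in (("k8sCA", "CERTIFICATE"),
                          ("K8sClientCert", "CERTIFICATE"),
                          ("K8sClientKey", "PRIVATE KEY")):
        if field in data and not _is_base64_pem(data[field], marker):
            problems.append(f"{field}: expected base64-encoded PEM {marker}")
    if not str(data.get("api_end_point", "")).startswith("https://"):
        problems.append("api_end_point must be an https:// URL")
    return problems


if __name__ == "__main__":
    extracted, warns = extract_secret_data(SAMPLE_KUBECONFIG)
    print(json.dumps(extracted, indent=2))
    for w in warns:
        print("warning:", w)
    print("problems:", validate_secret_data(extracted) or "none")
```

Run it against a real export only on the host that holds the kubeconfig, and treat its output like the secretData.json file: it reproduces the token or key in clear text. The validation deliberately checks only structure (base64 and PEM headers), not that K8sClientKey is the private key for K8sClientCert; proving that needs a cryptography library and is left to the registration step.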