Creating Kubernetes secrets

Create a Kubernetes secret for IBM® Hybrid Cloud Mesh (Mesh). You can store your Kubernetes secrets in the internal secrets manager or the external secrets manager.

Before you begin

Before you create a Kubernetes secret, make sure that the following conditions are met:
  • Your Kubernetes or Red Hat® OpenShift® Container Platform cluster is running in your on-premises environment, and the kubectl command is installed and can reach that cluster.
  • You have access to your VMware or Kernel-based Virtual Machine (KVM) to orchestrate a virtual machine (VM) by using the VMware-based gateway image.

Procedure

  1. Prepare the credentials for your application cluster.
    Get the configuration YAML file by running a command like this:
    
    kubectl config view --minify --raw > <kube-config.yaml>
  2. Copy the configuration YAML file to your host, where you installed palmctl.
  3. Extract the secrets from the configuration YAML file by running a command like this:
    palmctl check kubeconfig -f <kube-config.yaml> --extract
    

    You might see output similar to the following sample:

    api_end_point: https:0.0.0: <kube-config>
    secrets:
    - k8sClientToken
    - k8sCA
    

    The secrets are written to a file called secretData.json. To display the content of the secretData.json file, run a command like this:

    jq . secretData.json
  4. For secrets that are stored in an internal secrets manager, copy the values of k8sClientToken, k8sCA, and the other parameters from the secretData.json file that you got in step 3. Provide these values when you add a Kubernetes secret to the Mesh console.
  5. For secrets that are stored in an external secrets manager, create a Kubernetes secret in IBM Cloud®.
    To access the IBM Cloud Secret Manager and create a Kubernetes secret, complete the following steps:
    1. Log in to the IBM Cloud console.
    2. Click Resource list, then click Security.
    3. Select the secret manager from the list to view its secrets, then click Add +.
    4. Select Key-value, then click Next.
    5. Enter a name, then click Next.
    6. Click Select file. Upload the key-value data from the secretData.json file that you generated in step 3.
    To get the path of the secret that you created, complete the following steps:
    1. In the IBM Cloud Secret Manager console, click the secret that you created.
    2. In the Details window, click Actions.
    3. Click Show snippet, then click Curl.
    4. Copy the path from the curl command.
  6. To add the Kubernetes secret to the Mesh console, complete the following steps:
    1. Log in to the Mesh console.
    2. Click Manage, then click Secrets.
    3. Click Register secret.
    4. Enter a name for your secret, then set the secret type to Kubernetes.
    5. If the secrets are stored in an internal secrets manager, enter the values of the parameters such as k8sCA (optional), k8sClientToken, K8sClientKey, and K8sClientCert that you got in step 3.
      Note: When you register secrets that use an internal secrets manager, you must provide either the k8sClientToken or the K8sClientKey that matches the K8sClientCert pair.

      If the secrets are stored in an external secrets manager, enter the path of the secret that you copied from the curl command in step 5.

    6. Click Register.
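The following Python script is an added illustration of what steps 1 and 3 extract from the kubeconfig, and of the rule in the step 6 note that a registration needs either a k8sClientToken or a matching K8sClientKey and K8sClientCert pair. It is not part of this documentation and not palmctl's code: it parses the JSON form of a minified kubeconfig (what `kubectl config view --minify --raw -o json` prints), pulls out the API endpoint, CA, token or client certificate and key, rejects a half-present cert/key pair, and writes the result with owner-only file permissions because the file holds cluster credentials. The sample kubeconfig, the placeholder certificate and token values, and the assumption that secretData.json stores PEM text rather than base64 are all constructed for this example; the actual secretData.json layout is not documented here.

```python
import base64
import json
import os

# Constructed placeholders (not real credentials) used to build sample kubeconfigs.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()
PLACEHOLDER_KEY_B64 = base64.b64encode(
    b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode()
PLACEHOLDER_TOKEN = "PLACEHOLDER-SERVICE-ACCOUNT-TOKEN"


def build_kubeconfig_json(user_auth, server="https://203.0.113.10:6443"):
    """Build the JSON that `kubectl config view --minify --raw -o json` would print
    for one context. user_auth is the "user" stanza (token or cert/key data)."""
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Config",
        "current-context": "app-cluster",
        "contexts": [{"name": "app-cluster",
                      "context": {"cluster": "app-cluster", "user": "app-user"}}],
        "clusters": [{"name": "app-cluster",
                      "cluster": {"server": server,
                                  "certificate-authority-data": PLACEHOLDER_CERT_B64}}],
        "users": [{"name": "app-user", "user": user_auth}],
    })


# Constructed sample: a service-account token kubeconfig.
SAMPLE_TOKEN_CONFIG = build_kubeconfig_json({"token": PLACEHOLDER_TOKEN})


class KubeconfigError(ValueError):
    """Raised when the kubeconfig cannot yield a usable Mesh secret."""


def _b64_to_text(value):
    # Assumption for this example: secretData.json holds the decoded PEM text.
    return base64.b64decode(value).decode()


def extract_secrets(kubeconfig_json):
    """Return {"api_end_point": ..., "secrets": {...}} for the current context."""
    cfg = json.loads(kubeconfig_json)
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    ctx = contexts.get(cfg.get("current-context"))
    if ctx is None:
        raise KubeconfigError("no current-context; run kubectl config view --minify")
    cluster = {c["name"]: c["cluster"] for c in cfg["clusters"]}[ctx["cluster"]]
    user = {u["name"]: u["user"] for u in cfg["users"]}[ctx["user"]]

    secrets = {}
    # k8sCA is optional in the Mesh console, but --raw inlines it when present.
    if "certificate-authority-data" in cluster:
        secrets["k8sCA"] = _b64_to_text(cluster["certificate-authority-data"])
    elif "certificate-authority" in cluster:
        raise KubeconfigError("CA is a file path; re-run with --raw to inline it")

    if "token" in user:
        secrets["k8sClientToken"] = user["token"]
    if "client-certificate-data" in user:
        secrets["K8sClientCert"] = _b64_to_text(user["client-certificate-data"])
    if "client-key-data" in user:
        secrets["K8sClientKey"] = _b64_to_text(user["client-key-data"])

    # The step 6 rule: a token, or a complete cert/key pair, never half a pair.
    has_cert, has_key = "K8sClientCert" in secrets, "K8sClientKey" in secrets
    if has_cert != has_key:
        raise KubeconfigError("client certificate and key must both be present")
    if "k8sClientToken" not in secrets and not (has_cert and has_key):
        raise KubeconfigError("user has neither a token nor a cert/key pair "
                              "(exec and auth-provider plugins are not handled here)")
    return {"api_end_point": cluster["server"], "secrets": secrets}


def write_secret_data(result, path="secretData.json"):
    """Write the extracted credentials so only the file owner can read them."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(result, f, indent=2)
    os.chmod(path, 0o600)  # umask cannot loosen this, but make it explicit
    return path


if __name__ == "__main__":
    out = extract_secrets(SAMPLE_TOKEN_CONFIG)
    print(out["api_end_point"], sorted(out["secrets"]))
```

In real use, replace SAMPLE_TOKEN_CONFIG with the output of `kubectl config view --minify --raw -o json` and pass the result to write_secret_data before uploading it to the secrets manager in step 5.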