
I've got a problem that I cannot solve nicely, it seems. I've got a Kubernetes cluster running on GCP and a custom HELM chart helm/foo. I have multiple instances of the chart running with different names and need to change it so that each runs in its own namespace. Not really hard, as it's just a parameter to helm:

helm install --name bar --namespace bar helm/foo

Inside the chart there are several things, among them a deployment with an imagePullSecret provided:

imagePullSecret: scrt

This works nicely when deploying to the default namespace, or rather, the same namespace as the secret is located in. But it fails when a namespace is provided, as the namespace "bar" doesn't have access to "scrt", which is in the default namespace.

To solve this, many sources do something like here: https://stackoverflow.com/questions/46297949/kubernetes-sharing-secret-across-namespaces where the secret is copied between namespaces. This is a fine solution if you have a script running the whole show, but not feasible for me as N instances of chart helm/test are deployed by Terraform.

So my question is: how can I create a new imagePullSecret from an existing one using only helm/yaml? I could package the json file in the chart but would like to avoid having secrets outside of K8.

Thanks!

Dariop

1 Answer


Short answer: You should not.

You should go over Declarative Management of Kubernetes Objects Using Configuration Files, that might help you understand how to use Kubernetes.

Kubernetes objects can be created, updated, and deleted by storing multiple object configuration files in a directory and using kubectl apply to recursively create and update those objects as needed. This method retains writes made to live objects without merging the changes back into the object configuration files.

Normally it's not possible because, as you pointed out in Kubernetes - sharing secret across namespaces, a secret is bound to a namespace and can only be referenced from within this namespace.

There might be a workaround to achieve that, but I don't think you would be interested. The workaround would need to spawn a Container with admin privileges and use it to execute the command:

kubectl get secret test-secret --namespace=default --export -o yaml | kubectl apply --namespace=prod -f -

Of course you will need to create special RBAC for each namespace to run this privileged pod.

I strongly advise against it, but it could be done this way.

Crou
I solved it using this (https://github.com/kiwigrid/helm-charts/tree/master/charts/gcp-serviceaccount-controller) controller and applying custom yaml files using the helm package. Thanks though – Dariop Mar 05 '19 at 11:12
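The copy step the answer describes, done without the deprecated `--export` flag, as an added example that is not part of the question or answer: it assumes the secret was fetched with `kubectl get secret scrt -n default -o json`, strips the namespace-bound and server-managed metadata that makes a naive pipe fail, refuses anything that is not an image-pull secret, and prints a manifest for `kubectl apply -n bar -f -`.

```python
"""Sanitise a Secret manifest fetched from one namespace so it can be applied
into another. The stripped fields are namespace-bound or server-managed; left
in place they make `kubectl apply` into a different namespace reject or
mis-track the object (this is what `kubectl get --export` used to do)."""
import json
from copy import deepcopy

# Server-populated metadata that must never travel between namespaces.
SERVER_FIELDS = ("namespace", "uid", "resourceVersion", "creationTimestamp",
                 "selfLink", "generation", "managedFields", "ownerReferences")
# kubectl records the previously applied object here; it embeds the old namespace.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def sanitize_secret(manifest: dict, target_namespace: str,
                    allowed_type: str = "kubernetes.io/dockerconfigjson") -> dict:
    """Return a copy of `manifest` that can be applied into `target_namespace`.

    Only secrets of `allowed_type` are accepted, so a job that is meant to
    replicate image-pull credentials cannot be pointed at other secrets.
    """
    if manifest.get("kind") != "Secret":
        raise ValueError(f"expected a Secret, got {manifest.get('kind')!r}")
    if manifest.get("type") != allowed_type:
        raise ValueError(f"refusing to copy secret of type {manifest.get('type')!r}")
    out = deepcopy(manifest)
    meta = out.setdefault("metadata", {})
    for field in SERVER_FIELDS:
        meta.pop(field, None)
    meta.get("annotations", {}).pop(LAST_APPLIED, None)
    if not meta.get("annotations"):
        meta.pop("annotations", None)
    out.pop("status", None)
    meta["namespace"] = target_namespace
    return out


# Constructed sample, shaped like `kubectl get secret scrt -n default -o json`.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "metadata": {
        "name": "scrt", "namespace": "default",
        "uid": "00000000-0000-0000-0000-000000000000", "resourceVersion": "12345",
        "creationTimestamp": "2019-03-05T11:12:00Z",
        "annotations": {LAST_APPLIED: "{...}"},
    },
    "data": {".dockerconfigjson": "eyJhdXRocyI6e319"},  # base64 of {"auths":{}}
}

if __name__ == "__main__":
    print(json.dumps(sanitize_secret(SAMPLE, "bar"), indent=2))
```

The pod or job that runs this still needs a Role granting `get` on the source secret and `create`/`patch` on secrets in the target namespace only, rather than the cluster-admin privileges the answer warns about.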