Monday, 31 December 2018

Shush, it's a secret ....

Fiddling about with IBM Cloud Private (ICP) and IBM Cloud Automation Manager (CAM), one of the pre-requisites required me to "cache" my Docker Store credentials in a Kubernetes (K8S) secret: -

Creating Docker Store secret

The syntax is thus: -

   kubectl create secret docker-registry --docker-username= --docker-password= --docker-email= -n services

So off I went ....

The first hurdle was that my Docker password has special characters, including an ampersand ( & ), which broke the kubectl command; shells tend NOT to like ampersands in commands :-)

That was easily resolved - I just wrapped my password in double quotes ( " ), which resolved THAT particular issue.

I was using a randomly generated secret name, for no particular reason: -


I then hit this: -

The Secret "DitYPtiansUP" is invalid: Invalid value: "DitYPtiansUP": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. '', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

which didn't really help ....

I dug into the K8S documentation: -

and then looked at the existing secrets on my ICP cluster: -

kubectl get secrets

NAME                  TYPE                                  DATA      AGE
default-token-rvscx   3         2d
infra-registry-key        1         2d

which gave me a clue ...

It looks like the secret name needs to be formatted thusly: -

  • lower-case
  • separated with a hyphen ( - ) or full stop / period ( . )

Therefore, I went for the path of least resistance, and used my name as my secret: -


which did the job.
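
The naming rule from the error message above can be checked before kubectl is ever called. This is an added shell example, not part of the original post: the function names and sample names are made up for illustration, and the 253-character limit is Kubernetes' documented maximum for a DNS-1123 subdomain rather than something quoted on this page.

```shell
#!/bin/sh
# Added example: check a Secret name before handing it to kubectl.
# Regex copied from the error message in the post, anchored at both ends.
DNS1123_RE='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

# Exit status 0 if $1 is a valid DNS-1123 subdomain, 1 otherwise.
# The body runs in a subshell so the locale change does not leak out.
is_dns1123_subdomain() (
    LC_ALL=C; export LC_ALL            # byte-wise ranges: [a-z] never matches 'A'
    name=$1
    [ -n "$name" ] || exit 1
    [ "${#name}" -le 253 ] || exit 1   # Kubernetes' length limit (not on the page)
    case $name in *[!a-z0-9.-]*) exit 1 ;; esac   # stray characters, incl. newlines
    printf '%s\n' "$name" | grep -Eq "$DNS1123_RE"
)

# Suggest a valid name for an arbitrary label: lower-case it, collapse every
# run of other characters into one hyphen, trim hyphens from both ends.
to_secret_name() {
    printf '%s\n' "$1" | LC_ALL=C tr '[:upper:]' '[:lower:]' \
        | LC_ALL=C sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//'
}

# Constructed sample names; the first is the one rejected in the post.
for n in DitYPtiansUP david-hay 'David Hay' infra-registry-key -bad- a..b; do
    if is_dns1123_subdomain "$n"; then
        printf 'ok       %s\n' "$n"
    else
        printf 'invalid  %s  (suggest: %s)\n' "$n" "$(to_secret_name "$n")"
    fi
done
```

The suggested name should still be passed through `is_dns1123_subdomain`, since an input with no letters or digits normalises to an empty string.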

One other thing ....

This: -

kubectl get secrets

NAME                  TYPE                                  DATA      AGE
default-token-rvscx   3         2d
infra-registry-key        1         2d

didn't show up my newly created secret, even though I knew it was there; I tried to create it again, and saw this: -

Error from server (AlreadyExists): secrets "david-hay" already exists

Thankfully, I realised where I was going wrong - it's all in the namespace ....

My newly created secret was placed in the services namespace, so I needed to look specifically at that: -

kubectl get secrets -n services

NAME                  TYPE                                  DATA      AGE
david-hay           1         11m
default-token-nnz4v   3         2d
oauth-client-secret   Opaque                                2         2d

For the record, here's how to find the namespaces: -

kubectl get namespaces

NAME           STATUS    AGE
cert-manager   Active    2d
default        Active    2d
ibmcom         Active    2d
istio-system   Active    2d
kube-public    Active    2d
kube-system    Active    2d
platform       Active    2d
services       Active    2d

I could've done this: -

kubectl get secrets --all-namespaces=true

NAMESPACE      NAME                                                        TYPE                                  DATA      AGE
cert-manager   default-token-rvscx                                  3         2d
cert-manager   infra-registry-key                                        1         2d
default        default-token-kj5xp                                  3         2d
ibmcom         default-token-5vhkl                                  3         2d
ibmcom         infra-registry-key                                        1         2d
ibmcom         sa-ibmcom                                                 1         2d
services       david-hay                                                 1         16m
services       default-token-nnz4v                                  3         2d
services       oauth-client-secret                                         Opaque                                2         2d
