Monday, 31 December 2018

Shush, it's a secret ....

Fiddling about with IBM Cloud Private (ICP) and IBM Cloud Automation Manager (CAM), one of the pre-requisites required me to "cache" my Docker Store credentials in a Kubernetes (K8S) secret: -

Creating Docker Store secret

The syntax is thus: -

   kubectl create secret docker-registry <secret-name> --docker-username=<username> --docker-password=<password> --docker-email=<email> -n services

So off I went ....

The first hurdle was that my Docker password has special characters, including an ampersand ( & ), which broke the kubectl command; shells tend NOT to like ampersands in commands :-)

That was easily resolved - I just wrapped my password in double quotes ( " ), which resolved THAT particular issue.

I was using a randomly generated secret name, for no particular reason: -

DitYPtiansUP

I then hit this: -

The Secret "DitYPtiansUP" is invalid: metadata.name: Invalid value: "DitYPtiansUP": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

which didn't really help ....

I dug into the K8S documentation: -


and then looked at the existing secrets on my ICP cluster: -

kubectl get secrets

NAME                  TYPE                                  DATA      AGE
default-token-rvscx   kubernetes.io/service-account-token   3         2d
infra-registry-key    kubernetes.io/dockerconfigjson        1         2d

which gave me a clue ...

It looks like the secret name needs to be formatted thusly: -

  • lower-case
  • separated with a hyphen ( - ) or full stop / period ( . )

Therefore, I went for the path of least resistance, and used my name as my secret: -

david-hay

which did the job.
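
Both hurdles above (shell metacharacters in the password, and the DNS-1123 naming rule) can be checked before kubectl is ever called. The following is an added example, not part of the original post: the function names are hypothetical, and the 253-character limit is Kubernetes' maximum length for such names rather than something quoted in the error message.

```sh
#!/bin/sh
# Added example: pre-flight checks for `kubectl create secret docker-registry`.

# Regex from the API server's error message, anchored to match the whole name.
DNS1123='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

# Return 0 if $1 is a valid Secret name (DNS-1123 subdomain), 1 otherwise.
valid_secret_name() {
  # Kubernetes' 253-character limit (not stated on this page).
  [ "${#1}" -le 253 ] || return 1
  # grep matches line by line, so refuse names with an embedded newline.
  case $1 in *"
"*) return 1 ;; esac
  # LC_ALL=C stops [a-z] matching upper-case letters under some locale collations.
  printf '%s\n' "$1" | LC_ALL=C grep -Eq "$DNS1123"
}

# Lower-case a rejected name and turn disallowed characters into hyphens.
# The result is a suggestion only and must still pass valid_secret_name.
suggest_secret_name() {
  printf '%s\n' "$1" | LC_ALL=C tr 'A-Z' 'a-z' | LC_ALL=C sed -E 's/[^a-z0-9.-]+/-/g'
}

# Usage: create_registry_secret NAME USERNAME EMAIL NAMESPACE
# The password is read from the terminal instead of being typed into the
# command, so '&', '$', '!' and backticks are never parsed by the shell and the
# value is not written to shell history. It is still passed to kubectl as an
# argument, so it is briefly visible in the local process list.
create_registry_secret() {
  valid_secret_name "$1" || { echo "invalid secret name: $1" >&2; return 1; }
  printf 'Docker password: ' >&2
  stty -echo; IFS= read -r pass; stty echo; echo >&2
  kubectl create secret docker-registry "$1" --docker-username="$2" \
    --docker-password="$pass" --docker-email="$3" -n "$4"
  rc=$?; unset pass; return "$rc"
}

# Demo on the names that appear in this post (no cluster access needed).
for n in DitYPtiansUP david-hay infra-registry-key; do
  if valid_secret_name "$n"; then
    echo "ok       $n"
  else
    echo "rejected $n (try: $(suggest_secret_name "$n"))"
  fi
done
```

Running the file only exercises the name check; `create_registry_secret` talks to the cluster and prompts for the password only when called explicitly.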

One other thing ....

This: -

kubectl get secrets

NAME                  TYPE                                  DATA      AGE
default-token-rvscx   kubernetes.io/service-account-token   3         2d
infra-registry-key    kubernetes.io/dockerconfigjson        1         2d

didn't show up my newly created secret, even though I knew it was there; I tried to create it again, and saw this: -

Error from server (AlreadyExists): secrets "david-hay" already exists

Thankfully, I realised where I was going wrong - it's all in the namespace ....

My newly created secret was placed in the services namespace, so I needed to look specifically at that: -

kubectl get secrets -n services

NAME                  TYPE                                  DATA      AGE
david-hay             kubernetes.io/dockerconfigjson        1         11m
default-token-nnz4v   kubernetes.io/service-account-token   3         2d
oauth-client-secret   Opaque                                2         2d

For the record, here's how to find the namespaces: -

kubectl get namespaces

NAME           STATUS    AGE
cert-manager   Active    2d
default        Active    2d
ibmcom         Active    2d
istio-system   Active    2d
kube-public    Active    2d
kube-system    Active    2d
platform       Active    2d
services       Active    2d

I could've done this: -

kubectl get secrets --all-namespaces=true

...
NAMESPACE      NAME                                                        TYPE                                  DATA      AGE
cert-manager   default-token-rvscx                                         kubernetes.io/service-account-token   3         2d
cert-manager   infra-registry-key                                          kubernetes.io/dockerconfigjson        1         2d
default        default-token-kj5xp                                         kubernetes.io/service-account-token   3         2d
ibmcom         default-token-5vhkl                                         kubernetes.io/service-account-token   3         2d
ibmcom         infra-registry-key                                          kubernetes.io/dockerconfigjson        1         2d
ibmcom         sa-ibmcom                                                   kubernetes.io/dockerconfigjson        1         2d
...
services       david-hay                                                   kubernetes.io/dockerconfigjson        1         16m
services       default-token-nnz4v                                         kubernetes.io/service-account-token   3         2d
services       oauth-client-secret                                         Opaque                                2         2d
...
