Add ability to create secrets
Add state for creating secrets from TLS certs.
Change-Id: Ied8db52428ef812a592a41a3ef89ed87380d8a81
Related-Prod: PROD-27542
diff --git a/kubernetes/control/init.sls b/kubernetes/control/init.sls
index 0469403..a4570d6 100644
--- a/kubernetes/control/init.sls
+++ b/kubernetes/control/init.sls
@@ -6,6 +6,9 @@
{%- if control.job is defined %}
- kubernetes.control.job
{%- endif %}
+ {%- if control.secret is defined %}
+ - kubernetes.control.secret
+ {%- endif %}
{%- if control.service is defined %}
- kubernetes.control.service
{%- endif %}
diff --git a/kubernetes/control/secret.sls b/kubernetes/control/secret.sls
new file mode 100644
index 0000000..10fc58a
--- /dev/null
+++ b/kubernetes/control/secret.sls
@@ -0,0 +1,33 @@
+{% from "kubernetes/map.jinja" import control with context %}
+include:
+ - kubernetes.control
+
+{%- for secret_name, secret in control.secret.items() %}
+ {%- if secret.get('enabled', false) %}
+
+/srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml:
+ file.managed:
+ - source: salt://kubernetes/files/secret.yml
+ - user: root
+ - group: root
+ - mode: 750
+ - template: jinja
+ - makedirs: true
+ - require:
+ - file: /srv/kubernetes
+ - defaults:
+ secret: {{ secret|yaml }}
+
+ {%- if secret.get('create', false) %}
+ cmd.wait:
+ - name: kubectl apply -f /srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml
+ - unless: kubectl get secret -o=custom-columns=NAME:.metadata.name --namespace {{ secret.namespace }} | grep -xq {{ secret_name }}
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
+ - watch:
+ - file: /srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml
+ {%- endif %}
+
+ {%- endif %}
+{%- endfor %}
\ No newline at end of file
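Review bot: `secret_name` is never passed to the template — the `- defaults:` entry carries only `secret: {{ secret|yaml }}`, while kubernetes/files/secret.yml reads `{{ secret_name }}` for metadata.name, so the rendered manifest has an undefined name; add `secret_name: {{ secret_name }}` next to it. The `unless: kubectl get secret …` line also means `kubectl apply` only runs for a secret that does not yet exist, so a rotated certificate re-rendered into the watched file is never pushed to the cluster; `kubectl apply` is idempotent, so the `unless` can be dropped if updates are meant to propagate. The managed path uses `secret.namespace` directly whereas the template falls back to `secret.get('namespace', 'default')`, so a secret without a namespace key fails here before the template default ever applies — use the same form in both places. Since the managed file contains the TLS private key, `mode: 750` is looser than needed; `mode: "0600"` (quoted so YAML does not reinterpret the leading zero) keeps it readable by root only.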
diff --git a/kubernetes/files/secret.yml b/kubernetes/files/secret.yml
new file mode 100644
index 0000000..0ce9505
--- /dev/null
+++ b/kubernetes/files/secret.yml
@@ -0,0 +1,22 @@
+{% from "kubernetes/map.jinja" import control with context %}
+apiVersion: {{ secret.apiVersion }}
+kind: Secret
+metadata:
+ name: {{ secret_name }}
+ namespace: {{ secret.get('namespace', 'default') }}
+type: Opaque
+{%- if secret.data is defined}
+data:
+ {%- if secret.data.type == 'ssl' %}
+ {%- set ca_crt = salt['cmd.shell']('cat {0} | base64'.format(secret.data.ca_crt_file)) %}
+ {%- set tls_crt = salt['cmd.shell']('cat {0} | base64'.format(secret.data.tls_crt_file)) %}
+ {%- set tls_key = salt['cmd.shell']('cat {0} | base64'.format(secret.data.tls_key_file)) %}
+ ca.crt: {{ ca_crt }}
+ tls.crt: {{ tls_crt }}
+ tls.key: {{ tls_key }}
+ {%- else %}
+ {%- for key, value in secret.data.secrets.items() %}
+ {{ key }}: {{ salt['hashutil.base64_b64encode'](value) }}
+ {%- endfor %}
+ {%- endif %}
+{%- endif %}
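Review bot: `{%- if secret.data is defined}` is missing the closing `%}`, so Jinja raises a template syntax error and no secret manifest renders at all; it should read `{%- if secret.data is defined %}`. The three `salt['cmd.shell']('cat {0} | base64' …)` calls also inherit GNU base64's default 76-column line wrapping, so any certificate longer than 76 encoded characters becomes a multi-line plain scalar and the resulting YAML is invalid; use `base64 -w0`, or avoid the shell entirely with the hashutil execution function, e.g. `{%- set ca_crt = salt['hashutil.base64_encodefile'](secret.data.ca_crt_file) %}`, if this Salt version provides it. Building the shell command from pillar-supplied paths with `.format` additionally means a path containing shell metacharacters is executed as-is and a missing file is likely to surface as an error message in the value rather than as a failed render; the hashutil form avoids both. The `control` import on the first line is unused in this template and can be dropped.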