victorious-scientist-9866
03/23/2020, 2:05 AM
.htpasswd example since the file contents are already hashed/secure, but it doesn't work for the example of an image pull secret since the contents are only base64 encoded and can easily be decoded. Ideally, unencrypted secret data wouldn't be committed to the git repository storing my deployment files.

green-morning-1318
03/23/2020, 2:23 AM
```json
{
    "auths": {
        "your.private.registry.example.com": {
            "username": "janedoe",
            "password": "xxxxxxxxxxx",
            "email": "jdoe@example.com",
            "auth": "c3R...zE2"
        }
    }
}
```
The auth part is base64 encoded and seems to be username and password concatenated with a :
So if you know your Registry server, username, password, email address you could construct the content of that file programmatically and create a secret like
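```typescript
// Assumes `k8s` is @pulumi/kubernetes and `dockerConfigJson` holds the
// entire auth document shown above, serialized as a string.
new k8s.core.v1.Secret("myK8sSecret", {
    metadata: {
        // Kubernetes object names must be lowercase
        name: "image-pull-secret",
        namespace: "default"
    },
    type: "kubernetes.io/dockerconfigjson",
    data: {
        // Values under `data` must be base64 encoded
        ".dockerconfigjson": Buffer.from(dockerConfigJson).toString("base64"),
    }
});
```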
In that case, the contents needed to generate the secret are always in your possession and should indeed never be in git.
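Source for coming up with this potential solution: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred

victorious-scientist-9866
03/23/2020, 2:24 AM
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Assumed to be defined like this elsewhere in the program; `provider` is a
// k8s.Provider that is also defined elsewhere.
const config = new pulumi.Config();

// The registry credentials are read as Pulumi config secrets, so they stay
// encrypted in the stack configuration instead of sitting in git in plain text.
const deployToken = new k8s.core.v1.Secret("shrcc-deploy-token", {
    stringData: pulumi.all([
        config.requireSecret("deployTokenUsername"),
        config.requireSecret("deployTokenPassword"),
    ]).apply(([username, password]) => ({
        ".dockerconfigjson": JSON.stringify({
            auths: {
                "registry.gitlab.com": { username, password }
            }
        }),
    })),
    type: "kubernetes.io/dockerconfigjson",
}, { additionalSecretOutputs: ["stringData"], provider });
```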