- QuarksSecret
An QuarksSecret generates passwords, keys and certificates and stores them in Kubernetes secrets.
The QuarksSecret component consists of three controllers, each with a separate reconciliation loop.
Figure 1, illustrates the component and associated set of controllers.
Fig. 1: The QuarksSecret component
Fig. 2: The QuarksSecret controller
QuarksSecret: CreationQuarksSecret: Updates if.status.generatedis false
- generates Kubernetes secret of specific types(see Types under Highlights).
- generate a Certificate Signing Request against the cluster API.
- sets
.status.generatedtotrue, to avoid re-generation and allow secret rotation.
Depending on the spec.type, QuarksSecret supports generating the following:
| Secret Type | spec.type | certificate.signerType | certificate.isCA |
|---|---|---|---|
passwords |
password |
not set | not set |
rsa keys |
rsa |
not set | not set |
ssh keys |
ssh |
not set | not set |
self-signed root certificates |
certificate |
local |
true |
self-signed certificates |
certificate |
local |
false |
cluster-signed certificates |
certificate |
cluster |
false |
Note:
You can find more details in the BOSH docs.
A certificate QuarksSecret can be signed by the Kubernetes API Server. The QuarksSecret Controller is responsible for generating the certificate signing request:
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: generate-certificate
spec:
request: ((encoded-cert-signing-request))
usages:
- digital signature
- key enciphermentThe QuarksSecret controller can create copies of a generated secret across multiple namespaces, as long as the target secrets (that live in a namespace other than the namespace of the QuarksSecret) already exist, and have an annotation of:
quarks.cloudfoundry.org/secret-copy-of: NAMESPACE/generate-password-with-copies
as well as the usual label for generated secrets:
quarks.cloudfoundry.org/secret-kind: generated
This ensures that the creator of the QuarksSecret must have access to the copy target namespace.
Copied Secrets do not have an owner set, and are not cleaned up automatically when the QuarksSecret is deleted.
Fig. 3: The CertificateSigningRequest controller
Certificate Signing Request: Creation
- once the request is approved by Kubernetes API, will generate a certificate stored in a Kubernetes secret, that is recognized by the cluster.
The CertificateSigningRequest controller watches for CertificateSigningRequest and approves QuarksSecret-owned CSRs and persists the generated certificate.
The secret rotation controller watches for a rotation config map and re-generates all the listed QuarksSecrets.
ConfigMap: Creation of a config map, which has thesecret-rotationlabel.
- Will read the array of
QuarksSecretnames from the JSON under the config map keysecrets. - Skip
QuarksSecretwhere.status.generatedisfalse, as these might be under control of the user. - Set
.status.generatedfor each namedQuarksSecrettofalse, to trigger re-creation of the corresponding secret.
All explicit variables of a BOSH manifest will be created as QuarksSecret instances, which will trigger the QuarksSecret Controller.
This will create corresponding secrets. If the user decides to change a secret, the .status.generated field in the corresponding QuarksSecret should be set to false, to protect against overwriting.
See https://github.com/cloudfoundry-incubator/cf-operator/tree/master/docs/examples/quarks-secret