Pulp Operator Secrets¶
Pulp Operator creates and also watches k8s Secrets
based on the configuration defined in Pulp CR
.
Restore the default values¶
To restore the default values defined by the Operator it is possible to remove the secret and let the Operator recreate it:
Warning
This is a disruptive action. Any change made directly into the Secret
will be lost.
We recommend to make a backup of the Secret
before removing it.
-
make a copy of the
Secret
$ kubectl get secret -oyaml > my_secret.yaml
-
delete the secret (the Operator will create a new one with the default values)
$ kubectl delete secret <secret name>
Note
Any modifications to the Secrets
will not be replicated to the running pods.
To update the Pods
with the new Secret
contents just delete the Pod
(the new Pod
provisioned by the controller will mount the updated Secret
).
List of Secrets deployed by the Operator¶
The following Secrets
are created by the operator in case they are not provided through Pulp CR
.
The name of the Secrets
can be different depending on the Pulp's CR
name.
Note
For the sake of simplicity, we are considering that the Operator .metadata.name
is "pulp",
so all of the following Secrets
will be prefixed with pulp-
.
pulp-server¶
Will be used to populate /etc/pulp/settings.py
configuration file.
Warning
Do not modify this Secret
, the content will get overwritten by the operator.
Any modification in Pulp CR
that impact changing the content of this
Secret
will trigger a redeploy of pulp-api
and pulp-content
pods.
Here is an example of a Secret
created by the Operator:
DB_ENCRYPTION_KEY = "/etc/pulp/keys/database_fields.symmetric.key"
GALAXY_COLLECTION_SIGNING_SERVICE = "ansible-default"
GALAXY_CONTAINER_SIGNING_SERVICE = "container-default"
ANSIBLE_API_HOSTNAME = "http://pulp-web-svc.pulp.svc.cluster.local:24880"
ANSIBLE_CERTS_DIR = "/etc/pulp/keys/"
CONTENT_ORIGIN = "http://pulp-web-svc.pulp.svc.cluster.local:24880"
DATABASES = {
'default': {
'HOST': 'postgres.db.svc.cluster.local',
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 'pulp',
'USER': 'pulp-admin',
'PASSWORD': 'password',
'PORT': '5432',
'CONN_MAX_AGE': 0,
'OPTIONS': { 'sslmode': 'prefer' },
}
}
GALAXY_FEATURE_FLAGS = {
'execution_environments': 'True',
}
PRIVATE_KEY_PATH = "/etc/pulp/keys/container_auth_private_key.pem"
PUBLIC_KEY_PATH = "/etc/pulp/keys/container_auth_public_key.pem"
STATIC_ROOT = "/var/lib/operator/static/"
TOKEN_AUTH_DISABLED = "False"
TOKEN_SERVER = "http://pulp-api-svc.pulp.svc.cluster.local:24817/token/"
TOKEN_SIGNATURE_ALGORITHM = "ES256"
API_ROOT = "/pulp/"
CACHE_ENABLED = "True"
REDIS_HOST = "pulp-redis-svc.pulp"
REDIS_PORT = "6379"
REDIS_PASSWORD = ""
REDIS_DB = ""
For more information about Pulp Settings config file see Pulpcore doc.
For more information about how to configure settings.py
file using Pulp
Operator see Pulp Settings.
pulp-db-fields-encryption¶
Symmetric key used to encrypt the data stored in the database.
The current version of pulp-perator does not provide a way to modify this key yet.
Warning
Modifying this key without properly following the key rotation will make Pulp unusable and you will have to drop your database and start over. As of now, pulp-operator does not automate the logic for the key rotation.
For more info check: rotate-the-db-fields-encryption-key
pulp-admin-password¶
To define the password from Pulp admin user, create a Secret
with a password
key and set admin_password_secret
with the name of the Secret
created.
- in this example we are creating a secret called "my-admin-password" and the "password" key has "MySuperSecretPassword" as value
$ kubectl create secret generic my-admin-password --from-literal=password=MySuperSecretPassword
- now we need to set the
admin_password_secret
field in the CR... spec: admin_password_secret: my-admin-password ...
If the admin_password_secret
field is not defined with the name of a Secret
the Operator will create one (called pulp-admin-password) with a random string.
pulp-container-auth¶
Contains the keys which are going to be used for the signing and validation of tokens.
It is managed by container_token_secret
field in Pulp CR
.
pulp-secret-key¶
Name of the Kubernetes Secret
with Django SECRET_KEY
.
From Django doc: "A secret key for a particular Django installation. This is used to provide cryptographic signing, and should be set to a unique, unpredictable value."
The Secret.data.key
must be named secret_key.
- in this example we are creating a secret called "my-django-secret-key" and the "secret_key" key has "MySuperSecretPassword" as value
$ kubectl create secret generic my-django-secret-key --from-literal=secret_key=MySuperSecretPassword
- now we need to set the
pulp_secret_key
field in the CR... spec: pulp_secret_key: my-django-secret-key ...
If the pulp_secret_key
field is not defined with the name of a Secret
, pulp-operator will create one (called pulp-secret-key) with a random string.