Applies to SUSE Cloud Application Platform 2.0.1

16 Rotating Automatically Generated Secrets

Cloud Application Platform uses a number of automatically generated secrets (passwords and certificates) internally; these are created and maintained by cf-operator. This removes the burden of managing them from human operators while still allowing secure communication between components. From time to time, operators may wish to change such secrets, either manually or on a schedule. This is called rotating a secret.

16.1 Finding Secrets

Retrieve the list of all secrets maintained by KubeCF:

tux > kubectl get quarkssecret --namespace kubecf

To see information about a specific secret, for example the NATS password:

tux > kubectl get quarkssecret --namespace kubecf kubecf.var-nats-password --output yaml

Note that each quarkssecret has a corresponding regular Kubernetes secret that it controls:

tux > kubectl get secret --namespace kubecf
tux > kubectl get secret --namespace kubecf kubecf.var-nats-password --output yaml

16.2 Rotating Specific Secrets

To rotate a secret, for example kubecf.var-nats-password:

  1. Create a YAML file for a ConfigMap of the form:

    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: rotate-kubecf.var-nats-password
      labels:
        quarks.cloudfoundry.org/secret-rotation: "true"
    data:
      secrets: '["kubecf.var-nats-password"]'

    The name of the ConfigMap can be anything allowed by Kubernetes syntax but we recommend using a name derived from the name of the secret itself.

    Also, the example above rotates only a single secret, but the data.secrets key accepts a JSON array of secret names, allowing simultaneous rotation of many secrets.

  2. Apply the ConfigMap:

    tux > kubectl apply --namespace kubecf -f /path/to/your/yaml/file

    The result can be seen in the cf-operator's log.

  3. After the rotation is complete, that is after secrets have been changed and all affected pods have been restarted, delete the config map again:

    tux > kubectl delete --namespace kubecf -f /path/to/your/yaml/file
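As an added example (not part of the SUSE documentation or of KubeCF itself), the procedure above as a small POSIX shell helper: it builds the rotation ConfigMap for one or more secrets, validates the names before they go into the data.secrets array, applies it with kubectl, and reminds the operator to delete the one-shot trigger afterwards. The function names rotation_configmap and rotate_secrets are hypothetical; the namespace is passed to kubectl exactly as on this page.

```shell
#!/bin/sh
# Build the secret-rotation ConfigMap that cf-operator watches for.
# Usage: rotation_configmap SECRET [SECRET...]   (prints YAML to stdout)
rotation_configmap() {
  [ "$#" -ge 1 ] || { echo "usage: rotation_configmap SECRET..." >&2; return 1; }
  list=""
  for s in "$@"; do
    # Secret names are Kubernetes object names: lowercase alphanumerics, '-' and '.'
    case "$s" in
      ''|*[!a-z0-9.-]*) echo "invalid secret name: $s" >&2; return 1 ;;
    esac
    # data.secrets is a JSON array of quoted names, e.g. ["a","b"]
    list="${list:+$list,}\"$s\""
  done
  # ConfigMap name derived from the first secret, as the page recommends
  cat <<EOF
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rotate-$1
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
data:
  secrets: '[$list]'
EOF
}

# Apply the ConfigMap in NAMESPACE; cf-operator then rotates the listed secrets
# and restarts the affected pods (follow progress in its log). The ConfigMap is
# a one-shot trigger, so it should be deleted once the rotation has finished.
# Usage: rotate_secrets NAMESPACE SECRET [SECRET...]
rotate_secrets() {
  ns="$1"; shift
  manifest=$(rotation_configmap "$@") || return 1
  printf '%s\n' "$manifest" | kubectl apply --namespace "$ns" -f - || return 1
  echo "After rotation completes: kubectl delete configmap --namespace $ns rotate-$1" >&2
}

# Uncomment to rotate the NATS password used as the example on this page:
# rotate_secrets kubecf kubecf.var-nats-password
```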