For now, I deploy my application pods using static files, and one of them is app-secrets.yaml, with all the secrets needed to deploy an application:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  root: xxxxxx
  user1: xxxxxx
  user2: xxxxxx
```
but this is neither secure nor convenient (if I need another app instance, I have to create another file with a human-generated password).
I'm looking to generate random passwords at application creation, but I don't know if it's possible.
I've already looked at the topic of secrets, and especially secretGenerator, but as I understand it this is not directly what I want, because it does not create a random string but a random secret name like secret/app-secrets-ssdsdfmfh4k, and I still have to provide the passwords.
You may want to use kubernetes-secret-generator. I've tested it and it's doing exactly what you need.
To set it up you need helm in your cluster; then follow these instructions:
Clone the repository:
```shell
$ git clone https://github.com/mittwald/kubernetes-secret-generator
$ cd kubernetes-secret-generator
```
Create the helm deployment (the chart path is relative to the cloned repository):
```shell
$ helm upgrade --install secret-generator ./deploy/chart
```
Now, to use it, you just have to add the annotation
secret-generator.v1.mittwald.de/autogenerate
to any Kubernetes Secret object. The value of the annotation can be a field name (or a comma-separated list of field names) within the secret; the SecretGeneratorController will pick up this annotation and add a field (or fields; password in the example below) to the secret with a randomly generated string value. From here.
mysecret.yaml:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  annotations:
    secret-generator.v1.mittwald.de/autogenerate: password
data:
  username: UGxlYXNlQWNjZXB0Cg==
```
```shell
$ kubectl apply -f mysecret.yaml
```
After applying this secret you can take a look at it to check that the password was generated as expected:
```shell
$ kubectl get secrets mysecret -o yaml
```
```yaml
apiVersion: v1
data:
  password: dnVKTDBJZ0tFS1BacmtTMnBuc3d2YWs2YlZsZ0xPTUFKdStDa3dwUQ==
  username: UGxlYXNlQWNjZXB0Cg==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"username":"UGxlYXNlQWNjZXB0Cg=="},"kind":"Secret","metadata":{"annotations":{"secret-generator.v1.mittwald.de/autogenerate":"password"},"name":"mysecret","namespace":"default"}}
    secret-generator.v1.mittwald.de/autogenerate: password
    secret-generator.v1.mittwald.de/autogenerate-generated-at: 2020-01-09 14:29:44.397648062 +0000 UTC m=+664.011602557
    secret-generator.v1.mittwald.de/secure: "yes"
  creationTimestamp: "2020-01-09T14:29:44Z"
  name: mysecret
  namespace: default
  resourceVersion: "297425"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 7ae42d71-32ec-11ea-92b3-42010a800009
type: Opaque
```
As we can see, the password was generated and it's encrypted as you need.
You can do this too:
```shell
# kubectl base64-encodes --from-literal values itself, so the random string is passed as plain text
$ kubectl create secret generic mysecret --from-literal=password="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)"
```
The inconvenience is that you need to change the secret name every time you run the command, but it looks like you already have a mechanism to generate random secret names.
Note: change the number in head -c 8 to control the length of the string.
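A few things worth making explicit for both approaches above: the values in a Secret's `data` field are base64-encoded, not encrypted (the API server stores them as-is unless encryption at rest is configured, and any principal allowed to read the Secret gets the plaintext), and a `kubectl create` one-liner fails on the second run because the object already exists, whereas `kubectl apply` updates it in place without renaming it. The script below is an added example, not code from the question, either answer, or the kubernetes-secret-generator project. It draws a password from /dev/urandom, renders a Secret manifest of the same shape as the ones above, and can be piped to `kubectl apply -f -`. The function names gen_password, b64, b64_decode and secret_manifest are my own; the script assumes a POSIX shell with coreutils tr, head and base64, and does not contact a cluster (no kubectl call is made inside it).

```shell
#!/bin/sh
# Added example: generate a random password locally and render a Kubernetes
# Secret manifest for `kubectl apply -f -`. Not from the original page.
# Assumes: POSIX sh, coreutils (tr, head, base64), readable /dev/urandom.
set -eu

# Random alphanumeric password of $1 characters (default 32).
# 62 symbols give ~5.95 bits per character: 32 chars is ~190 bits of
# entropy, while 8 chars (as in the one-liner above) is only ~47 bits.
# LC_ALL=C keeps tr byte-oriented so the range is exactly A-Z, a-z, 0-9.
gen_password() {
    len=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Single-line base64 of a string. GNU base64 wraps at 76 columns by
# default, which would corrupt a YAML scalar, so the newlines are stripped.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Inverse of b64: this is all it takes to read a Secret value back, which
# is why the `data` encoding must not be mistaken for encryption.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Render an Opaque Secret manifest with one key. $1 = secret name,
# $2 = key inside `data`, $3 = plaintext value (encoded here).
secret_manifest() {
    name=$1
    key=$2
    value=$3
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key: $(b64 "$value")
EOF
}

# Usage (the kubectl part is a comment so the script runs without a cluster):
#   secret_manifest app-secrets root "$(gen_password 32)" | kubectl apply -f -
```

Because `gen_password` is called on every run, re-applying the manifest rotates the password; if the secret must stay stable across deploys, guard the call with `kubectl get secret app-secrets >/dev/null 2>&1 ||` so it is only created when absent. Anyone with `get` on Secrets in that namespace can run `b64_decode` on the stored value, so RBAC on Secrets and encryption at rest for etcd are what protect the generated password, not the encoding.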