Cluster-wide secrets for Kubernetes
If you have lots of namespaces or create namespaces on the fly, you will face the challenge of keeping secrets in sync across all of them.
Instead of maintaining all these secrets manually, you can use a tool called Image Pull Secret Patcher, which does the work for you and replicates the secret across all namespaces.
The installation is pretty easy and straightforward.
Installation
1. It’s best to create a dedicated namespace to deploy the new resources to.
kubectl create namespace imagepullsecret-patcher
2. Apply the RBAC and Deployment files below to the cluster.
kubectl apply -f https://gist.github.com/MahdiKarimipour/1e7063d0e854e74c0278b477a77c7256
kubectl apply -f https://gist.githubusercontent.com/MahdiKarimipour/afc92e93ebeebcded511788bae660ef7/raw/c4874730fc7b8eb6254622a154e1b0796aaf30f5/image-pull-secret-deployment.yaml
Set the Secret
Before applying the second file (the deployment) to the cluster, we need to set our secret first. The secret value is embedded in the data field shown below, in Base64 format. Base64 is an encoding, not encryption, so treat the manifest as containing the credential in clear text.
data:
  .dockerconfigjson: ewogICAgImF1dGhzIjogewogICAgICAgICJodHRwczovL2RvY2tlci5pbyI6IHsKICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJuYW1lIiwKICAgICAgICAgICAgInBhc3N3b3JkIjogInBhc3N3b3JkIiwKICAgICAgICAgICAgImF1dGgiOiAiZFhObGNtNWhiV1U2Y0dGemMzZHZjbVE9IgogICAgICAgIH0KICAgIH0KfQ==
So first let's decode that value. Below is the structure of the value after decoding:
{
    "auths": {
        "https://docker.io": {
            "username": "username",
            "password": "password",
            "auth": "dXNlcm5hbWU6cGFzc3dvcmQ9"
        }
    }
}
Note that the auth value is itself Base64-encoded. If you decode it, you get the following:
"auth": "username:password="
So after two rounds of decoding, here is the structure in plain text:
{
    "auths": {
        "https://docker.io": {
            "username": "username",
            "password": "password",
            "auth": "username:password="
        }
    }
}
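Once you have set your own values, follow the above steps in reverse: Base64-encode the auth value, then Base64-encode the whole JSON document and put the result in .dockerconfigjson. You can then apply the deployment file to the cluster, which will keep this secret shared across all namespaces.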
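
The reverse procedure described above, as an added shell example that is not part of the original article or of the Image Pull Secret Patcher project. The function names are hypothetical and the registry and credentials in the usage comment are constructed placeholders; auth is built as the Base64 of username:password, the form Docker's own config file uses.

```shell
#!/bin/sh
# Added example: build and check a .dockerconfigjson value in two layers.
# Function names are hypothetical; sample credentials are constructed.

# Base64-encode stdin onto a single line (GNU base64 wraps at 76 columns).
b64() { base64 | tr -d '\n'; }

# Escape backslashes and double quotes so a value is safe in a JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Inner layer: auth = Base64 of "username:password".
make_auth() { printf '%s:%s' "$1" "$2" | b64; }

# Outer layer: wrap everything in the auths document, then Base64 the whole.
# Usage: make_dockerconfigjson <registry> <username> <password>
make_dockerconfigjson() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
        "$(make_auth "$2" "$3")" | b64
}

# Reverse direction: recover the plain auth string from a .dockerconfigjson
# value, to confirm what will be replicated before applying the manifest.
decode_auth() {
    printf '%s' "$1" | base64 -d \
        | sed -n 's/.*"auth"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        | base64 -d
}

# Example (constructed values):
#   value=$(make_dockerconfigjson https://docker.io username password)
#   decode_auth "$value"
```

Passing the password as a function argument keeps it out of the process list only because printf is a shell builtin; read it from a file or prompt rather than typing it on the command line, where it would land in shell history.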