manintheit.org

OpenShift Global Pull Secret

In this post, we’ll walk you through how to securely fetch registry user credentials from HashiCorp Vault and apply them globally as a Pull Secret configuration in your OpenShift cluster.

In today’s dynamic containerized environments, ensuring the security of your registry credentials is paramount. Exposing these credentials can lead to unauthorized access, data breaches, and potential compromises of your entire infrastructure. By centralizing and encrypting credentials in a secure vault like HashiCorp Vault, you can mitigate these risks and maintain control over who can access sensitive information.


<ansible-folder>/clusters/ocp.dev/cluster.yml

# when 'enable_image_pull_secret: true', the 'dockerconfig_json_def' and 'dockerconfig_json' variables are used
enable_image_pull_secret: true # [true|false]
# 'auth' MUST be the Vault path of the secret that holds the registry password
# 'username' MUST be the user name for the image registry
# for public registries 'username' and 'auth' MUST be empty, e.g.:
#  docker.io:
#    auth: ""
#    username: ""
dockerconfig_json_def:
  regs-test.io:
    auth: "secret/data/global/artifactory/artif-test"
    username: "user-test"
  regs-prod.io:
    auth: "secret/data/global/artifactory/artif-prod"
    username: "user-prod"

dockerconfig_json: {}

<playbook-file>/main.yml

---
- hosts: localhost
  gather_facts: no

  vars_prompt:
    - name: cluster_environment
      prompt: "What environment do we deploy? (zB. ocp.dev)"
      private: no
    - name: vault_token
      prompt: "Vault token (copy from http://vault:8200/ui/vault)"

  vars:
    vault_url: "http://vault:8200"

  tasks:
    - name: Fetch cluster variables
      include_vars:
        file: "{{ playbook_dir }}/clusters/{{ cluster_environment }}/cluster.yml"

    - name: update dockerconfig.json
      tags: [ config ]
      block:
        # for every registry in dockerconfig_json_def, fetch the password from Vault and
        # store base64(username:password) as that registry's 'auth'; public registries get ""
        - name: Set dockerconfig_json getting secrets
          set_fact:
            dockerconfig_json: "{{ dockerconfig_json | combine({item.key: {'auth':  dcred }}, recursive=true) }}"
          vars:
            dcred: "{{ (item.value.username + ':' + lookup('hashi_vault', 'secret='+item.value.auth+' token='+vault_token+' url=' + vault_url)['password'])|trim|b64encode if item.value.auth != '' else '' }}"
          with_dict: "{{ dockerconfig_json_def }}"

        - name: Update dockerconfig_json adding 'auths'
          set_fact:
            dockerconfig_json: "{{ {'auths': dockerconfig_json} }}"

        - name: Content of dockerconfig.json
          debug:
            msg: "{{ dockerconfig_json }}"

        - name: update dockerconfig.json secret
          kubernetes.core.k8s:
            definition:
              apiVersion: v1
              kind: Secret
              metadata:
                name: "pull-secret"
                namespace: "openshift-config"
              type: kubernetes.io/dockerconfigjson
              data:
                .dockerconfigjson: "{{ dockerconfig_json | to_json | trim | b64encode }}"
      when: enable_image_pull_secret

Note: you need access to the cluster as a user with the cluster-admin role, since the playbook writes the pull-secret in the openshift-config namespace.
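The k8s task above writes a complete Secret, so the .dockerconfigjson it applies contains only the registries from dockerconfig_json_def. The Python below is an added example, not code from this post or its playbook: it builds the same auth entries (constructed sample credentials stand in for the Vault lookup), merges them into an existing pull secret so that its other registry entries are kept, and checks that every encoded auth decodes back to username:password before the secret is applied.

```python
import base64
import json

# Constructed sample of an existing global pull secret (decoded .dockerconfigjson).
# Real OpenShift pull secrets carry entries (quay.io, registry.redhat.io, ...) that must survive an update.
EXISTING_DOCKERCONFIG = {
    "auths": {"quay.io": {"auth": base64.b64encode(b"qa-user:qa-pass").decode()}}
}
# Constructed stand-in for dockerconfig_json_def, password already fetched from Vault.
REGISTRY_DEFS = {
    "regs-test.io": {"username": "user-test", "password": "pw-test"},
    "regs-prod.io": {"username": "user-prod", "password": "pw-prod"},
    "docker.io": {"username": "", "password": ""},  # public registry: empty auth
}

def build_auth(username, password):
    """base64(username:password) as the playbook's dcred computes it; '' for public registries."""
    if not username:
        return ""
    return base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_auth(auth):
    """Strict inverse of build_auth; raises ValueError on malformed input."""
    return base64.b64decode(auth, validate=True).decode()

def merge_dockerconfig(existing, defs):
    """Add or replace the registries in defs, keeping every other entry of existing."""
    merged = json.loads(json.dumps(existing))  # deep copy, never mutate the input
    auths = merged.setdefault("auths", {})
    for registry, cred in defs.items():
        auths[registry] = {"auth": build_auth(cred["username"], cred["password"])}
    return merged

def encode_secret_data(dockerconfig):
    """Value for Secret.data['.dockerconfigjson'] (the playbook's to_json | b64encode)."""
    return base64.b64encode(json.dumps(dockerconfig).encode()).decode()

def verify_pull_secret(encoded):
    """Decode a .dockerconfigjson value and report auths that are not 'user:password'."""
    problems = []
    for registry, entry in json.loads(base64.b64decode(encoded)).get("auths", {}).items():
        auth = entry.get("auth", "")
        if auth == "":
            continue  # public registry, nothing to check
        try:
            user, _, password = decode_auth(auth).partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            user = password = ""
        if not user or not password:
            problems.append(f"{registry}: auth does not decode to username:password")
    return problems
```

Run verify_pull_secret against the encoded value before handing it to the k8s task; an empty list means every private registry entry is well-formed.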
