Secret definition

Define secret value

Secrets can be used in logging-operator Output definitions.

Secrets MUST be in the SAME namespace as the Output or ClusterOutput custom resource

Example secret definition

aws_key_id:
  valueFrom:
    secretKeyRef:
      name: <kubernetes-secret-name>
      key: <kubernetes-secret-key>

For debug purposes you can define secret values directly. However this is NOT recommended in production.

aws_key_id:
  value: "secretvalue"

Before rendering a secret value into the Fluentd configuration, the operator trims a single trailing newline or carriage return. As a result, a secret stored with a trailing newline (a common result of echo "secret" | base64) renders the same as one stored without it, so it won’t break authentication for outputs. Newlines within the value are preserved, but the value is quoted and escaped so it can’t inject additional Fluentd configuration directives.

Define secret mount

There are cases when you can’t inject secret into the configuration because the plugin need a file to read from. For this cases you can use mountFrom.

tls_cert_path:
  mountFrom:
    secretKeyRef:
      name: <kubernetes-secret-name>
      key: <kubernetes-secret-key>

The operator will collect the secret and copy it to the fluentd-output secret. The fluentd configuration will contain the secret path.

Example rendered configuration

<match **>
    @type forward
    tls_cert_path /fluentd/etc/secret/default-fluentd-tls-tls.crt
    ...
</match>

How it works?

Behind the scene the operator marks the secret with an annotation and watches it for changes as long as the annotation is present.

Example annotated secret

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  annotations:
    logging.banzaicloud.io/default: watched
  name: fluentd-tls
  namespace: default
data:
  tls.crt: SGVsbG8gV29ybGQ=

The annotation format is logging.banzaicloud.io/<loggingRef>: watched. Since the name part of the an annotation can’t be empty the default applies to empty loggingRef value as well.

The mount path is generated from the secret information

/fluentd/etc/secret/$namespace-$secret_name-$secret_key