Define secret value
Secrets can be used in logging-operator Output definitions.
Secrets MUST be in the SAME namespace as the Output or ClusterOutput custom resource.
Example secret definition
aws_key_id:
  valueFrom:
    secretKeyRef:
      name: <kubernetes-secret-name>
      key: <kubernetes-secret-key>
For debugging purposes you can define secret values directly. However, this is NOT recommended in production, because the value then sits in plain text in the Output resource instead of in a Kubernetes Secret.
aws_key_id:
  value: "secretvalue"
Define secret mount
There are cases when you can't inject a secret into the configuration because the plugin needs a file to read from. For these cases you can use mountFrom.
tls_cert_path:
  mountFrom:
    secretKeyRef:
      name: <kubernetes-secret-name>
      key: <kubernetes-secret-key>
The operator will collect the secret and copy it to the fluentd-output secret. The fluentd configuration will contain the secret path.
Example rendered configuration
<match **>
  @type forward
  tls_cert_path /fluentd/etc/secret/default-fluentd-tls-tls.crt
  ...
</match>
How does it work?
Behind the scenes the operator marks the secret with an annotation and watches it for changes as long as the annotation is present.
Example annotated secret
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  annotations:
    logging.banzaicloud.io/default: watched
  name: fluentd-tls
  namespace: default
data:
  tls.crt: SGVsbG8gV29ybGQ=
The annotation format is logging.banzaicloud.io/<loggingRef>: watched. Since the name part of an annotation can't be empty, the default value applies to an empty loggingRef as well.
The mount path is generated from the secret information:
/fluentd/etc/secret/$namespace-$secret_name-$secret_key
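To make the namespace rule, the annotation naming and the mount path format above concrete, here is an added Go example; it is not code from logging-operator itself. SecretRef, ResolveMount and the sample secret data are assumptions made for illustration; the annotation prefix, the "watched" value and the mount root come from this page.

```go
package main

import (
	"fmt"
	"path"
)

const (
	annotationPrefix = "logging.banzaicloud.io/" // from the page
	watchedValue     = "watched"                 // from the page
	secretMountRoot  = "/fluentd/etc/secret"     // from the page
)

// SecretRef is an assumed stand-in for the secretKeyRef block in an Output.
type SecretRef struct {
	Name string
	Key  string
}

// WatchAnnotation returns the annotation key the operator puts on a secret
// for the given loggingRef; an empty loggingRef maps to "default".
func WatchAnnotation(loggingRef string) string {
	if loggingRef == "" {
		loggingRef = "default"
	}
	return annotationPrefix + loggingRef
}

// IsWatched reports whether the secret's annotations mark it as watched for loggingRef.
func IsWatched(annotations map[string]string, loggingRef string) bool {
	return annotations[WatchAnnotation(loggingRef)] == watchedValue
}

// MountPath renders /fluentd/etc/secret/$namespace-$secret_name-$secret_key.
func MountPath(namespace string, ref SecretRef) string {
	return path.Join(secretMountRoot, fmt.Sprintf("%s-%s-%s", namespace, ref.Name, ref.Key))
}

// ResolveMount (assumed helper) applies the page's rules before rendering a mount:
// the secret must be in the same namespace as the Output, and the referenced
// key must exist in the secret's data. Failing either returns an error.
func ResolveMount(outputNamespace, secretNamespace string, ref SecretRef, data map[string][]byte) (string, error) {
	if secretNamespace != outputNamespace {
		return "", fmt.Errorf("secret %s/%s is not in Output namespace %s", secretNamespace, ref.Name, outputNamespace)
	}
	if _, ok := data[ref.Key]; !ok {
		return "", fmt.Errorf("secret %s/%s has no key %q", secretNamespace, ref.Name, ref.Key)
	}
	return MountPath(secretNamespace, ref), nil
}

func main() {
	// Constructed sample matching the annotated secret above (tls.crt = "Hello World").
	data := map[string][]byte{"tls.crt": []byte("Hello World")}
	p, err := ResolveMount("default", "default", SecretRef{Name: "fluentd-tls", Key: "tls.crt"}, data)
	fmt.Println(p, err)
}
```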