Define secret value

Secrets can be used in logging-operator Output definitions.

Secrets MUST be in the SAME namespace as the Output or ClusterOutput custom resource.

Example secret definition

  valueFrom:
    secretKeyRef:
      name: <kubernetes-secret-name>
      key: <kubernetes-secret-key>

For debugging purposes you can define secret values directly. However, this is NOT recommended in production.

  value: "secretvalue"

Define secret mount

There are cases when you can't inject a secret into the configuration because the plugin needs a file to read from. In these cases you can use mountFrom.

  mountFrom:
    secretKeyRef:
      name: <kubernetes-secret-name>
      key: <kubernetes-secret-key>

The operator will collect the secret and copy it to the fluentd-output secret. The fluentd configuration will contain the secret path.

Example rendered configuration

<match **>
    @type forward
    tls_cert_path /fluentd/etc/secret/default-fluentd-tls-tls.crt
</match>

How it works

Behind the scenes, the operator marks the secret with an annotation and watches it for changes as long as the annotation is present.

Example annotated secret

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  annotations:
    logging.banzaicloud.io/default: watched
  name: fluentd-tls
  namespace: default
data:
  tls.crt: SGVsbG8gV29ybGQ=

The annotation format is logging.banzaicloud.io/<loggingRef>: watched. Since the name part of an annotation can't be empty, the name default applies to an empty loggingRef value as well.

The mount path is generated from the secret information
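As an added example (not part of the operator's documentation or code), the audit below walks an Output manifest and reports inline value secrets, which this page advises against in production, along with the Secret or mounted file that each valueFrom or mountFrom reference resolves to. It assumes secret fields are mappings keyed by value, valueFrom or mountFrom with a nested secretKeyRef, and that the mount path follows the <namespace>-<name>-<key> pattern seen in the rendered configuration above; the sample manifest and its plugin field names are constructed.

```python
import json

# Constructed sample Output (shape of `kubectl get output -o json`); the plugin
# and field names under spec are illustrative, not taken from the page.
SAMPLE = json.loads("""
{"kind": "Output",
 "metadata": {"name": "demo", "namespace": "default"},
 "spec": {
   "s3": {
     "aws_key_id": {"value": "secretvalue"},
     "aws_secret_key": {"valueFrom": {"secretKeyRef": {"name": "s3-creds", "key": "secret"}}}},
   "forward": {
     "tls_cert_path": {"mountFrom": {"secretKeyRef": {"name": "fluentd-tls", "key": "tls.crt"}}}}}}
""")

MOUNT_DIR = "/fluentd/etc/secret"  # directory seen in the rendered configuration
SOURCES = {"value", "valueFrom", "mountFrom"}


def audit_secrets(resource):
    """Return (source, field_path, detail) for every secret-bearing field in spec."""
    ns = resource["metadata"]["namespace"]
    findings = []

    def walk(node, path):
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, dict) and node and set(node) <= SOURCES:
            # Heuristic (assumption): a secret field is a mapping with only these keys.
            if isinstance(node.get("value"), str):
                findings.append(("inline", path, "plaintext in manifest"))
            for src in ("valueFrom", "mountFrom"):
                holder = node.get(src)
                ref = holder.get("secretKeyRef") if isinstance(holder, dict) else None
                if not ref:
                    continue
                detail = f"{ns}/{ref['name']}:{ref['key']}"  # same namespace as the Output
                if src == "mountFrom":  # path pattern assumed from the page's example
                    detail = f"{MOUNT_DIR}/{ns}-{ref['name']}-{ref['key']}"
                findings.append((src, path, detail))
        elif isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}")

    walk(resource.get("spec", {}), "spec")
    return findings
```

Any finding with source inline is a manifest that carries the secret in plaintext and should be moved to a Secret reference before it reaches production.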