What is the proper format for injecting a secret into an mms.* setting in the configuration for ops-manager with the Kubernetes operator? For example, given a very basic secret like:
```yaml
kind: Secret
apiVersion: v1
metadata:
  name: ops-manager-secret-name
data:
  password: SomeSuperSecurePasswordHere
type: Opaque
```
And let's say I want to use that secret to help configure something like the LDAP bind password:
```yaml
configuration:
  mms.ldap.bindPassword: ops-manager-secret-name
```
That doesn't seem to take when I load it up in Ops Manager. I've tried naming the secret key to match ("bindPassword") but that doesn't take either. What's the right way to go about injecting k8s secrets into the Ops Manager Configuration block?
To inject a secret into an mms.* setting using the Kubernetes Operator for Ops Manager, you should reference the secret correctly in your configuration. Here’s how you can do it:
- Define the Secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ops-manager-secret-name
data:
  password: U29tZVN1cGVyU2VjdXJlUGFzc3dvcmRIZXJl # Base64 encoded password
type: Opaque
```
- **Reference the Secret in the Ops Manager Custom Resource:** In your Ops Manager configuration, you need to use the secret key reference syntax. For example, if you want to set the LDAP bind password:
```yaml
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: ops-manager
spec:
  configuration:
    mms.ldap.bindPassword:
      secretRef:
        name: ops-manager-secret-name
        key: password
```
Explanation:
- secretRef: This specifies the Kubernetes secret to use.
- name: The name of the secret.
- key: The specific key within the secret that contains the password.
Ensure your secret data is base64 encoded, as Kubernetes secrets require this encoding. You can encode your password using:
```bash
echo -n 'SomeSuperSecurePasswordHere' | base64
```
This should allow Ops Manager to access the secret correctly.
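The base64 requirement mentioned in the answer above, as an added example that is not part of the original posts: a small shell lint for values placed under a Secret's `data:` map. The function names are hypothetical, and the sample values are the ones from this thread plus one constructed value with a trailing newline.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): lint values destined for the `data:`
# map of a Kubernetes Secret. Function names are hypothetical.

# Encode a literal for `data:`. printf '%s' avoids the trailing newline that
# a plain `echo` (without -n) would store as part of the password.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Classify a candidate `data:` value. Prints one of:
#   ok                canonical base64, decoded value has no trailing newline
#   trailing-newline  canonical base64, but the decoded value ends in \n
#   not-base64        decoding and re-encoding does not reproduce the input
check_secret_value() {
  local value="$1" roundtrip last
  # A failed or partial decode re-encodes to something different, so decoder
  # errors are caught by the comparison rather than by the exit status.
  roundtrip=$(printf '%s' "$value" | base64 -d 2>/dev/null | base64 | tr -d '\n') || true
  if [ "$roundtrip" != "$value" ]; then
    echo not-base64
    return 1
  fi
  # Inspect the last decoded byte as hex so a newline is not lost in $(...).
  last=$(printf '%s' "$value" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  if [ "$last" = "0a" ]; then
    echo trailing-newline
    return 1
  fi
  echo ok
}

# Sample values: the raw and encoded passwords from this thread, plus a
# constructed value produced by encoding the password with a newline appended.
for candidate in \
  'SomeSuperSecurePasswordHere' \
  'U29tZVN1cGVyU2VjdXJlUGFzc3dvcmRIZXJl' \
  'U29tZVN1cGVyU2VjdXJlUGFzc3dvcmRIZXJlCg=='
do
  printf '%-45s %s\n' "$candidate" "$(check_secret_value "$candidate" || true)"
done
```

A plain string that happens to use only base64 characters and has a length that is a multiple of four will still pass this check, so treat `ok` as a sanity check rather than proof that the value was encoded.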
Thank you for that update. When I attempt to reference the secret as described, I get the following error message:
```
spec.configuration.mms.ldap.bindPassword: Invalid value: "object": spec.configuration.mms.ldap.bindPassword in body must be of type string: "object"]
```
I read that as meaning it does not take the SecretRef object after all. Any additional help would be appreciated.