How to create Kubernetes K8s or OpenShift OCP secret with Ansible?

I’m going to show you a live Playbook and some simple Ansible code. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

Ansible create Kubernetes or OpenShift secret

  • kubernetes.core.k8s
  • Manage Kubernetes (K8s) objects

Let’s talk about the Ansible module k8s. The full name is kubernetes.core.k8s, which means that is part of the collection of modules of Ansible to interact with Kubernetes and Red Hat OpenShift clusters. It manages Kubernetes (K8s) objects.

Parameters

  • name string /namespace string - object name / namespace
  • api_version string - “v1”
  • kind string - object model
  • state string - present/absent/patched
  • definition string - YAML definition
  • src path - path for YAML definition
  • template raw - YAML template definition
  • validate dictionary - validate resource definition

There is a long list of parameters of the k8s module. Let me summarize the most used. Most of the parameters are very generic and allow you to combine them for many use-cases. The name and namespace specify object name and/or the object namespace. They are useful to create, delete, or discover an object without providing a full resource definition. The api_version parameter specifies the Kubernetes API version, the default is “v1” for version 1. The kind parameter specifies an object model. The state like for other modules determines if an object should be created - present option, patched - patched option, or deleted - absent option. The definition parameter allows you to provide a valid YAML definition (string, list, or dict) for an object when creating or updating. If you prefer to specify a file for the YAML definition, the src parameter provides a path to a file containing a valid YAML definition of an object or objects to be created or updated. You could also specify a YAML definition template with the template parameter. You might find useful also the validate parameter in order to define how to validate the resource definition against the Kubernetes schema. Please note that requires the kubernetes-validate python module.

Join 50+ hours of courses in our exclusive community

Playbook

How to create Kubernetes secret with Ansible Playbook using the module k8s. Specifically, the following example is going to create the “mysecret” secret in namespace “default” in Kubernetes K8s or OpenShift OCP with Ansible.

code

  • ansible_playbook.yml
---
- name: k8s Playbook
  hosts: localhost
  gather_facts: false
  connection: local
  tasks:
    - name: create k8s secret mysecret
      kubernetes.core.k8s:
        src: mysecret.yaml
        state: present
  • mysecret.yml

The values for all keys in the data the field has to be base64-encoded strings. username = admin, password = secretpassword

---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: c2VjcmV0cGFzc3dvcmQ=

execution

ansible-pilot $ ansible-playbook kubernetes/secret.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [k8s Playbook] ***********************************************************************************
TASK [create k8s secret mysecret] *****************************************************************
changed: [localhost]
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

idempotency

ansible-pilot $ ansible-playbook kubernetes/secret.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [k8s Playbook] ***********************************************************************************
TASK [create k8s secret mysecret] *****************************************************************
ok: [localhost]
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

before execution

  • Kubernetes (k8s)
ansible-pilot $ kubectl list secrets          
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-sqm7r    kubernetes.io/dockercfg               1      74d
builder-token-9tg7z        kubernetes.io/service-account-token   4      74d
builder-token-rvhcn        kubernetes.io/service-account-token   4      74d
default-dockercfg-lgth4    kubernetes.io/dockercfg               1      74d
default-token-6g2dp        kubernetes.io/service-account-token   4      74d
default-token-x5l9r        kubernetes.io/service-account-token   4      74d
deployer-dockercfg-9c5n2   kubernetes.io/dockercfg               1      74d
deployer-token-htqht       kubernetes.io/service-account-token   4      74d
deployer-token-q74gz       kubernetes.io/service-account-token   4      74d
example                    Opaque                                2      1m
  • OpenShift (OCP)
ansible-pilot $ oc list secrets          
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-sqm7r    kubernetes.io/dockercfg               1      74d
builder-token-9tg7z        kubernetes.io/service-account-token   4      74d
builder-token-rvhcn        kubernetes.io/service-account-token   4      74d
default-dockercfg-lgth4    kubernetes.io/dockercfg               1      74d
default-token-6g2dp        kubernetes.io/service-account-token   4      74d
default-token-x5l9r        kubernetes.io/service-account-token   4      74d
deployer-dockercfg-9c5n2   kubernetes.io/dockercfg               1      74d
deployer-token-htqht       kubernetes.io/service-account-token   4      74d
deployer-token-q74gz       kubernetes.io/service-account-token   4      74d
example                    Opaque                                2      1m

after execution

  • Kubernetes (k8s)
ansible-pilot $ kubectl list secrets         
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-sqm7r    kubernetes.io/dockercfg               1      74d
builder-token-9tg7z        kubernetes.io/service-account-token   4      74d
builder-token-rvhcn        kubernetes.io/service-account-token   4      74d
default-dockercfg-lgth4    kubernetes.io/dockercfg               1      74d
default-token-6g2dp        kubernetes.io/service-account-token   4      74d
default-token-x5l9r        kubernetes.io/service-account-token   4      74d
deployer-dockercfg-9c5n2   kubernetes.io/dockercfg               1      74d
deployer-token-htqht       kubernetes.io/service-account-token   4      74d
deployer-token-q74gz       kubernetes.io/service-account-token   4      74d
example                    Opaque                                2      10m
mysecret                   Opaque                                2      1m
  • OpenShift (OCP)
ansible-pilot $ oc list secrets         
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-sqm7r    kubernetes.io/dockercfg               1      74d
builder-token-9tg7z        kubernetes.io/service-account-token   4      74d
builder-token-rvhcn        kubernetes.io/service-account-token   4      74d
default-dockercfg-lgth4    kubernetes.io/dockercfg               1      74d
default-token-6g2dp        kubernetes.io/service-account-token   4      74d
default-token-x5l9r        kubernetes.io/service-account-token   4      74d
deployer-dockercfg-9c5n2   kubernetes.io/dockercfg               1      74d
deployer-token-htqht       kubernetes.io/service-account-token   4      74d
deployer-token-q74gz       kubernetes.io/service-account-token   4      74d
example                    Opaque                                2      10m
mysecret                   Opaque                                2      1m

Red Hat CodeReady Containers web UI

Conclusion

Now you know how to create Kubernetes or OpenShift secret with Ansible.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my Udemy 300+ Lessons Video Course.

BUY the Complete Udemy 300+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Want to keep this project going? Please donate

Patreon Buy me a Pizza