This example shows how to use `nameRefKustomizationDir` & `nameSuffixHash` to correct name references to sealed secrets.
Create a clone of this package to test it out:

```shell
rm -rf test/ && kpt fn source | kpt fn sink test/ && pushd test/
```
Notice that the Deployment references the two Secrets using their pre-hashed names:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy
  namespace: test
spec:
  template:
    spec:
      containers:
        - name: container
          envFrom:
            - secretRef:
                name: secret-one
            - secretRef:
                name: secret-two
```
Seal the Secrets:

```shell
kpt fn render
```
Building the Kustomization at this point will not correctly update name references:

```shell
kustomize build
```
But if you add the generated Kustomization to the root Kustomization:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./deploy.yaml
  - ./secret-one.yaml
  - ./secret-two.yaml
  - ./fix-name-refs # <---- Add this
```
And build again:

```shell
kustomize build
```
The name references should use the hashed names.
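
To check that claim mechanically, the following added example (not part of this package) reports any `secretRef` name in rendered output that matches no Secret or SealedSecret in the same stream. The function name, the `SealedSecret` kind in the sample, and the hash suffixes are assumptions made for illustration; the sample manifests are constructed and abridged.

```shell
# Added example: read rendered manifests on stdin and print each secretRef name that
# matches no Secret/SealedSecret in the stream (exit 1 if any). Assumes 2-space YAML.
unresolved_secret_refs() {
  awk '
    function end_doc() {
      if ((kind == "Secret" || kind == "SealedSecret") && name != "") known[name] = 1
      kind = ""; name = ""; in_meta = 0; want = 0
    }
    /^---/ { end_doc(); next }
    /^kind: / { kind = $2 }
    /^[^ #-]/ { in_meta = ($1 == "metadata:") }   # top-level key
    in_meta && /^  name: / { name = $2 }
    want { if ($1 == "name:") refs[$2] = 1; want = 0 }
    /secretRef:[ \t]*$/ { want = 1 }              # name is on the next line
    END {
      end_doc()
      for (r in refs) if (!(r in known)) { print r; bad = 1 }
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample output; the hash suffixes and SealedSecret kind are assumed.
sample() {   # sample REF_ONE REF_TWO
  cat <<EOF
kind: SealedSecret
metadata:
  name: secret-one-abc123
---
kind: SealedSecret
metadata:
  name: secret-two-def456
---
kind: Deployment
metadata:
  name: deploy
spec:
  template:
    spec:
      containers:
      - envFrom:
        - secretRef:
            name: $1
        - secretRef:
            name: $2
        name: container
EOF
}
sample secret-one secret-two | unresolved_secret_refs || echo "dangling secretRefs found"
sample secret-one-abc123 secret-two-def456 | unresolved_secret_refs && echo "all secretRefs resolve"
```

Against a real tree, pipe the build into it: `kustomize build | unresolved_secret_refs`.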
If you want to reseal the Secret with new values, create a Secret resource with the same name as the original (i.e. the pre-hashed name):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-one
  namespace: test
stringData:
  c: "c"
```
Render again:

```shell
kpt fn render
```
Kustomization build should update the reference to the new secret:

```shell
kustomize build
```