IBM Cloud Pak foundational services versions compatibility

IBM Cloud Pak foundational services versions 3.2.2 through 3.2.4 store Kubernetes secrets and configmaps in the kube-system and kube-public namespaces. IBM Cloud Pak foundational services version 3.4.0 and higher store Kubernetes secrets and configmaps in the ibm-common-services namespace. The SecretShare operator, which is available in foundational services version 3.4.0 and higher, copies the secrets and configmaps from the ibm-common-services namespace to the kube-system and kube-public namespaces to provide compatibility with earlier versions.

About the SecretShare operator

SecretShare is an Ansible operator that is used to share secrets and configmaps between namespaces. The operator watches secrets and configmaps in a namespace, copies the ones that are specified in the SecretShare Custom Resource (CR) to other namespaces, and optionally, to other names in those namespaces.

SecretShare CR

In the following example, a SecretShare CR named common-services is created in the ibm-common-services namespace.

apiVersion: ibmcpcs.ibm.com/v1
kind: SecretShare
metadata:
  name: common-services
  namespace: ibm-common-services
spec:
  secretshares:
  - secretname: icp-management-ingress-tls-secret
    sharewith:
    - namespace: kube-system
    - namespace: kube-system
      name: route-tls-secret
  configmapshares:
  - configmapname: ibmcloud-cluster-info
    sharewith:
    - namespace: kube-system

The operator watches for the secrets and configmaps that are specified in the CR in the ibm-common-services namespace. It then copies them to their target namespaces. When the original secrets and configmaps are updated, the operator updates the copies in the target namespaces.

Consider the example CR. When you create the CR, the operator completes the following actions if or when it finds the secret or configmap:

Note: The operator watches the SecretShare CR and all secrets and configmaps. Any change to one of these secrets or configmaps triggers a re-evaluation of the CR, and the changes are copied as needed.

Note: If the target namespace does not exist, the SecretShare operator creates the namespace before it copies the secret or configmap.
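
The following added example (not IBM's code and not part of the operator) expands the example CR into the copies it requests and groups the secret copies by target namespace, which is the list of namespaces whose RBAC now controls read access to each secret. It assumes the CR is supplied as JSON, for example from `oc get SecretShare common-services -n ibm-common-services -o json`; the function names are hypothetical.

```python
import json

# The example CR from this page in JSON form (constructed sample;
# status and other server-set fields are omitted).
EXAMPLE_CR = json.loads("""
{
  "apiVersion": "ibmcpcs.ibm.com/v1",
  "kind": "SecretShare",
  "metadata": {"name": "common-services", "namespace": "ibm-common-services"},
  "spec": {
    "secretshares": [
      {"secretname": "icp-management-ingress-tls-secret",
       "sharewith": [{"namespace": "kube-system"},
                     {"namespace": "kube-system", "name": "route-tls-secret"}]}
    ],
    "configmapshares": [
      {"configmapname": "ibmcloud-cluster-info",
       "sharewith": [{"namespace": "kube-system"}]}
    ]
  }
}
""")

# (resource kind, list key in spec, key that holds the source name)
FIELDS = (("Secret", "secretshares", "secretname"),
          ("ConfigMap", "configmapshares", "configmapname"))

def planned_copies(cr):
    """Return (kind, source, target) tuples, each side as 'namespace/name'."""
    src_ns = cr["metadata"]["namespace"]
    copies = []
    for kind, list_key, name_key in FIELDS:
        for share in cr.get("spec", {}).get(list_key) or []:
            src_name = share[name_key]
            for target in share.get("sharewith") or []:
                # A sharewith entry without "name" keeps the source name.
                dst_name = target.get("name") or src_name
                copies.append((kind, f"{src_ns}/{src_name}",
                               f"{target['namespace']}/{dst_name}"))
    return copies

def secrets_by_target_namespace(cr):
    """Map each target namespace to the names of the Secret copies it will hold."""
    exposure = {}
    for kind, _, dst in planned_copies(cr):
        if kind == "Secret":
            ns, name = dst.split("/", 1)
            exposure.setdefault(ns, []).append(name)
    return exposure

if __name__ == "__main__":
    for kind, src, dst in planned_copies(EXAMPLE_CR):
        print(f"{kind:9} {src} -> {dst}")
```

Run against the CR on a live cluster, the per-namespace result can be compared with the roles that grant `get` or `list` on secrets in each target namespace.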

Installing the SecretShare operator

By default, the ibm-common-service-operator installs the SecretShare operator and deploys the following default CR:

apiVersion: ibmcpcs.ibm.com/v1
kind: SecretShare
metadata:
  name: common-services
  namespace: ibm-common-services
spec:
  # Secrets to share for adopter compatibility to foundational services 3.2.4
  secretshares:
  - secretname: icp-metering-api-secret
    sharewith:
    - namespace: kube-system
  - secretname: oauth-client-secret
    sharewith:
    - namespace: services
  - secretname: ibmcloud-cluster-ca-cert
    sharewith:
    - namespace: kube-public
  # ConfigMaps to share for adopter compatibility to foundational services 3.2.4
  configmapshares:
  - configmapname: oauth-client-map
    sharewith:
    - namespace: services
  - configmapname: ibmcloud-cluster-info
    sharewith:
    - namespace: kube-public

You can update the CR as required. Run the following command to edit the CR:

oc edit SecretShare common-services