Generate shared secrets
This guide uses a model based on shared secrets to create and verify tokens. The goal is to store the shared secrets in a secure Kubernetes Secret object and then provide them to Portworx.

- Generate secure secrets and save the values in environment variables:

      PORTWORX_AUTH_SYSTEM_KEY=$(cat /dev/urandom | base64 | fold -w 64 | head -n 1) \
      PORTWORX_AUTH_SYSTEM_APPS_KEY=$(cat /dev/urandom | base64 | fold -w 64 | head -n 1) \
      PORTWORX_AUTH_SHARED_SECRET=$(cat /dev/urandom | base64 | fold -w 64 | head -n 1)

- Store these shared secrets securely in a Kubernetes secret called pxkeys in the kube-system namespace:

      kubectl -n kube-system create secret generic pxkeys \
        --from-literal=system-secret="$PORTWORX_AUTH_SYSTEM_KEY" \
        --from-literal=stork-secret="$PORTWORX_AUTH_SYSTEM_APPS_KEY" \
        --from-literal=shared-secret="$PORTWORX_AUTH_SHARED_SECRET"

- Verify that the secret stored is correct by comparing $PORTWORX_AUTH_SHARED_SECRET with the value returned below:

      kubectl -n kube-system get secret pxkeys -o json | jq -r '.data."shared-secret"' | base64 -d

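The verification step above prints the decoded secret to the terminal and covers only one of the three keys. As an added example (not part of the Portworx documentation), the POSIX shell functions below compare all three keys by SHA-256 digest without displaying them; the function names `secret_matches`, `report` and `check_pxkeys` are hypothetical, and `sha256sum` is assumed to be installed alongside the `kubectl` and `jq` the page already uses.

```sh
# Added example, not from the Portworx docs. Function names are hypothetical.

# secret_matches EXPECTED STORED_B64
# 0: STORED_B64 (a .data value, base64 as the API returns it) decodes to
#    exactly EXPECTED; 1: mismatch; 2: empty input or invalid base64.
# Digests are taken over the raw bytes, so a trailing newline in the stored
# value counts as a mismatch instead of being hidden by $(...).
secret_matches() {
  [ -n "$1" ] && [ -n "$2" ] || return 2
  printf '%s' "$2" | base64 -d >/dev/null 2>&1 || return 2
  want=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
  got=$(printf '%s' "$2" | base64 -d | sha256sum | cut -d' ' -f1)
  [ "$want" = "$got" ]
}

# report KEY EXPECTED STORED_B64: prints a status line, never the secret.
report() {
  rc=0
  secret_matches "$2" "$3" || rc=$?
  case $rc in
    0) echo "$1: match" ;;
    1) echo "$1: MISMATCH" ;;
    *) echo "$1: cannot compare (unset variable, missing key or bad base64)" ;;
  esac
  return "$rc"
}

# check_pxkeys: compare every key in pxkeys with the variables from step 1.
# Run it in the same shell session that generated the secrets.
check_pxkeys() {
  json=$(kubectl -n kube-system get secret pxkeys -o json) || return 2
  failed=0
  for pair in \
    "system-secret=$PORTWORX_AUTH_SYSTEM_KEY" \
    "stork-secret=$PORTWORX_AUTH_SYSTEM_APPS_KEY" \
    "shared-secret=$PORTWORX_AUTH_SHARED_SECRET"
  do
    key=${pair%%=*}
    stored=$(printf '%s' "$json" | jq -r --arg k "$key" '.data[$k] // empty')
    report "$key" "${pair#*=}" "$stored" || failed=1
  done
  return "$failed"
}
```

Call `check_pxkeys` after creating the secret; it returns non-zero if any key differs or cannot be compared.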
Once you've completed the steps in this section, continue to the Enable security in Portworx section.