@marcusschiesser
Created June 24, 2022 14:13
Injecting passwords from Kubernetes secrets into Splunk config files
splunk:
  conf:
    - key: authentication
      value:
        directory: /opt/splunk/etc/system/local
        content:
          AD:
            bindDNpassword : ${AD_PASSWORD}

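#!/usr/bin/env bash
if [ "$#" -ne 2 ]; then
  echo "Usage: create-config.sh <namespace> <config-tpl>"
  exit 1
fi
NAMESPACE=$1
TEMPLATE=$2
# -s keeps the password off the terminal, -r keeps backslashes literal
read -r -s -p "AD Password: " AD_PASSWORD
echo
# Escape |, & and \ so sed inserts the password literally ("|" is the delimiter below)
ESCAPED=$(printf '%s\n' "$AD_PASSWORD" | sed -e 's/[|&\]/\\&/g')
YML=$(sed -e "s|\${AD_PASSWORD}|${ESCAPED}|" "$TEMPLATE")
# Replace the secret; --ignore-not-found keeps the first run free of errors
kubectl delete secret -n "$NAMESPACE" splunk-config-secret --ignore-not-found
kubectl create secret -n "$NAMESPACE" generic splunk-config-secret --from-literal=default.yml="${YML}"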
@marcusschiesser
Author

Currently, the Splunk K8S operator doesn't support injecting passwords from Kubernetes secrets into the Splunk config. The workaround is to store a complete configuration file as a secret, see splunk/splunk-operator#657

As configuration files can be quite large, I created a small bash script that is using template files for the configuration and filling in the secrets based on user input. You can create the K8S secret containing the configuration by calling:

create-config.sh $NAMESPACE config.tpl

The example is just asking for the Active Directory password, but you can easily extend it with more variables.

The resulting secret is named splunk-config-secret and stored in the namespace $NAMESPACE.

You can then reference the secret in your splunk-operator resource, e.g.:

apiVersion: enterprise.splunk.com/v2
kind: Standalone
metadata:
  name: s1
  finalizers:
  - enterprise.splunk.com/delete-pvc
spec:
  volumes:
    - name: default
      secret:
        secretName: splunk-config-secret
  defaultsUrl: /mnt/default/default.yml
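
The comment above says the script can be extended with more variables. The following is an added example, not part of the gist: it generalizes the substitution step to any number of ${NAME} placeholders and inserts each value literally in a single pass, so a password containing /, &, \ or | survives unchanged and a forgotten variable aborts the run. It uses awk instead of sed; render_template, demo, AD_USER and the sample values are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist.

# render_template: read a template on stdin and write it to stdout with every
# ${NAME} replaced by the value of the exported environment variable NAME.
# Returns non-zero if a placeholder names an unset or empty variable.
render_template() {
  awk '
    {
      out = ""
      # [$][{] ... [}] matches one ${NAME} placeholder
      while (match($0, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
        name = substr($0, RSTART + 2, RLENGTH - 3)
        if (!(name in ENVIRON) || ENVIRON[name] == "") {
          printf "render_template: line %d: %s is unset or empty\n", NR, name > "/dev/stderr"
          exit 1
        }
        # Plain concatenation: the value is never parsed as a regex or as a
        # sed replacement, and text already emitted is not scanned again.
        out = out substr($0, 1, RSTART - 1) ENVIRON[name]
        $0 = substr($0, RSTART + RLENGTH)
      }
      print out $0
    }
  '
}

# Constructed sample: a two-placeholder template and a password made of the
# characters that break a naive sed replacement, plus text that looks like
# another placeholder.
demo() (
  export AD_USER='CN=svc,DC=example,DC=com'
  export AD_PASSWORD='p/a&s\s|w${AD_USER}'
  printf '%s\n' 'AD:' '  bindDN: ${AD_USER}' '  bindDNpassword: ${AD_PASSWORD}' |
    render_template
)

demo
```

In create-config.sh this would replace the sed line with YML=$(render_template < "$TEMPLATE") || exit 1, after exporting each variable read from the user.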
