Setting a "static" secret token

This might be a really stupid question, but I've wasted a lot of time trying to figure this out on my own. I struggle to translate the documentation. I don't speak elastic. I barely speak kubernetes. So I'll apologize in advance if I'm asking a dumb question.

Long story short: I need a way to set a static secret token created by the elastic operator when deploying APM. Every time APM is redeployed, the token changes. Because the token is hard coded in our node projects, we obviously can't change this every time.

Is there a way to set a static token in the kubernetes deployment so it's always the same or is there some other method I can use to make sure projects always use the right token?

Kibana version: 7.6.2
Elasticsearch version: 7.6.2
APM Server version: 7.6.2

Original install method (e.g. download page, yum, deb, from source, etc.) and version:
Elastic Cloud on Kubernetes (ECK)

Fresh install or upgraded from other version?
Fresh

Is there anything special in your setup? For example, are you using the Logstash or Kafka outputs? Are you using a load balancer in front of the APM Servers? Have you changed index pattern, generated custom templates, changed agent configuration etc.
no


@tsbayne welcome to the forum!

> Every time APM is redeployed, the token changes. Because the token is hard coded in our node projects, we obviously can't change this every time.

Out of curiosity, is this something that can be changed? Are your Node.js services running in Kubernetes? If so, you might be able to inject the secret token via the ELASTIC_APM_SECRET_TOKEN environment variable: Secrets | Kubernetes

> Is there a way to set a static token in the kubernetes deployment so it's always the same or is there some other method I can use to make sure projects always use the right token?

The secret token is stored in a Kubernetes Secret: Run APM Server on ECK | Elastic Cloud on Kubernetes [2.10] | Elastic. If the secret already exists, and has the right labels, the ECK operator will use it instead of creating a new one. So what you could do is create the token before creating the ApmServer via ECK.

Here's what I just tested out:

cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.6.2
  nodeSets:
  - name: default
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false
---
apiVersion: v1
kind: Secret
metadata:
  name: apm-server-quickstart-apm-token
  labels:
    apm.k8s.elastic.co/name: apm-server-quickstart
    common.k8s.elastic.co/type: apm-server
type: Opaque
data:
  secret-token: aHVudGVyMg== # base64(hunter2)
---
apiVersion: apm.k8s.elastic.co/v1
kind: ApmServer
metadata:
  name: apm-server-quickstart
spec:
  version: 7.6.2
  count: 1
  elasticsearchRef:
    name: quickstart
EOF

Note that the labels on the secret are necessary in the current ECK version. In the next minor release (1.1.0) the labels will not be necessary.

Hope this helps.

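Both suggestions from the answer above, scripted as an added example that is not part of the original thread: it renders the pre-created token Secret with a random value instead of a fixed string such as `hunter2`, and the env entry that lets a Node.js service read the token from that Secret instead of its Dockerfile. The function names (`gen_token`, `render_token_secret`, `render_agent_env`) and the script name are assumptions; the labels and Secret name are the ones used in the answer.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: gen_token,
# render_token_secret, render_agent_env. Needs od, tr, base64, /dev/urandom.

# 32 random bytes as 64 hex characters, instead of a guessable fixed string.
gen_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \t\n'
}

# render_token_secret APM_NAME TOKEN
# Prints the Secret that ECK adopts when it exists before the ApmServer.
render_token_secret() {
  # printf, not echo: a trailing newline would become part of the token.
  encoded=$(printf '%s' "$2" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${1}-apm-token
  labels:
    apm.k8s.elastic.co/name: ${1}
    common.k8s.elastic.co/type: apm-server
type: Opaque
data:
  secret-token: ${encoded}
EOF
}

# render_agent_env APM_NAME
# Prints the container env entry for a Node.js service in the same namespace,
# so the token is read from the Secret at pod start, not baked into the image.
render_agent_env() {
  cat <<EOF
env:
- name: ELASTIC_APM_SECRET_TOKEN
  valueFrom:
    secretKeyRef:
      name: ${1}-apm-token
      key: secret-token
EOF
}

# Usage: sh apm-token.sh apm-server-quickstart | kubectl apply -f -
if [ -n "${1:-}" ]; then
  render_token_secret "$1" "$(gen_token)"
fi
```

Apply the rendered Secret before creating the ApmServer, and generate the token once and keep it: running the script again produces a new token.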

Great! Thanks Andrew, I'll give it a try. I didn't realize/never thought about creating the secret manually first. I'm pretty sure that will resolve my issue if it works.

We are using the 'ELASTIC_APM_SECRET_TOKEN' environment variable, but its value is still hardcoded in the Dockerfile. It was just easier that way with Jenkins and all the automation we're implementing. But now that you've given me the idea, I suppose I could utilize Jenkins or a bash script to grab the right value each time it builds.

See, I just needed a better mind to get me thinking of a different route. I'll give these ideas a try. Thank you for your help. For the sake of anyone else this might help, I'll report back how these worked out for me.


FWIW, both suggestions worked and helped me resolve my issue.
