Openshift Origin — secrets and namespaces

OK, I’ve figured out how the secrets and namespaces thing works in Openshift Origin.

Secrets are generated through the CLI client ‘oc’. In order to generate a secret, you must login on the client (oc login), then select the project you want to generate the secret for (oc projects ).

By selecting the project, you switch to the project’s namespace. You see, when you create a project, it is assigned to a namespace which just happens to be the name of the project.

Now, when you generate the secret, all three service accounts automatically generated for each project (default, builder and deployer) will have access to the secret for the given project in that namespace, but only you’ve added the secret to one of the service accounts (oc secrets add serviceAccount/accountName secret/secretName).

This makes total sense. Once you know how it works, it seems easy.