Get a secret with k8s.io library

Question


I am totally new to Go and the Kubernetes library k8s.io (https://github.com/kubernetes/client-go) and am trying to figure out how to get a specific secret.

I have a kind of observer which watches changes to Secrets.
I am iterating through a Secret list within a specific namespace. That works; I can also filter them in a while loop. But I do not know how to get and search for a Secret in a different namespace, which should be available in this loop.

I need a secret named XXX in namespace "my-namespace".
(I know that the following line does not exist; it should only outline the idea of what I am looking for.) I come from Ruby, so I searched for something like this:

var myKubeSecret = kubernetes.V1().Secrets("my-namespace").Find("XXX")

Does a function like the one above exist?

This is what I have: it observes all my secrets in namespace "default", which works. That example was taken from code that does something similar to what I was searching for, and I am trying to modify it now:

import (
	"fmt"
	"io/ioutil"

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	kubeinformers "k8s.io/client-go/informers"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/cache"
	"k8s.io/client-go/tools/clientcmd"
	"sigs.k8s.io/yaml"
)
// a lot of code
// ....
// ...
// ..
// .

// namespace of the pod this runs in, mounted from its service account
if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
	fmt.Println("data", string(data))
}
// listen for new secrets
factory := kubeinformers.NewSharedInformerFactoryWithOptions(clientsetCore, 0, kubeinformers.WithNamespace(namespace()))
informer := factory.Core().V1().Secrets().Informer()
secrets := factory.Core().V1().Secrets().Lister()

var myKubeSecret string // will hold my secret

informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
	AddFunc: func(obj interface{}) {
		// get the secret; DeepCopy so the informer's cached object is never modified
		cpSecret := obj.(*v1.Secret).DeepCopy()
		if cpSecret.GetName() == "argocd-credentials" {
			cpData := cpSecret.Data
			for k, v := range cpData {
				clusterIP = kubeConfig.Clusters[0].Cluster.Server // both defined in the omitted code

				fmt.Println("cpData k:", k, "v:", v) // prints secret values in clear; debugging only
				switch k {
				case "authToken":
					fmt.Println("authToken:", v)

					// ### HERE SHOULD BE THE VALUE OF A
					// ### SECRET NAMED XXX in ns my-namespace
					myKubeSecret = // ### should be a bearerToken string
				}
			}
		}
	},
})

I hope you get the idea.

Please also tell me which import library is needed, if any.

Answer 1

Score: 2


As mentioned above, a secret object resides in a namespace. They can only be referenced by pods in that same namespace.

https://stackoverflow.com/questions/46297949/sharing-secret-across-namespaces

If you want to use the secret in multiple namespaces, copy the same secret into the desired namespaces.

Example case:

  • kubernetes secret: test-secret-1
  • namespace from: testns1
  • namespace to: testns2

  1. Using pipe "|" operator
kubectl get secret test-secret-1 --namespace=testns1 -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=testns2 -f -
  2. Using sed command
kubectl get secret test-secret-1 -n testns1 -o yaml | sed s/"namespace: testns1"/"namespace: testns2"/ | kubectl apply -n testns2 -f -
  3. Export kubernetes secret to yaml and apply secret
kubectl get secret test-secret-1 -n testns1 -o yaml
apiVersion: v1
data:
  password: dGVzdFBAc3N3b3Jk
  username: dGVzdC11c2Vy
kind: Secret
metadata:
  creationTimestamp: "2021-11-11T21:21:02Z"
  name: test-secret-1
  namespace: testns1 # change namespace to testns2
  resourceVersion: "307939"
  uid: 6a8d9a6d-9648-4a39-a362-150e682c9a42
type: Opaque

https://jhooq.com/kubernetes-share-secrets-namespaces/
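The three kubectl variants above only drop or rewrite the namespace line, so the uid, resourceVersion and creationTimestamp of the source object travel along in the piped YAML. As an added example that is not part of this answer, here is the same copy done as a stdlib-only Go filter over the JSON form of the Secret (kubectl get ... -o json): it strips those server-set fields, refuses non-Secret input and never decodes or prints the data values. The function name, the file name copysecret.go and the sample Secret are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// RewriteSecretForNamespace takes a Secret as printed by `kubectl get secret NAME -o json`, strips
// the metadata the API server set on the source object and sets metadata.namespace to targetNS.
// Values under .data are passed through untouched: they are never decoded or logged.
func RewriteSecretForNamespace(in []byte, targetNS string) ([]byte, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal(in, &obj); err != nil {
		return nil, fmt.Errorf("parse secret: %w", err)
	}
	if obj["kind"] != "Secret" { // refuse to rewrite anything that is not a Secret
		return nil, fmt.Errorf("expected kind Secret, got %v", obj["kind"])
	}
	meta, ok := obj["metadata"].(map[string]interface{})
	if !ok || meta["name"] == nil {
		return nil, fmt.Errorf("secret has no metadata.name")
	}
	for _, f := range []string{"resourceVersion", "uid", "creationTimestamp", "managedFields", "selfLink"} {
		delete(meta, f) // these identify the original object, not the copy
	}
	meta["namespace"] = targetNS
	return json.MarshalIndent(obj, "", "  ")
}

// Constructed sample in the shape of test-secret-1 from the answer above.
const sampleSecret = `{"apiVersion":"v1","kind":"Secret","type":"Opaque",
 "metadata":{"name":"test-secret-1","namespace":"testns1","resourceVersion":"307939",
  "uid":"6a8d9a6d-9648-4a39-a362-150e682c9a42","creationTimestamp":"2021-11-11T21:21:02Z"},
 "data":{"password":"dGVzdFBAc3N3b3Jk","username":"dGVzdC11c2Vy"}}`

// Filter mode: source Secret JSON on stdin, rewritten Secret JSON on stdout.
func main() {
	in, err := io.ReadAll(os.Stdin)
	if err == nil && len(os.Args) == 2 {
		in, err = RewriteSecretForNamespace(in, os.Args[1])
	} else if err == nil {
		err = fmt.Errorf("usage: copysecret TARGET_NAMESPACE < secret.json")
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(in))
}
```

Run it as `kubectl get secret test-secret-1 -n testns1 -o json | go run copysecret.go testns2 | kubectl apply -f -`; the caller still needs RBAC rights to get secrets in testns1 and to create them in testns2.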

Answer 2

Score: 1


You can't read a secret from a different namespace from where you are making the request.

Answer 3

Score: 0


Via "k8s.io/client-go/kubernetes" you can get the secret; a full example is in https://github.com/minio/operator/blob/master/pkg/controller/cluster/main-controller.go, something similar to:

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
)

...

type Controller struct {
	// kubeClientSet is a standard kubernetes clientset
	kubeClientSet kubernetes.Interface
}

...

// Trying to get just the csr-signer secret, not the entire list, from the openshift-kube-controller-manager-operator namespace
secret, err := c.kubeClientSet.CoreV1().Secrets("openshift-kube-controller-manager-operator").Get(
	ctx, "csr-signer", metav1.GetOptions{})
if err != nil {
	// NotFound, or Forbidden when the client's service account lacks "get" on secrets in that namespace
	return err
}

huangapple
  • Posted on 2022-01-29 18:14:45
  • When reposting, please keep the link to this article: https://go.coder-hub.com/70904289.html