英文:
Get a secret with k8s.io library
问题
我完全不了解Go语言和Kubernetes库k8s.io(https://github.com/kubernetes/client-go),并且试图弄清楚如何获取特定的密钥。
我有一个观察者,用于监视Secrets的变化。
我正在特定命名空间内迭代一个Secret列表。这部分是可以工作的,我也可以通过while循环对它们进行过滤。但是我不知道如何在循环中获取和搜索不同命名空间中的Secret。
我需要在命名空间"my-namespace"中获取名为XXX的密钥。
(我知道下面这行代码不存在,它只是概述我正在寻找的想法)我来自Ruby,所以我搜索了类似于这样的东西:
var myKubeSecret = kubernetes.V1().Secrets("my-namespace").Find("XXX")
是否存在类似上面那个函数的函数?
这是我目前的代码:它可以观察到命名空间"default"中的所有密钥。这部分是可以工作的。这个示例是从我搜索到的一个类似的代码中获取的,现在我正在尝试进行修改。
import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubeinformers "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/clientcmd"
"sigs.k8s.io/yaml"
)
// 很多代码
// ....
// ...
// ..
// .
if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
fmt.Println("data",data)
}
// 监听新的密钥
factory := kubeinformers.NewSharedInformerFactoryWithOptions(clientsetCore, 0, kubeinformers.WithNamespace(namespace()))
informer := factory.Core().V1().Secrets().Informer()
secrets := factory.Core().V1().Secrets().Lister()
var myKubeSecret string // 将保存我的密钥
informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(new interface{}) {
// 获取密钥
var cpSecret = new.(*v1.Secret).DeepCopy()
if mySecret.GetName() == "argocd-credentials" {
var cpData = *&cpSecret.Data
for k, v := range cpData {
clusterIP = kubeConfig.Clusters[0].Cluster.Server
fmt.Println("cpData k:", k, "v:", v)
switch k {
case "authToken":
fmt.Println("authToken:", v)
// ### 这里应该是名为XXX的密钥在my-namespace命名空间中的值
myKubeSecret = // ### 应该是一个bearerToken字符串
}
}
}
}
}
希望你明白我的意思。
请告诉我还需要哪些import库,如果有的话。
英文:
I am totally new to Go and the Kubernetes library k8s.io (https://github.com/kubernetes/client-go) and try to figure out how to get a specific secret.
I have a kind of observer which watches changes of Secrets.
I am iterating through a Secretlist within a specific namespace. That works, I also can filter them by a while loop. But I do not know how to get and search a Secret in a different namespace which should be available in this loop.
I need a secret named XXX in namespace "my-namespace"
(I know that the following line does not exist, it should only outline the idea what I am looking for) I come from Ruby, so I searched for something like this :
var myKubeSecret = kubernetes.V1().Secrets("my-namespace").Find("XXX")
Exists like the function like that one above?
This is what I have: this observes all my secrets in namespace "default". Which works. That example was taken from a Code that does something similar I was searching for, and I try to modify now.:
import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubeinformers "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/clientcmd"
"sigs.k8s.io/yaml"
)
// a lot of code
// ....
// ...
// ..
// .
if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
fmt.Println("data",data)
}
// listen for new secrets
factory := kubeinformers.NewSharedInformerFactoryWithOptions(clientsetCore, 0, kubeinformers.WithNamespace(namespace()))
informer := factory.Core().V1().Secrets().Informer()
secrets := factory.Core().V1().Secrets().Lister()
var myKubeSecret string // will hold my secret
informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(new interface{}) {
// get the secret
var cpSecret = new.(*v1.Secret).DeepCopy()
if mySecret.GetName() == "argocd-credentials" {
var cpData = *&cpSecret.Data
for k, v := range cpData {
clusterIP = kubeConfig.Clusters[0].Cluster.Server
fmt.Println("cpData k:", k, "v:", v)
switch k {
case "authToken":
fmt.Println("authToken:", v)
// ### HERE SHOULD BE THE VALUE OF A
// ### SECRET NAMED XXX in ns my-namespace
myKubeSecret = // ### should a bearerToken string
}
}
}
}
}
I hope you get the idea..
Please also tell me which import libray is needed, if any.
答案1
得分: 2
如上所述,secret 对象位于一个命名空间中。它们只能被同一命名空间中的 Pod 引用。
如果您想在多个命名空间中使用该 secret,请将相同的 secret 复制到所需的命名空间中。
示例案例:
- Kubernetes Secret: test-secret-1
- 来源命名空间:testns1
- 目标命名空间:testns2
- 使用管道符号
|运算符
kubectl get secret test-secret-1 --namespace=testns1 -oyaml | grep -v ^\s*namespace:\s' |kubectl apply --namespace=testns2 -f -
- 使用 sed 命令
kubectl get secret test-secret-1 -n testns1 -o yaml | sed s/"namespace: testns1"/"namespace: testns2"/| kubectl
apply -n testns2 -f -
- 导出 Kubernetes Secret 到 YAML 并应用 Secret
kubectl get secret test-secret-1 -n testns1 -o yaml
apiVersion: v1
data:
password: dGVzdFBAc3N3b3Jk
username: dGVzdC11c2Vy
kind: Secret
metadata:
creationTimestamp: "2021-11-11T21:21:02Z"
name: test-secret-1
namespace: testns1 # 将命名空间更改为 testns2
resourceVersion: "307939"
uid: 6a8d9a6d-9648-4a39-a362-150e682c9a42
type: Opaque
https://jhooq.com/kubernetes-share-secrets-namespaces/
英文:
as mentioned above, secret object resides in a namespace. They can only be referenced by pods in that same namespace.
https://stackoverflow.com/questions/46297949/sharing-secret-across-namespaces
if you want to use the secret in multiple namespaces, copy the same secret into the desired namespaces.
example case
- kubernetes secret: test-secret-1
- namespace from: testns1
- namespace to: testns2
- Using pipe "|" operator
kubectl get secret test-secret-1 --namespace=testns1 -oyaml | grep -v ^\s*namespace:\s' |kubectl apply --namespace=testns2 -f -
- Using sed command
kubectl get secret test-secret-1 -n testns1 -o yaml | sed s/"namespace: testns1"/"namespace: testns2"/| kubectl
apply -n testns2 -f -
- Export kubernetes secret to yaml and apply secret
kubectl get secret test-secret-1 -n testns1 -o yaml
apiVersion: v1
data:
password: dGVzdFBAc3N3b3Jk
username: dGVzdC11c2Vy
kind: Secret
metadata:
creationTimestamp: "2021-11-11T21:21:02Z"
name: test-secret-1
namespace: testns1 # change namespace to testns2
resourceVersion: "307939"
uid: 6a8d9a6d-9648-4a39-a362-150e682c9a42
type: Opaque
答案2
得分: 1
你无法从与你发出请求的命名空间不同的命名空间中读取秘密。
英文:
You can't read a secret from a different namespace from where you are making the request.
答案3
得分: 0
通过"k8s.io/client-go/kubernetes",您可以获取密钥。完整示例请参见https://github.com/minio/operator/blob/master/pkg/controller/cluster/main-controller.go,类似于以下内容:
import (
"k8s.io/client-go/kubernetes"
)
...
type Controller struct {
// kubeClientSet是标准的Kubernetes客户端集
kubeClientSet kubernetes.Interface
}
...
// 尝试仅获取csr-signer密钥,而不是来自openshift-kube-controller-manager-operator命名空间的整个列表
secret, _ := c.kubeClientSet.CoreV1().Secrets("openshift-kube-controller-manager-operator").Get(
ctx, "csr-signer", metav1.GetOptions{})
英文:
Via "k8s.io/client-go/kubernetes" you can get the secret, full example in https://github.com/minio/operator/blob/master/pkg/controller/cluster/main-controller.go something similar to:
import (
"k8s.io/client-go/kubernetes"
)
...
type Controller struct {
// kubeClientSet is a standard kubernetes clientset
kubeClientSet kubernetes.Interface
}
...
// Trying to get just the csr-signer secret not the entire list from openshift-kube-controller-manager-operator namespace
secret, _ := c.kubeClientSet.CoreV1().Secrets("openshift-kube-controller-manager-operator").Get(
ctx, "csr-signer", metav1.GetOptions{})
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论