/
shell-pod-secret.yaml
93 lines (93 loc) · 3.26 KB
/
shell-pod-secret.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
apiVersion: v1
kind: ServiceAccount
metadata:
name: mongodb-secret-access-sa
namespace: mongo-testing
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: mongodb-secret-access-cr
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: mongodb-secret-access-rb
subjects:
- kind: ServiceAccount
name: mongodb-secret-access-sa
namespace: mongo-testing
roleRef:
kind: ClusterRole
name: mongodb-secret-access-cr
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
name: stuff
stringData:
foo: "this is the stuff secret foo"
type: Opaque
---
apiVersion: v1
kind: Pod
metadata:
name: shell-demo-secret
spec:
serviceAccountName: mongodb-secret-access-sa
volumes:
- name: shared-data
emptyDir: {}
initContainers:
- name: centos-debug
image: centos
command:
- /bin/sh
- -c
- |
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
K8S="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
export SECRET_NAME="${MMS_OPENSHIFT_SECRET_NAME}"
export SECRET_KEY="${MMS_OPENSHIFT_SECRET_KEY_NAME}"
echo "Contacting ${K8S} in namespace '${NAMESPACE}' for secret '${SECRET_NAME}.${SECRET_KEY}'"
SECRET_STUFF=$(curl -vvvsSk --cacert $CACERT -H "Authorization: Bearer ${TOKEN}" ${K8S}/api/v1/namespaces/${NAMESPACE}/secrets/${SECRET_NAME})
echo "SECRET_STUFF=${SECRET_STUFF}"
# Check that we got a secret, if not we'll get a 'kind: Status'
KIND=$(echo ${SECRET_STUFF} | python -c 'import sys,json,base64,os;r=json.load(sys.stdin); print r["kind"]')
if [ "${KIND}" == "Secret" ]; then SECRET_VALUE=$(echo ${SECRET_STUFF} | python -c 'import sys,json,base64,os;r=json.load(sys.stdin);print base64.b64decode(r["data"][os.environ["SECRET_KEY"]])'); echo "The value for '${SECRET_KEY}' in the '${SECRET_NAME}' secret is '${SECRET_VALUE}'"; fi
if [ "${KIND}" == "Status" ]; then echo "${SECRET_STUFF}"; fi
echo "Now let's try to create a secret, 'jimmy'='eats up the world!'"
temp=$(mktemp)
echo '{ "kind": "Secret", "apiVersion": "v1", "metadata": { "name": "dynostuff" }, "stringData": { "jimmy": "eats up the world!" } }' > ${temp}
curl -k -X POST -H "Authorization: Bearer $TOKEN" -H 'Accept: application/json' -H 'Content-Type: application/json' ${K8S}/api/v1/namespaces/$NAMESPACE/secrets --data "@${temp}"
if [ "1" == "1" ];
then
echo "OK --- sweet, we can to multiline if statements!"
fi
env:
- name: MMS_OPENSHIFT_SECRET_NAME
value: "stuff"
- name: MMS_OPENSHIFT_SECRET_KEY_NAME
value: "foo"
containers:
- name: centos-secret-user
image: centos
command:
- /bin/sh
- -c
- |
echo "Hello, we found that 'secret_dynostuff_jimmy' is '${secret_dynostuff_jimmy}'"
sleep 1000
env:
- name: secret_dynostuff_jimmy
valueFrom:
secretKeyRef:
key: jimmy
name: dynostuff