Pulumi: retrieve kubernetes secret value
I have a service with an inline plaintext config that requires certain information that is stored in Kubernetes secrets. What @pulumi/kubernetes API method can be used to access raw kubernetes secret values?
The short answer is that I think it doesn't let you see a secret but use a reference where you want to use it: Deployments, StatefulSets, DaemonSets, Pods, etc. It would make sense from the security point of view.
You can see an example of creating a secret here.
That API looks like it mirrors the Kubernetes API, and in particular there is a core/v1.Secret object that includes the secret data. The values are base64-encoded.
(Unless RBAC forbids it, you can generally kubectl get secret -o yaml secretname to see the same thing... Kubernetes secrets are only so secret.)
If you're running this in the context of a service it's probably easier to launch the service with environment variables set from the relevant secret values, using a YAML fragment like

    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: test-secret
            key: username
Use k8s.core.v1.Secret.get(pulumiName, secretName) (secretName can contain the namespace/ as prefix).
Every Pulumi resource has a get() method.
For example: Get the token from a kubernetes.io/service-account-token:
    import * as k8s from "@pulumi/kubernetes";

    type KubernetesSecretData = { [key: string]: string }

    const namespace = 'kube-public'
    const secretName = 'default-token-tdcdz'

    // Look up the existing Secret by "<namespace>/<name>" and export its
    // "token" entry; the values in `data` are base64-encoded.
    export const token =
        k8s.core.v1.Secret.get('testSecret', `${namespace}/${secretName}`)
            .data.apply(v => {
                return (<KubernetesSecretData> v)["token"]
            })
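
The answers above say the values in a Secret's data map are base64-encoded, and the question wants them inside an inline plaintext config. The following is an added example, not code from the original answers or from Pulumi: the helper names decodeSecretKey and renderInlineConfig, the {{key}} placeholder syntax and the sample values are assumptions made for illustration.

```typescript
type KubernetesSecretData = { [key: string]: string };

// Decode one entry of a Secret's `data` map (hypothetical helper).
// Buffer.from() silently skips invalid characters instead of throwing,
// so re-encode and compare to reject anything that is not canonical base64.
function decodeSecretKey(data: KubernetesSecretData, key: string): string {
  const raw = data[key];
  if (raw === undefined) {
    throw new Error(`secret has no key "${key}"`);
  }
  const bytes = Buffer.from(raw, "base64");
  if (bytes.toString("base64") !== raw) {
    throw new Error(`value of "${key}" is not canonical base64`);
  }
  return bytes.toString("utf8");
}

// Fill {{key}} placeholders in an inline config with decoded secret values
// (hypothetical helper and placeholder syntax). A missing key throws, so a
// typo never ships a config with an empty credential.
function renderInlineConfig(template: string, data: KubernetesSecretData): string {
  return template.replace(/\{\{\s*([\w.-]+)\s*\}\}/g, (_m, key: string) =>
    decodeSecretKey(data, key));
}

// Constructed sample shaped like the value passed to `.data.apply(...)`.
const sampleData: KubernetesSecretData = {
  username: "YWRtaW4=",      // "admin"
  password: "czNjcjN0IQ==",  // "s3cr3t!"
};

const rendered = renderInlineConfig(
  "user={{username}}\npass={{ password }}\n", sampleData);

// In a Pulumi program the helper would run inside apply(); wrapping the
// result in pulumi.secret() keeps the decoded text encrypted in the state
// file and masked in CLI output:
//   const cfg = pulumi.secret(
//     k8s.core.v1.Secret.get("testSecret", `${namespace}/${secretName}`)
//       .data.apply(d => renderInlineConfig(template, d)));
```
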