Sealed Secrets: Create, Rename, Update and Delete

Bitnami Sealed Secrets has a lifecycle that is simple in itself, but the several moving parts involved (the SealedSecret resource, the controller, and the Kubernetes Secret it unseals into) make it less than straightforward.

Create

# Assuming sealed-secrets was created with the helm chart way described in the previous post
❯ kubectl create secret generic db-creds --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/db-creds created

❯ kubectl get sealedsecrets.bitnami.com
NAME       AGE
db-creds   10s

# also created is a kubernetes secret named "db-creds"
❯ kubectl get secrets
NAME                  TYPE                                  DATA   AGE
db-creds              Opaque                                2      17s
default-token-j8wnt   kubernetes.io/service-account-token   3      6h11m


Rename

Under normal circumstances, renaming a sealed secret causes decryption to fail, because in the default strict scope the secret's name (together with its namespace) is part of the encryption and decryption.

❯ kubectl create secret generic db-creds-alpha --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/db-creds-alpha created

❯ kubectl get sealedsecrets.bitnami.com
NAME             AGE
db-creds-alpha   84s

# try editing the name from "db-creds-alpha" to "db-creds-beta"
❯ kubectl edit sealedsecrets.bitnami.com/db-creds-alpha
A copy of your changes has been stored to "/var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/kubectl-edit-1525276124.yaml"
error: At least one of apiVersion, kind and name was changed

To be able to rename a sealed secret, it has to be sealed with the scope set to namespace-wide or cluster-wide.

❯ kubectl create secret generic db-creds-alpha --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets --scope=namespace-wide -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/db-creds-alpha created

# edit name from "db-creds-alpha" to "db-creds-beta"
❯ vi /tmp/ss.yaml

# apply and verify
❯ k apply -f /tmp/ss.yaml
sealedsecret.bitnami.com/db-creds-beta created

# a new secret with the new name is created
❯ k get sealedsecrets.bitnami.com
NAME             AGE
db-creds-alpha   3m4s
db-creds-beta    7s
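To make the scope rule above concrete, here is an added Python model of why a strict-scope sealed secret stops decrypting when it is renamed, while namespace-wide and cluster-wide ones survive a rename but differ on moving between namespaces. This is example code, not the Sealed Secrets controller's implementation: the real controller uses hybrid RSA-OAEP/AES-GCM encryption with the label as the OAEP label; the toy cipher below derives an HMAC key from the label instead, which is enough to show the binding. The label format (`namespace/name`, `namespace`, or empty) and the two scope annotation keys are taken from the Sealed Secrets project; the master key and secret values are constructed for the demo.

```python
import hashlib
import hmac

# Scope names as kubeseal's --scope flag spells them.
STRICT, NAMESPACE_WIDE, CLUSTER_WIDE = "strict", "namespace-wide", "cluster-wide"

# Annotations kubeseal writes on a SealedSecret sealed with one of the wider scopes.
ANNOTATION_NAMESPACE_WIDE = "sealedsecrets.bitnami.com/namespace-wide"
ANNOTATION_CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"


def encryption_label(namespace, name, scope):
    """Identity that is bound into the ciphertext for a given scope."""
    if scope == STRICT:
        return f"{namespace}/{name}".encode()
    if scope == NAMESPACE_WIDE:
        return namespace.encode()
    if scope == CLUSTER_WIDE:
        return b""
    raise ValueError(f"unknown scope {scope!r}")


def scope_of(sealed_secret):
    """Read the sealing scope of a SealedSecret manifest (as a dict) from its annotations.

    Useful as a check before attempting a rename: only namespace-wide and
    cluster-wide sealed secrets can be renamed without re-sealing.
    """
    annotations = sealed_secret.get("metadata", {}).get("annotations") or {}
    if annotations.get(ANNOTATION_CLUSTER_WIDE) == "true":
        return CLUSTER_WIDE
    if annotations.get(ANNOTATION_NAMESPACE_WIDE) == "true":
        return NAMESPACE_WIDE
    return STRICT


def _keystream(key, length):
    # Counter-mode keystream from SHA-256; toy construction, demo only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_seal(master_key, plaintext, label):
    """Toy label-bound encryption: the key depends on the label, then encrypt-then-MAC."""
    k = hmac.new(master_key, b"seal:" + label, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k, len(plaintext))))
    tag = hmac.new(k, ct, hashlib.sha256).digest()
    return ct + tag


def toy_unseal(master_key, sealed, label):
    """Return the plaintext, or None when the label (and therefore the key) does not match."""
    k = hmac.new(master_key, b"seal:" + label, hashlib.sha256).digest()
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))


def rename_survives(scope, old_ns, old_name, new_ns, new_name,
                    master_key=b"constructed-demo-master-key"):
    """True when a value sealed as old_ns/old_name still unseals as new_ns/new_name."""
    secret_value = b"paSSwoRD"  # constructed sample value, as in the post
    sealed = toy_seal(master_key, secret_value, encryption_label(old_ns, old_name, scope))
    recovered = toy_unseal(master_key, sealed, encryption_label(new_ns, new_name, scope))
    return recovered == secret_value


if __name__ == "__main__":
    for scope in (STRICT, NAMESPACE_WIDE, CLUSTER_WIDE):
        print(f"{scope:15} rename within namespace: "
              f"{rename_survives(scope, 'default', 'db-creds-alpha', 'default', 'db-creds-beta')}, "
              f"move to another namespace: "
              f"{rename_survives(scope, 'default', 'db-creds', 'prod', 'db-creds')}")
```

Running it prints that strict survives neither change, namespace-wide survives the rename but not the move, and cluster-wide survives both. That is also the trade-off to weigh when choosing a scope: the wider the scope, the fewer properties of the destination the ciphertext is tied to, so a cluster-wide sealed secret can be unsealed under any name in any namespace the controller serves.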

Update

# assume the sealed secret is in sealed-secret.yaml
❯ echo -n adminDatabase | kubectl create secret generic mysecret --dry-run=client --from-file=db_name=/dev/stdin -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets --merge-into sealed-secret.yaml

❯ kubectl apply -f sealed-secret.yaml
sealedsecret.bitnami.com/db-creds configured

❯ k get secret db-creds -o json | jq ".data | map_values(@base64d)"
{
  "db_name": "adminDatabase",
  "password": "paSSwoRD",
  "user": "adam"
}

Delete

❯ kubectl delete sealedsecrets.bitnami.com db-creds
sealedsecret.bitnami.com "db-creds" deleted

# Note: this also deletes the kubernetes secret named "db-creds"