在建立新集群时,我不小心删除了分段集群/项目中cloudsql-oauth-credentials的秘密。有没有办法从“ gcloud”或cloudSQL控制台重新获取并安装这些文件?我可能有一个看起来像这样的原始副本(已删除了私人内容):
{
"type": "service_account",
"project_id": "able-XXXXX-XXXXX",
"private_key_id": "8adcffXXXX",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIXXXXXXXXXX==\n-----END PRIVATE KEY-----\n",
"client_email": "xxxx-service-account-sql-cli@able-xxxx.iam.gserviceaccount.com",
"client_id": "10905637232xxxxx",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/notify-service-account-sql-cli%40ablexxxxx.iam.gserviceaccount.com"
}
我希望可以将其用于:
kubectl create secret generic cloudsql-oauth-credentials --from-literal="credentials.json=`cat build/cloudsql-oauth-credentials.json`"
注意:这是在GCP部署中使用GCP上的标准sidecar代理配置。
答案 0 :(得分:0)
跟进, 经过一番困惑之后,我发现我连接到Pod中的错误容器,这就是为什么我找不到cloudsql凭据的秘密的原因。我可以通过这样的卷挂载在我的pod中找到凭据:
kubectl exec engine-cron-prod-deployment-788ddb4b8-bxmz9 -c postgres-proxy -it -- /bin/sh
/ # ls /secrets/cloudsql/
credentials.json
/ # cat /secrets/cloudsql/credentials.json
{
"type": "service_account",
[..stuff deleted..]
此结果与我保存的文件匹配,因此我的keyfile.json(又名cloudsql-oauth-credentials.json)是正确的文件。
请清楚一点,我的部署yaml中的sidecar模式如下所示:
spec:
volumes:
- name: ssl-certs
hostPath:
path: /etc/ssl/certs
- name: cloudsql-oauth-credentials
secret:
secretName: cloudsql-oauth-credentials
- name: cloudsql
emptyDir:
containers:
- name: postgres-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.09
imagePullPolicy: Always
command: ["/cloud_sql_proxy",
"--dir=/cloudsql",
"-instances=@@PROJECT@@:us-central1:@@DBINST@@=tcp:5432",
"-credential_file=/secrets/cloudsql/credentials.json"]
volumeMounts:
- name: cloudsql-oauth-credentials
mountPath: /secrets/cloudsql
readOnly: true
- name: ssl-certs
mountPath: /etc/ssl/certs
- name: cloudsql
mountPath: /cloudsql
结论:
编辑:为了完整起见,还可以检索并存储其秘密以安全地作为备份。通过使用get -o json,您可以将credentials.json恢复为base64编码的文本。
$kubectl get -o json secret cloudsql-oauth-credentials
{
"apiVersion": "v1",
"data": {
"credentials.json": "ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiYW...."
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2019-01-03T01:32:49Z",
"name": "cloudsql-oauth-credentials",
"namespace": "default",
"resourceVersion": "12078",
"selfLink": "/api/v1/namespaces/default/secrets/cloudsql-oauth-credentials",
"uid": "7af2bdde-0ef7-11e9-92bd-123123123123"
},
"type": "Opaque"
}
可以轻松地解码和保存base64文本:
$ base64 -d < credentials.json.b64 | tee credentials.json
{
"type": "service_account",
"project_id": "xxx-xxx-xxx",
"private_key_id": "abc123abc123abc123abc123abc123abc123",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9...==\n-----END PRIVATE KEY-----\n",
"client_email": "xxx-service-account-sql-cli@xxx-xxx-xxx.iam.gserviceaccount.com",
"client_id": "321321321321321321",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxx-xxx-account-sql-cli%40xxx-xxx-xxx.iam.gserviceaccount.com"
}