Tom*_*Tom | score 0 | tags: bash, makefile, sed, kubernetes
In Kubernetes, Secret resources are base64 encoded. This is the example YAML file from the official documentation:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  USERNAME: bXktYXBwCg==
  PASSWORD: YV44KXlcNzw4QUF4YWEoeV54
```
The two secret data values, the username and the password, were base64 encoded with:

```bash
echo -n 'my-app' | base64
echo -n 'a^8)y\7<8AAxaa(y^x' | base64
```
The workflow I want is to work with a "naked" YAML version of my secrets and have a Makefile generate the base64-encoded version.

Here is where I got to before running into trouble:

Input (`my-secrets-naked.yaml`):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  USERNAME: my-app
  PASSWORD: a^8)y\7<8AAxaa(y^x
```
The Makefile:

```make
base64:
	@echo "Computing base64 of secret values..."
	cat my-secrets-naked.yaml | bash base64_secrets.sh > my-secrets-base64.yaml
```
The `base64_secrets.sh` script:

```bash
sed -r 's/(\s+[A-Z]\S+:\s*)(.*)/echo "\1$(echo -n "\2" | base64 -w0 )"/e;s/ -//'
```
Command: `make base64`

Output (`my-secrets-base64.yaml`):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  USERNAME: bXktYXBw
  PASSWORD: YV44KXkHPDhBQXhhYSh5Xng=
```
Ideally I would like the `sed` inside the Makefile rather than in a separate script, but I could not work that out. More importantly, though, the base64 of PASSWORD is wrong! It mangles secrets that contain backslashes; in this case the `\7` causes the problem. I also have not been able to figure out how to get `sed` to echo the unescaped characters while still using the `\2` back-reference. (`echo -E` does not work, it needs `\2` literally. No luck with `printf '%s' \2` either.)

I know this seems like a very specific problem, but wouldn't a good solution be useful for all Kubernetes users?

If I get this workflow working I intend to extend it so that the Makefile also generates a third file, with the secrets redacted and hashed, so it can safely be committed to git while still showing when something has changed.

I am on Ubuntu 16.04, sed (GNU sed) 4.2.2.
Consider using the `stringData` field instead of the `data` field; you can pass in the unencoded values. They will still be stored internally under `data` and shown there when queried.
```
DESCRIPTION:
Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.

FIELDS:
   type <string>
     Used to facilitate programmatic handling of secret data.

   apiVersion <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#resources

   data <object>
     Data contains the secret data. Each key must be a valid DNS_SUBDOMAIN or
     leading dot followed by valid DNS_SUBDOMAIN. The serialized form of the
     secret data is a base64 encoded string, representing the arbitrary (possibly
     non-string) data value here. Described in
     https://tools.ietf.org/html/rfc4648#section-4

   kind <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds

   metadata <Object>
     Standard object's metadata. More info:
     http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata

   stringData <object>
     stringData allows specifying non-binary secret data in string form. It is
     provided as a write-only convenience method. All keys and values are merged
     into the data field on write, overwriting any existing values. It is never
     output when reading from the API.
```
I would suggest using JSON rather than YAML.
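As an added example (not code from the question or the answer above), the following POSIX shell script does the conversion the question asks for without passing secret values through sed's `e` flag or `echo`, which is where the backslash in `\7` gets reinterpreted: `read -r` and `printf '%s'` keep every byte literal. For comparison it also produces the `stringData` form the answer suggests, with each value double-quoted and escaped so that the same backslash survives YAML parsing. The function names, and the assumption that the `data:` block is flat and two-space indented as in the question, are mine.

```shell
#!/bin/sh
# Added example: rewrite a "naked" Secret manifest read on stdin into one
# kubectl accepts, written to stdout.
#   encode_secret_values  - base64-encodes every value under "data:"
#   string_data_manifest  - renames "data:" to "stringData:" and double-quotes
#                           each value, escaping \ and " as YAML requires
# Assumed input shape (as in the question): a flat, two-space-indented
# "data:" block of "KEY: value" lines; nested or multi-line values are not
# handled.

# Print $1 with leading spaces removed.
ltrim() {
    v=$1
    while [ "${v# }" != "$v" ]; do v=${v# }; done
    printf '%s' "$v"
}

# Escape $1 as a YAML double-quoted scalar: \ becomes \\ and " becomes \".
# Inside double quotes YAML would otherwise try to read \7 as an escape.
quote_yaml_string() {
    esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '"%s"' "$esc"
}

# Single-line base64 of $1 with no trailing newline in the input, so
# "my-app" gives bXktYXBw rather than the bXktYXBwCg== that
# "echo my-app | base64" produces.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Shared line walker. $1 names the function applied to each value inside the
# data: block; $2 is the text written in place of the "data:" header line.
# Lines outside the block (apiVersion, kind, metadata, ...) pass through.
rewrite_data_block() {
    in_data=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            data:)   in_data=1; printf '%s\n' "$2"; continue ;;
            " "*|"") ;;            # indented or blank: still inside the current block
            *)       in_data=0 ;;  # another top-level key ends the data block
        esac
        if [ "$in_data" -eq 1 ]; then
            case "$line" in
                *:*)
                    key=${line%%:*}                 # "  USERNAME", indent kept
                    value=$(ltrim "${line#*:}")     # text after the first colon
                    printf '%s: %s\n' "$key" "$("$1" "$value")"
                    continue ;;
            esac
        fi
        printf '%s\n' "$line"
    done
}

encode_secret_values() { rewrite_data_block b64 "data:"; }
string_data_manifest() { rewrite_data_block quote_yaml_string "stringData:"; }

# Usage from the Makefile, with this file saved as secrets.sh (name assumed)
# and a call to the wanted function appended at the bottom:
#   sh secrets.sh < my-secrets-naked.yaml > my-secrets-base64.yaml
```

Two points worth keeping in mind when adopting either form: base64 is an encoding, not encryption, so `my-secrets-base64.yaml` is exactly as sensitive as the naked file and belongs in the same place outside git; and a `stringData` manifest carries the plaintext values in the file itself, which is why the asker's plan to commit only a redacted and hashed copy is the sound one.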