Jan

Reputation: 16094

Get a secret with k8s.io library

I am totally new to Go and the Kubernetes library k8s.io (https://github.com/kubernetes/client-go) and am trying to figure out how to get a specific secret.

I have a kind of observer which watches for changes to Secrets. I am iterating through a SecretList within a specific namespace. That works, and I can also filter them with a while loop. But I do not know how to get and search for a Secret in a different namespace, which should be available in this loop.

I need a secret named XXX in namespace "my-namespace". (I know that the following line does not exist; it should only outline the idea of what I am looking for.) I come from Ruby, so I searched for something like this:

var myKubeSecret = kubernetes.V1().Secrets("my-namespace").Find("XXX")

Does a function like the one above exist?

This is what I have: this observes all my secrets in namespace "default", which works. That example was taken from code that does something similar to what I was searching for, and I am now trying to modify it:

import (
    "fmt"
    "io/ioutil"

    v1 "k8s.io/api/core/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    kubeinformers "k8s.io/client-go/informers"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/tools/cache"
    "k8s.io/client-go/tools/clientcmd"
    "sigs.k8s.io/yaml"
)
// a lot of code
// ....
// ...
// ..
// .

if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
    fmt.Println("data", data)
}
// listen for new secrets
factory := kubeinformers.NewSharedInformerFactoryWithOptions(clientsetCore, 0, kubeinformers.WithNamespace(namespace()))
informer := factory.Core().V1().Secrets().Informer()
secrets := factory.Core().V1().Secrets().Lister()

var myKubeSecret string // will hold my secret

informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
    AddFunc: func(new interface{}) {
        // get the secret
        var cpSecret = new.(*v1.Secret).DeepCopy()
        if cpSecret.GetName() == "argocd-credentials" {
            var cpData = cpSecret.Data
            for k, v := range cpData {
                clusterIP = kubeConfig.Clusters[0].Cluster.Server

                fmt.Println("cpData k:", k, "v:", v)
                switch k {
                case "authToken":
                    fmt.Println("authToken:", v)

                    // ### HERE SHOULD BE THE VALUE OF A
                    // ### SECRET NAMED XXX in ns my-namespace
                    myKubeSecret = // ### should a bearerToken string
                }
            }
        }
    },
})

I hope you get the idea..

Please also tell me which import library is needed, if any.

Upvotes: 3

Views: 8595

Answers (3)

Cesar Celis

Reputation: 306

Via "k8s.io/client-go/kubernetes" you can get the secret. There is a full example in https://github.com/minio/operator/blob/master/pkg/controller/cluster/main-controller.go; it is something similar to:

import (
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
)

...

type Controller struct {

    // kubeClientSet is a standard kubernetes clientset
    kubeClientSet kubernetes.Interface
}

...

// Trying to get just the csr-signer secret not the entire list from openshift-kube-controller-manager-operator namespace
secret, _ := c.kubeClientSet.CoreV1().Secrets("openshift-kube-controller-manager-operator").Get(
    ctx, "csr-signer", metav1.GetOptions{})

Upvotes: 0
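
Whether the Get call above succeeds for a namespace other than the caller's own is decided by RBAC in the target namespace. The manifest below is an added example, not part of the answer or of the linked project: it grants read access to the single secret XXX in "my-namespace" to an observer running in "default". The ServiceAccount name `secret-observer` and the object name `read-secret-xxx` are assumptions.

```yaml
# Added example: least-privilege RBAC for a cross-namespace Get.
# Assumed (not from the page): the observer runs as ServiceAccount
# "secret-observer" in namespace "default"; object names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-secret-xxx          # hypothetical name
  namespace: my-namespace        # namespace that holds the secret
rules:
  - apiGroups: [""]              # core API group
    resources: ["secrets"]
    resourceNames: ["XXX"]       # only this one secret
    verbs: ["get"]               # get only; list/watch would return secret contents for the whole namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secret-xxx
  namespace: my-namespace        # a RoleBinding grants access only within its own namespace
subjects:
  - kind: ServiceAccount
    name: secret-observer        # assumed ServiceAccount name
    namespace: default           # the subject may live in a different namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-secret-xxx
```

The grant can be checked with `kubectl auth can-i get secret/XXX -n my-namespace --as=system:serviceaccount:default:secret-observer`.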

KRyun

Reputation: 23

As mentioned above, a secret object resides in a namespace. Secrets can only be referenced by pods in that same namespace.

Sharing secret across namespaces

If you want to use the secret in multiple namespaces, copy the same secret into the desired namespaces.

Example case

  • kubernetes secret: test-secret-1
  • namespace from: testns1
  • namespace to: testns2
  1. Using pipe "|" operator
kubectl get secret test-secret-1 --namespace=testns1 -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=testns2 -f -
  2. Using sed command
kubectl get secret test-secret-1 -n testns1 -o yaml | sed s/"namespace: testns1"/"namespace: testns2"/ | kubectl apply -n testns2 -f -
  3. Export kubernetes secret to yaml and apply secret
kubectl get secret test-secret-1 -n testns1 -o yaml
apiVersion: v1
data:
  password: dGVzdFBAc3N3b3Jk
  username: dGVzdC11c2Vy
kind: Secret
metadata:
  creationTimestamp: "2021-11-11T21:21:02Z"
  name: test-secret-1
  namespace: testns1 # change namespace to testns2
  resourceVersion: "307939"
  uid: 6a8d9a6d-9648-4a39-a362-150e682c9a42
type: Opaque

https://jhooq.com/kubernetes-share-secrets-namespaces/

Upvotes: 2

Ramiro Andres Videla

Reputation: 21

You can't read a secret from a different namespace from where you are making the request.

Upvotes: 1
