How to validate Kubernetes secrets for TIBCO ModelOps

Article ID: KB0071918

Products: TIBCO ModelOps
Versions: 1.2

Description

Some Kubernetes (K8s) secrets need to be created for your ModelOps-related pods/services. These secrets are typically created using values obtained from environment variables you've set. For example:
 
kubectl create secret generic externaldns-config --from-literal=azure.json=^
"{ \"tenantId\": \"%AZ_TENANT_ID%\", ^
\"subscriptionId\": \"%AZ_SUBSCRIPTION_ID%\", ^
\"resourceGroup\": \"%AZ_GROUP_NAME%\", ^
\"aadClientId\": \"%AZ_SERVICE_PRINCIPAL_ID%\", ^
\"aadClientSecret\": \"%AZ_APP_SECRET%\" }"

How can this secret be inspected to confirm that the expected environment variable substitutions have been made?

Issue/Introduction

Provides the steps needed to extract values from a Kubernetes secret that you've created for ModelOps services. This can help validate configuration values that relate to your cloud environment. In this article, an example is provided for Microsoft Azure.

Resolution

Use kubectl to get the base64 representation of the secret's JSON:
 
kubectl get secret externaldns-config -o yaml

apiVersion: v1
data:
  azure.json: eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9
kind: Secret
metadata:
  creationTimestamp: "2022-10-14T13:56:22Z"
  name: externaldns-config
  namespace: modelops12
  resourceVersion: "2532"
  uid: a2748f8a-8c20-4a13-a859-55737fdc479e
type: Opaque

Then decode the value of 'azure.json' using certutil (Windows) or base64 (Linux).

Windows example:
 
echo eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9 > b64-secret-json.txt

certutil -decode b64-secret-json.txt secret-json.txt

type secret-json.txt | jq .

{
  "tenantId": "cge6fa33-dcb3-5872-og01-4843c427kdlw",
  "subscriptionId": "cadbbg85-7d35-302e-7371-4ab9e2a27320",
  "resourceGroup": "AzureRG",
  "aadClientId": "57fdac31-baf5-42cb-900d-76a364e4771f",
  "aadClientSecret": "WwE7F~Hat~VKuey1dClz4z1eXlIv~keTxZHM6cD7"
}

Linux example:
 
echo eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9 | base64 --decode | jq .

{
  "tenantId": "cge6fa33-dcb3-5872-og01-4843c427kdlw",
  "subscriptionId": "cadbbg85-7d35-302e-7371-4ab9e2a27320",
  "resourceGroup": "AzureRG",
  "aadClientId": "57fdac31-baf5-42cb-900d-76a364e4771f",
  "aadClientSecret": "WwE7F~Hat~VKuey1dClz4z1eXlIv~keTxZHM6cD7"
}
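
The same validation can be done without displaying the decoded values. The script below is an added example, not TIBCO code: it reads the output of kubectl get secret externaldns-config -o json on standard input and reports, for each key the create command sets, whether the value is present, non-empty and free of a leftover %NAME% placeholder. The names check_secret and make_sample are hypothetical, and make_sample only builds constructed test input.

```python
import base64
import json
import re
import sys

# Added example (hypothetical helper names). Keys the article's secret is created with.
REQUIRED_KEYS = ("tenantId", "subscriptionId", "resourceGroup",
                 "aadClientId", "aadClientSecret")
# An unset variable stays as a literal %NAME% when the create command is typed
# at an interactive cmd prompt, and becomes an empty string in a batch file.
UNEXPANDED = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")


def check_secret(secret_json, data_key="azure.json"):
    """Return {key: status} for one Secret; the values themselves are never returned."""
    encoded = (json.loads(secret_json).get("data") or {}).get(data_key)
    if encoded is None:
        return {data_key: "missing from secret data"}
    try:
        config = json.loads(base64.b64decode(encoded, validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return {data_key: "undecodable: " + type(exc).__name__}
    if not isinstance(config, dict):
        return {data_key: "not a JSON object"}
    report = {}
    for key in REQUIRED_KEYS:
        value = config.get(key)
        if value is None:
            report[key] = "missing"
        elif not isinstance(value, str) or not value.strip():
            report[key] = "empty or not a string"
        elif UNEXPANDED.search(value):
            report[key] = "unexpanded placeholder"
        else:
            report[key] = "ok"
    return report


def make_sample(config_text):
    """Build a constructed Secret document shaped like kubectl's -o json output."""
    blob = base64.b64encode(config_text.encode()).decode()
    return json.dumps({"kind": "Secret", "data": {"azure.json": blob}})


if __name__ == "__main__":
    report = check_secret(sys.stdin.read())
    for key, status in report.items():
        print(f"{key}: {status}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Because only a status per key is printed, the client secret does not end up in terminal scrollback or in intermediate files such as the ones the certutil steps write. The exit code is non-zero when any key fails, so the check can gate a deployment script.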