How to validate Kubernetes secrets for TIBCO ModelOps

Article ID: KB0071918

Product: TIBCO ModelOps
Version: 1.2

Description

Some Kubernetes (K8s) secrets need to be created for your ModelOps-related pods/services. These secrets are typically created using values obtained from environment variables you've set. For example (Windows Command Prompt syntax):
 

kubectl create secret generic externaldns-config --from-literal=azure.json=^
"{ \"tenantId\": \"%AZ_TENANT_ID%\", ^
\"subscriptionId\": \"%AZ_SUBSCRIPTION_ID%\", ^
\"resourceGroup\": \"%AZ_GROUP_NAME%\", ^
\"aadClientId\": \"%AZ_SERVICE_PRINCIPAL_ID%\", ^
\"aadClientSecret\": \"%AZ_APP_SECRET%\" }"

How can this secret be inspected to confirm that the expected environment variable substitutions have been made?

Resolution

Use kubectl to get the base64 representation of the secret's JSON:
 
kubectl get secret externaldns-config -o yaml

apiVersion: v1
data:
  azure.json: eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9
kind: Secret
metadata:
  creationTimestamp: "2022-10-14T13:56:22Z"
  name: externaldns-config
  namespace: modelops12
  resourceVersion: "2532"
  uid: a2748f8a-8c20-4a13-a859-55737fdc479e
type: Opaque

Then decode the value of 'azure.json' using certutil (Windows) or base64 (Linux).

Windows example:

echo eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9 > b64-secret-json.txt

certutil -decode b64-secret-json.txt secret-json.txt

type secret-json.txt | jq .

{
  "tenantId": "cge6fa33-dcb3-5872-og01-4843c427kdlw",
  "subscriptionId": "cadbbg85-7d35-302e-7371-4ab9e2a27320",
  "resourceGroup": "AzureRG",
  "aadClientId": "57fdac31-baf5-42cb-900d-76a364e4771f",
  "aadClientSecret": "WwE7F~Hat~VKuey1dClz4z1eXlIv~keTxZHM6cD7"
}

Linux example:
 
echo eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9 | base64 --decode | jq .

{
  "tenantId": "cge6fa33-dcb3-5872-og01-4843c427kdlw",
  "subscriptionId": "cadbbg85-7d35-302e-7371-4ab9e2a27320",
  "resourceGroup": "AzureRG",
  "aadClientId": "57fdac31-baf5-42cb-900d-76a364e4771f",
  "aadClientSecret": "WwE7F~Hat~VKuey1dClz4z1eXlIv~keTxZHM6cD7"
}
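As an added example (not part of the TIBCO article), the Python function below runs the same validation on the output of `kubectl get secret externaldns-config -o json` and reports field names only, so the decoded client secret is never printed or written to disk. It flags both outcomes of an unset variable: a literal `%NAME%` left by the interactive Command Prompt, and the empty string a batch file substitutes. The names `check_secret`, `make_secret` and `SAMPLE` are assumptions of this example, and the sample values are constructed.

```python
import base64
import json
import re

# Field names taken from the azure.json payload shown in the article.
REQUIRED = ["tenantId", "subscriptionId", "resourceGroup",
            "aadClientId", "aadClientSecret"]
# cmd.exe leaves %NAME% as literal text at the prompt when NAME is not set.
PLACEHOLDER = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")


def check_secret(secret_json, key="azure.json", required=REQUIRED):
    """Return problems (field names only, never values) for one Secret key."""
    encoded = (json.loads(secret_json).get("data") or {}).get(key)
    if encoded is None:
        return [f"{key}: key missing from secret data"]
    try:
        payload = json.loads(base64.b64decode(encoded, validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"{key}: value is not base64-encoded JSON"]
    if not isinstance(payload, dict):
        return [f"{key}: decoded JSON is not an object"]
    problems = []
    for field in required:
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
        elif PLACEHOLDER.search(value):
            problems.append(f"{field}: unsubstituted %VAR% placeholder")
    return problems


def make_secret(payload):
    """Hypothetical helper: wrap a dict the way kubectl would return it."""
    blob = base64.b64encode(json.dumps(payload).encode()).decode()
    return json.dumps({"kind": "Secret", "data": {"azure.json": blob}})


# Constructed sample: AZ_GROUP_NAME was empty and AZ_APP_SECRET was not set.
SAMPLE = make_secret({
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "subscriptionId": "11111111-1111-1111-1111-111111111111",
    "resourceGroup": "",
    "aadClientId": "22222222-2222-2222-2222-222222222222",
    "aadClientSecret": "%AZ_APP_SECRET%",
})

if __name__ == "__main__":
    print("\n".join(check_secret(SAMPLE)) or "all fields substituted")
```

To check a live secret, pass the text returned by `kubectl get secret externaldns-config -o json` to `check_secret` in place of `SAMPLE`.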


 

Issue/Introduction

Provides the steps needed to extract values from a Kubernetes secret that you've created for ModelOps services. This can help validate configuration values that relate to your cloud environment. In this article, an example is provided for Microsoft Azure.