How to validate Kubernetes secrets for TIBCO ModelOps

How to validate Kubernetes secrets for TIBCO ModelOps

book

Article ID: KB0071918

calendar_today

Updated On:

Products Versions
TIBCO ModelOps 1.2

Description

Some Kubernetes (K8s) secrets need to be created for your ModelOps-related pods/services. These secrets are typically created using values obtained from environment variables you've set. For example:
  

kubectl create secret generic externaldns-config --from-literal=azure.json=^
"{ \"tenantId\": \"%AZ_TENANT_ID%\", ^
\"subscriptionId\": \"%AZ_SUBSCRIPTION_ID%\", ^
\"resourceGroup\": \"%AZ_GROUP_NAME%\", ^
\"aadClientId\": \"%AZ_SERVICE_PRINCIPAL_ID%\", ^
\"aadClientSecret\": \"%AZ_APP_SECRET%\" }"

How can this secret be inspected to confirm that the expected environment variable substitutions have been made?

Resolution

Use kubectl to get the base64 representation of the secret's JSON:
  
kubectl get secret externaldns-config -o yaml

apiVersion: v1
data:
  azure.json: eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0Mjdr
ZGx3IiwgInN1YnNjcmlwdGlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyM
CIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlUkciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmN
S00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsaWVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vk
t1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9
kind: Secret
metadata:
  creationTimestamp: "2022-10-14T13:56:22Z"
  name: externaldns-config
  namespace: modelops12
  resourceVersion: "2532"
  uid: a2748f8a-8c20-4a13-a859-55737fdc479e
type: Opaque

Then decode the value of 'azure.json' using certutil (Windows) or base64 (Linux).

Windows Example:
  
echo eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwd
GlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlU
kciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsa
WVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9 > b64-secret-json.txt

certutil -decode b64-secret-json.txt secret-json.txt

type secret-json.txt | jq .

{
  "tenantId": "cge6fa33-dcb3-5872-og01-4843c427kdlw",
  "subscriptionId": "cadbbg85-7d35-302e-7371-4ab9e2a27320",
  "resourceGroup": "AzureRG",
  "aadClientId": "57fdac31-baf5-42cb-900d-76a364e4771f",
  "aadClientSecret": "WwE7F~Hat~VKuey1dClz4z1eXlIv~keTxZHM6cD7"
}

Linux example:
  
echo eyAidGVuYW50SWQiOiAiY2dlNmZhMzMtZGNiMy01ODcyLW9nMDEtNDg0M2M0MjdrZGx3IiwgInN1YnNjcmlwd
GlvbklkIjogImNhZGJiZzg1LTdkMzUtMzAyZS03MzcxLTRhYjllMmEyNzMyMCIsICJyZXNvdXJjZUdyb3VwIjogIkF6dXJlU
kciLCAiYWFkQ2xpZW50SWQiOiAiNTdmZGFjMzEtYmFmNS00MmNiLTkwMGQtNzZhMzY0ZTQ3NzFmIiwgImFhZENsa
WVudFNlY3JldCI6ICJXd0U3Rn5IYXR+Vkt1ZXkxZENsejR6MWVYbEl2fmtlVHhaSE02Y0Q3IiB9 | base64 --decode | jq .

{
  "tenantId": "cge6fa33-dcb3-5872-og01-4843c427kdlw",
  "subscriptionId": "cadbbg85-7d35-302e-7371-4ab9e2a27320",
  "resourceGroup": "AzureRG",
  "aadClientId": "57fdac31-baf5-42cb-900d-76a364e4771f",
  "aadClientSecret": "WwE7F~Hat~VKuey1dClz4z1eXlIv~keTxZHM6cD7"
}


 

Issue/Introduction

Provides the steps needed to extract values from a Kubernetes secret that you've created for ModelOps services. This can help validate configuration values that relate to your cloud environment. In this article, an example is provided for Microsoft Azure.
Powered by Wolken Software