0

在启动新集群时,我不小心删除了暂存集群/项目中 cloudsql-oauth-credentials 的机密。有没有办法从“gcloud”或cloudSQL控制台重新获取和安装这些?我可能有一份看起来像这样的原件副本(删除了私人内容):

{                                                                                                                                                                                                                                                                                                                                                                                          
  "type": "service_account",
  "project_id": "able-XXXXX-XXXXX",
  "private_key_id": "8adcffXXXX",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIXXXXXXXXXX==\n-----END PRIVATE KEY-----\n",
  "client_email": "xxxx-service-account-sql-cli@able-xxxx.iam.gserviceaccount.com",
  "client_id": "10905637232xxxxx",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/notify-service-account-sql-cli%40ablexxxxx.iam.gserviceaccount.com"
}

我希望我可以使用它:

kubectl create  secret generic cloudsql-oauth-credentials --from-literal="credentials.json=`cat build/cloudsql-oauth-credentials.json`"

注意:这是在 GCP 上使用标准 Sidecar 代理配置进行 GKE 部署。

4

1 回答 1

0

跟进,经过一番困惑后,我发现我连接到了我的 pod 中的错误容器,这就是为什么我找不到 cloudsql 凭据的秘密。我能够通过这样的卷挂载在我的 pod 中找到凭据:

kubectl exec engine-cron-prod-deployment-788ddb4b8-bxmz9 -c postgres-proxy -it -- /bin/sh
/ # ls /secrets/cloudsql/                                                                                                                                                                                                                                                                  
credentials.json                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
/ # cat /secrets/cloudsql/credentials.json                                                                                                                                                                                                                                                 
{                                                                                                                                                                                                                                                                                          
  "type": "service_account",
  [..stuff deleted..]

这个结果与我保存的文件相匹配,所以我的 keyfile.json(又名 cloudsql-oauth-credentials.json)是正确的。

为了清楚起见,我的部署 yaml 中的 sidecar 模式看起来像这样:

spec:
  volumes:
  - name: ssl-certs
    hostPath:
      path: /etc/ssl/certs
  - name: cloudsql-oauth-credentials
    secret:
      secretName: cloudsql-oauth-credentials
  - name: cloudsql
    emptyDir:
  containers:
  - name: postgres-proxy
    image: gcr.io/cloudsql-docker/gce-proxy:1.09
    imagePullPolicy: Always
    command: ["/cloud_sql_proxy",
              "--dir=/cloudsql",
              "-instances=@@PROJECT@@:us-central1:@@DBINST@@=tcp:5432",
              "-credential_file=/secrets/cloudsql/credentials.json"]
    volumeMounts:
      - name: cloudsql-oauth-credentials
        mountPath: /secrets/cloudsql
        readOnly: true
      - name: ssl-certs
        mountPath: /etc/ssl/certs
      - name: cloudsql
        mountPath: /cloudsql

结论:

  • 无论如何,总是可以删除服务帐户并创建一个新帐户以获取凭据,然后将该帐户添加到正确的角色(对于 cloudsql)并重新开始,尽管这会有些痛苦和耗时。
  • 可以将这些凭证与其他 GKE 集群重复使用以连接到同一个 cloudsql 数据库,或者可以创建具有相同角色但一组单独的凭证的新服务帐户。

编辑:为了完整起见,人们还可以检索和存储他们的秘密,以便安全保存作为备份。通过使用get -o json,您将恢复credentials.json为 base64 编码的文本。

$kubectl get -o json secret cloudsql-oauth-credentials                                                                                                                                                                                                                                                                                               
{                                                                                                                                                                                                                                                                                                                                                                                       
    "apiVersion": "v1",
    "data": {
        "credentials.json": "ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiYW...."
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2019-01-03T01:32:49Z",
        "name": "cloudsql-oauth-credentials",
        "namespace": "default",
        "resourceVersion": "12078",
        "selfLink": "/api/v1/namespaces/default/secrets/cloudsql-oauth-credentials",
        "uid": "7af2bdde-0ef7-11e9-92bd-123123123123"
    },
    "type": "Opaque"
}

该 base64 文本可以轻松解码和保存:

$ base64 -d < credentials.json.b64 | tee credentials.json
{                                                                                                                                                                                                                                                                                                                                                                                       
  "type": "service_account",
  "project_id": "xxx-xxx-xxx",
  "private_key_id": "abc123abc123abc123abc123abc123abc123",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9...==\n-----END PRIVATE KEY-----\n",
  "client_email": "xxx-service-account-sql-cli@xxx-xxx-xxx.iam.gserviceaccount.com",
  "client_id": "321321321321321321",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxx-xxx-account-sql-cli%40xxx-xxx-xxx.iam.gserviceaccount.com"
}
于 2019-01-03T17:14:11.857 回答