How to reset GKE credentials for GCP Cloud SQL after deleting the secret



While creating a new cluster, I accidentally deleted the secret holding the cloudsql-oauth-credentials in a temporary cluster/project. Is there a way to retrieve and reinstall these from "gcloud" or the Cloud SQL console? I may have a copy of the original, which looks like this (private content removed):

{
  "type": "service_account",
  "project_id": "able-XXXXX-XXXXX",
  "private_key_id": "8adcffXXXX",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIXXXXXXXXXX==\n-----END PRIVATE KEY-----\n",
  "client_email": "xxxx-service-account-sql-cli@able-xxxx.iam.gserviceaccount.com",
  "client_id": "10905637232xxxxx",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/notify-service-account-sql-cli%40ablexxxxx.iam.gserviceaccount.com"
}

I was hoping I could use it with:

kubectl create secret generic cloudsql-oauth-credentials --from-literal="credentials.json=`cat build/cloudsql-oauth-credentials.json`"

Note: this is on GCP, using the standard sidecar proxy configuration for GKE deployments.

Follow-up: after the confusion, I found that I had been connecting to the wrong container in my pod, which is why I couldn't find the cloudsql credentials secret. I was able to find the credentials in my pod through the volume mount like this:

kubectl exec engine-cron-prod-deployment-788ddb4b8-bxmz9 -c postgres-proxy -it -- /bin/sh
/ # ls /secrets/cloudsql/
credentials.json
/ # cat /secrets/cloudsql/credentials.json
{
  "type": "service_account",
  [..stuff deleted..]

This output matches the file I had saved, so my keyfile.json (aka cloudsql-oauth-credentials.json) is correct.

To be clear, the sidecar pattern in my deployment yaml looks like this:

spec:
  volumes:
    - name: ssl-certs
      hostPath:
        path: /etc/ssl/certs
    - name: cloudsql-oauth-credentials
      secret:
        secretName: cloudsql-oauth-credentials
    - name: cloudsql
      emptyDir: {}   # an empty mapping, not a bare key, so the volume source is set
  containers:
    - name: postgres-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.09
      imagePullPolicy: Always
      command: ["/cloud_sql_proxy",
                "--dir=/cloudsql",
                "-instances=@@PROJECT@@:us-central1:@@DBINST@@=tcp:5432",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      volumeMounts:
        - name: cloudsql-oauth-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
        - name: ssl-certs
          mountPath: /etc/ssl/certs
        - name: cloudsql
          mountPath: /cloudsql

Conclusions:

  • In any case, one can always delete the service account and create a new one to obtain credentials, then add that account to the correct role (for Cloud SQL) and restart, although this is a bit painful and time-consuming
  • These credentials can be reused with other GKE clusters to connect to the same Cloud SQL DB, or a new service account with the same role but a separate set of credentials can be created

Edit: for completeness, one can also retrieve and store the secret to keep it safe as a backup. Using get -o json, you get credentials.json back as base64-encoded text.

$ kubectl get -o json secret cloudsql-oauth-credentials
{
  "apiVersion": "v1",
  "data": {
    "credentials.json": "ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiYW...."
  },
  "kind": "Secret",
  "metadata": {
    "creationTimestamp": "2019-01-03T01:32:49Z",
    "name": "cloudsql-oauth-credentials",
    "namespace": "default",
    "resourceVersion": "12078",
    "selfLink": "/api/v1/namespaces/default/secrets/cloudsql-oauth-credentials",
    "uid": "7af2bdde-0ef7-11e9-92bd-123123123123"
  },
  "type": "Opaque"
}

The base64 text can easily be decoded and saved:

$ base64 -d < credentials.json.b64 | tee credentials.json
{
  "type": "service_account",
  "project_id": "xxx-xxx-xxx",
  "private_key_id": "abc123abc123abc123abc123abc123abc123",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9...==\n-----END PRIVATE KEY-----\n",
  "client_email": "xxx-service-account-sql-cli@xxx-xxx-xxx.iam.gserviceaccount.com",
  "client_id": "321321321321321321",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxx-xxx-account-sql-cli%40xxx-xxx-xxx.iam.gserviceaccount.com"
}

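The backup-and-restore flow the post ends with, written out as an added example that is not part of the original post: take the JSON that `kubectl get -o json secret ...` prints, decode the `credentials.json` entry, check that what came out is actually a GCP service-account key before trusting it, and build the `kubectl create secret` command for the same namespace the Secret was read from. It uses only POSIX sh, sed, grep and base64 so it runs offline without jq; the embedded Secret, the key inside it (a fake private key), the `example-project` values and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original post): recover a Cloud SQL proxy
# key from `kubectl get -o json secret <name>` output and plan its recreation.

# Decode the base64 value stored under key "$2" in the .data map of the
# Secret JSON passed as "$1". Relies on kubectl's pretty-printed output,
# where each data entry sits on its own line.
secret_data_field() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | base64 -d
}

# Namespace the Secret lives in. The Deployment's secretName is resolved in
# its own namespace, so the recreated Secret must go back into the same one.
secret_namespace() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*"namespace":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the file at "$1" looks like a service-account key file:
# type "service_account", a PEM private-key block (stored in JSON with
# literal \n sequences, so the markers are on one line) and a
# *.iam.gserviceaccount.com client_email.
is_service_account_key() {
    grep -q '"type":[[:space:]]*"service_account"' "$1" &&
    grep -q -e '-----BEGIN PRIVATE KEY-----' "$1" &&
    grep -q -e '-----END PRIVATE KEY-----' "$1" &&
    grep -q '"client_email":[[:space:]]*"[^"]*@[^"]*\.iam\.gserviceaccount\.com"' "$1"
}

# Print the command that recreates the Secret from the saved file.
# --from-file reads the key from disk, so unlike --from-literal with an
# inline `cat` the key never appears in shell history or `ps` output.
recreate_command() {
    printf 'kubectl -n %s create secret generic %s --from-file=credentials.json=%s\n' \
        "$1" "$2" "$3"
}

# Constructed sample input (fake key, not a real credential), wrapped the
# way `kubectl get -o json` prints a Secret.
FAKE_KEY='{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n-----END PRIVATE KEY-----\n",
  "client_email": "sql-proxy@example-project.iam.gserviceaccount.com"
}'
FAKE_KEY_B64=$(printf '%s' "$FAKE_KEY" | base64 | tr -d '\n')
SAMPLE_SECRET="{
  \"apiVersion\": \"v1\",
  \"data\": {
    \"credentials.json\": \"$FAKE_KEY_B64\"
  },
  \"kind\": \"Secret\",
  \"metadata\": {
    \"name\": \"cloudsql-oauth-credentials\",
    \"namespace\": \"default\"
  },
  \"type\": \"Opaque\"
}"

# Usage: decode the sample Secret to a file, validate it, and print the
# command that would put it back into the cluster.
main() {
    out=$(mktemp)
    secret_data_field "$SAMPLE_SECRET" credentials.json > "$out"
    if ! is_service_account_key "$out"; then
        echo "$out is not a service-account key; refusing to plan a restore" >&2
        return 1
    fi
    recreate_command "$(secret_namespace "$SAMPLE_SECRET")" cloudsql-oauth-credentials "$out"
}
main "$@"
```

Two caveats go with this. Deleting the Kubernetes Secret does not revoke anything on the GCP side: the decoded `credentials.json` (and the copy under `build/` mentioned in the question) is a live key for that service account until it is removed with `gcloud iam service-accounts keys delete`, so the backup needs the same protection as the Secret itself. And when no copy survives, `gcloud iam service-accounts keys create credentials.json --iam-account=<client_email>` issues a fresh key for the existing account, which avoids the delete-and-recreate-the-account route in the conclusions and leaves the account's Cloud SQL role grant untouched.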