在GCP CloudSQL中,删除机密后如何重置GKE的凭据



在创建新集群时,我意外地删除了临时集群/项目中cloudsqloauth凭据的机密。有没有办法从"gcloud"或cloudSQL控制台重新获取和安装这些?我可能有一份原件的副本,看起来像这样(删除了私人内容(:

{                                                                                                                                                                                                                                                                                                                                                                                          
"type": "service_account",
"project_id": "able-XXXXX-XXXXX",
"private_key_id": "8adcffXXXX",
"private_key": "-----BEGIN PRIVATE KEY-----nMIIEvwIXXXXXXXXXX==n-----END PRIVATE KEY-----n",
"client_email": "xxxx-service-account-sql-cli@able-xxxx.iam.gserviceaccount.com",
"client_id": "10905637232xxxxx",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/notify-service-account-sql-cli%40ablexxxxx.iam.gserviceaccount.com"
}

我希望我能用它:

kubectl create  secret generic cloudsql-oauth-credentials --from-literal="credentials.json=`cat build/cloudsql-oauth-credentials.json`"

注意:这是在用于GKE部署的GCP上使用标准的sidecar代理配置。

跟进,在混乱之后,我发现我连接到了我的pod中的错误容器,这就是为什么我找不到cloudsql凭据的秘密。我能够通过这样的卷装载在我的吊舱中找到凭据:

kubectl exec engine-cron-prod-deployment-788ddb4b8-bxmz9 -c postgres-proxy -it -- /bin/sh
/ # ls /secrets/cloudsql/                                                                                                                                                                                                                                                                  
credentials.json                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
/ # cat /secrets/cloudsql/credentials.json                                                                                                                                                                                                                                                 
{                                                                                                                                                                                                                                                                                          
"type": "service_account",
[..stuff deleted..]

这个结果与我保存的文件相匹配,所以我的keyfile.json(又名cloudsqloauth-credentials.json(是正确的。

需要明确的是,我的部署yaml中的sidecar模式看起来像这样:

spec:
volumes:
- name: ssl-certs
hostPath:
path: /etc/ssl/certs
- name: cloudsql-oauth-credentials
secret:
secretName: cloudsql-oauth-credentials
- name: cloudsql
emptyDir:
containers:
- name: postgres-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.09
imagePullPolicy: Always
command: ["/cloud_sql_proxy",
"--dir=/cloudsql",
"-instances=@@PROJECT@@:us-central1:@@DBINST@@=tcp:5432",
"-credential_file=/secrets/cloudsql/credentials.json"]
volumeMounts:
- name: cloudsql-oauth-credentials
mountPath: /secrets/cloudsql
readOnly: true
- name: ssl-certs
mountPath: /etc/ssl/certs
- name: cloudsql
mountPath: /cloudsql

结论:

  • 无论如何,人们总是可以删除服务帐户并创建一个新帐户来获取凭据,然后将该帐户添加到正确的角色(对于cloudsql(并重新启动,尽管这会有点痛苦和耗时
  • 可以将这些凭据与其他GKE集群重复使用,以连接到同一个cloudsqlDB,也可以创建具有相同角色但具有单独凭据集的新服务帐户

编辑:为了完整性,还可以检索和存储他们的秘密,以便作为备份进行安全保存。通过使用get -o json,您将把credentials.json恢复为base64编码的文本。

$kubectl get -o json secret cloudsql-oauth-credentials                                                                                                                                                                                                                                                                                               
{                                                                                                                                                                                                                                                                                                                                                                                       
"apiVersion": "v1",
"data": {
"credentials.json": "ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiYW...."
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2019-01-03T01:32:49Z",
"name": "cloudsql-oauth-credentials",
"namespace": "default",
"resourceVersion": "12078",
"selfLink": "/api/v1/namespaces/default/secrets/cloudsql-oauth-credentials",
"uid": "7af2bdde-0ef7-11e9-92bd-123123123123"
},
"type": "Opaque"
}

base64文本可以很容易地解码和保存:

$ base64 -d < credentials.json.b64 | tee credentials.json
{                                                                                                                                                                                                                                                                                                                                                                                       
"type": "service_account",
"project_id": "xxx-xxx-xxx",
"private_key_id": "abc123abc123abc123abc123abc123abc123",
"private_key": "-----BEGIN PRIVATE KEY-----nMIIEvwIBADANBgkqhkiG9...==n-----END PRIVATE KEY-----n",
"client_email": "xxx-service-account-sql-cli@xxx-xxx-xxx.iam.gserviceaccount.com",
"client_id": "321321321321321321",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxx-xxx-account-sql-cli%40xxx-xxx-xxx.iam.gserviceaccount.com"
}

相关内容

  • 没有找到相关文章

最新更新