kubernetes cronjob和更新秘密 [英] kubernetes cronjob and updating a secret

问题描述

下面是我的python脚本，用于更新秘密，因此我可以使用kubectl部署到kubernetes.因此，它工作正常.但是我想创建一个kubernetes cron作业，该作业将运行docker容器以从kubernetes集群中更新机密.我怎么做? aws秘密仅持续12个小时，我必须从群集中重新生成它，以便在吊舱崩溃等情况下可以拉动我.

Below is my python script to update a secret so I can deploy to kubernetes using kubectl. So it works fine. But I want to create a kubernetes cron job that will run a docker container to update a secret from within a kubernetes cluster. How do I do that? The aws secret lasts only 12 hours to I have to regenerate from within the cluster so I can pull if pod crash etc...

在kubernetes中可以访问内部API吗?

This there an internal api I have access to within kubernetes?

cmd = """aws ecr get-login --no-include-email --region us-east-1 > aws_token.txt"""
run_bash(cmd)


f = open('aws_token.txt').readlines()
TOKEN = f[0].split(' ')[5]


SECRET_NAME = "%s-ecr-registry" % (self.region)


cmd = """kubectl delete secret --ignore-not-found %s -n %s""" % (SECRET_NAME,namespace)
print (cmd)
run_bash(cmd)

cmd = """kubectl create secret docker-registry %s --docker-server=https://%s.dkr.ecr.%s.amazonaws.com --docker-username=AWS --docker-password="%s" --docker-email="david.montgomery@gmail.com" -n %s """ % (SECRET_NAME,self.aws_account_id,self.region,TOKEN,namespace)
print (cmd)
run_bash(cmd)

cmd = "kubectl describe secrets/%s-ecr-registry -n %s" % (self.region,namespace)
print (cmd)
run_bash(cmd)

cmd = "kubectl get secret %s-ecr-registry -o yaml -n %s" % (self.region,namespace)
print (cmd)

推荐答案

碰巧的是，我确实做到了.

As it happens I literally just got done doing this.

下面是设置cronjob来滚动您的AWS docker登录令牌，然后每6小时重新登录一次ECR所需的一切.只需将{{变量}}替换为您自己的实际值即可.

Below is everything you need to set up a cronjob to roll your AWS docker login token, and then re-login to ECR, every 6 hours. Just replace the {{ variables }} with your own actual values.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: {{ namespace }}
  name: ecr-cred-helper
rules:
- apiGroups: [""]
  resources:
  - secrets
  - serviceaccounts
  - serviceaccounts/token
  verbs:
  - 'delete'
  - 'create'
  - 'patch'
  - 'get'

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ecr-cred-helper
  namespace: {{ namespace }}
subjects:
- kind: ServiceAccount
  name: sa-ecr-cred-helper
  namespace: {{ namespace }}
roleRef:
  kind: Role
  name: ecr-cred-helper
  apiGroup: ""

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-ecr-cred-helper
  namespace: {{ namespace }}

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  annotations:
  name: ecr-cred-helper
  namespace: {{ namespace }}
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          serviceAccountName: sa-ecr-cred-helper
          containers:
          - command:
            - /bin/sh
            - -c
            - |-
              TOKEN=`aws ecr get-login --region ${REGION} --registry-ids ${ACCOUNT} | cut -d' ' -f6`
              echo "ENV variables setup done."
              kubectl delete secret -n {{ namespace }} --ignore-not-found $SECRET_NAME
              kubectl create secret -n {{ namespace }} docker-registry $SECRET_NAME \
              --docker-server=https://{{ ECR_REPOSITORY_URL }} \
              --docker-username=AWS \
              --docker-password="${TOKEN}" \
              --docker-email="${EMAIL}"
              echo "Secret created by name. $SECRET_NAME"
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}' -n {{ namespace }}
              echo "All done."
            env:
            - name: AWS_DEFAULT_REGION
              value: eu-west-1
            - name: AWS_SECRET_ACCESS_KEY
              value: '{{ AWS_SECRET_ACCESS_KEY }}'
            - name: AWS_ACCESS_KEY_ID
              value: '{{ AWS_ACCESS_KEY_ID }}'
            - name: ACCOUNT
              value: '{{ AWS_ACCOUNT_ID }}'
            - name: SECRET_NAME
              value: '{{ imagePullSecret }}'
            - name: REGION
              value: 'eu-west-1'
            - name: EMAIL
              value: '{{ ANY_EMAIL }}'
            image: odaniait/aws-kubectl:latest
            imagePullPolicy: IfNotPresent
            name: ecr-cred-helper
            resources: {}
            securityContext:
              capabilities: {}
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: Default
          hostNetwork: true
          restartPolicy: Never
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30
  schedule: 0 */6 * * *
  successfulJobsHistoryLimit: 3
  suspend: false

这篇关于kubernetes cronjob和更新秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！