As per recent posts, I've been falling in love with jq and using it for more and more and more ....
Today, it's Kubernetes meets jq
Specifically, working with secrets ... and following on from an earlier post: -
Gah, again with the ImagePullBackOff
So I'm creating a dummy secret, wrapped around some credentials for an IBM Container Registry (ICR) instance: -
kubectl create secret docker-registry foobar --docker-server='https://us.icr.io' --docker-username='iamapikey' --docker-password='THIS_IS_NOT_A_VALID_APIKEY'
Now the secret of type docker-registry essentially wraps the credentials ( whether it be for Docker Hub or an ICR instance or similar ) up in a Base64-encoded "blob", as evidenced by the query: -
kubectl get secret foobar --output json
{
"apiVersion": "v1",
"data": {
".dockerconfigjson": "eyJhdXRocyI6eyJodHRwczovL3VzLmljci5pbyI6eyJ1c2VybmFtZSI6ImlhbWFwaWtleSIsInBhc3N3b3JkIjoiVEhJU19JU19OT1RfQV9WQUxJRF9BUElLRVkiLCJhdXRoIjoiYVdGdFlYQnBhMlY1T2xSSVNWTmZTVk5mVGs5VVgwRmZWa0ZNU1VSZlFWQkpTMFZaIn19fQ=="
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2021-03-16T16:57:52Z",
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:.dockerconfigjson": {}
},
"f:type": {}
},
"manager": "kubectl-create",
"operation": "Update",
"time": "2021-03-16T16:57:52Z"
}
],
"name": "foobar",
"namespace": "default",
"resourceVersion": "19983",
"selfLink": "/api/v1/namespaces/default/secrets/foobar",
"uid": "26bdd49b-49c6-4133-a331-3e9cb6150a26"
},
"type": "kubernetes.io/dockerconfigjson"
}
so we can quickly inspect ( decode ) the secret, using jq to parse the output: -
kubectl get secret foobar --output json | jq -r .data[] | base64 -d
{"auths":{"https://us.icr.io":{"username":"iamapikey","password":"THIS_IS_NOT_A_VALID_APIKEY","auth":"aWFtYXBpa2V5OlRISVNfSVNfTk9UX0FfVkFMSURfQVBJS0VZ"}}}
This is a useful way to check input against output, and thus avoid GIGO.
The other jq related tip is in the context of Calico Node, where I was looking to inspect a daemonset to grab one specific data element - known as IP_AUTODETECTION_METHOD - in short, this can be used to ensure that the Calico Node pods use a specific network adapter inside each of the K8s nodes.
So I'd take a generic kubectl command such as: -
kubectl get daemonset/calico-node -n kube-system --output json
and then parse the output to only retrieve the value of IP_AUTODETECTION_METHOD : -
{
"name": "IP_AUTODETECTION_METHOD",
"value": "interface=eth.*"
}
I could, if I so chose, override that by editing the daemonset : -
kubectl set env daemonset/calico-node -n kube-system IP_AUTODETECTION_METHOD=interface=eth0
and then re-run the kubectl get command to check that the value had changed ....
Nice !