OpenShift - List Secrets using REST API

This assumes you have used the curl REST API to obtain an OAuth bearer token. Let's say the bearer token is sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U.

There are different ways to configure a container with environment variables.

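Here is how you would list the secrets in the "default" namespace using the curl REST API. The oc config view or oc get apiserver commands can be used to display the API Server URL (api.openshift.example.com in this example). Note that --insecure turns off TLS certificate verification, so the bearer token is sent without confirming the server's identity; where the API server certificate chains to a CA you trust, drop --insecure or pass the CA bundle with --cacert.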

curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/api/v1/namespaces/default/secrets"

If the items array in the response is not empty, the namespace contains one or more secrets. A secret looks like this.

{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "mysecret",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/secrets/mysecret",
    "uid": "cf858bde-be0f-40ae-a882-2daa815335a4",
    "resourceVersion": "136899647",
    "creationTimestamp": "2021-11-18T11:51:46Z",
    "managedFields": [
      {
        "manager": "kubectl-create",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2021-11-18T11:51:46Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:data":{".":{},"f:foo":{}},"f:type":{}}
      }
    ]
  },
  "data": {
    "foo": "YmFy"
  },
  "type": "Opaque"
}

Or to return a specific secret, such as "mysecret".

curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/api/v1/namespaces/default/secrets/mysecret"

If the secret does not exist, something like this will be returned.

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "secrets \"mysecret\" not found",
  "reason": "NotFound",
  "details": {
    "name": "mysecret",
    "kind": "secrets"
  },
  "code": 404
}

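Assuming the secret exists, notice that the "foo" key contains "YmFy". The secret value is base64 encoded, not encrypted, so any account that can get or list secrets in the namespace can recover the plaintext.

  "data": {
    "foo": "YmFy"
  }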

On a Linux system, the base64 command can be used to decode the value.

~]# echo YmFy | base64 --decode
bar

You may also want to use the REST API to list the pods to determine the pods that are using a secret.

curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/api/v1/namespaces/foo/pods"

Pods that have a secret mounted as a volume will contain output like this.

{
  "kind": "Pod",
  "apiVersion": "v1",
  "spec": {
    "volumes": [
      {
        "name": "myvolume",
        "secret": {
          "secretName": "mysecret",
          "defaultMode": 420
        }
      }
    ]
  }
}
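
To answer "which pods use this secret" from the pod list response without reading the JSON by eye, the following added example (not part of the original article) walks a PodList and reports each pod that references a named secret. It goes beyond the volume case shown above and also checks env secretKeyRef, envFrom secretRef and imagePullSecrets; the sample PodList, its pod names and the names regcred and othersecret are constructed for illustration.

```python
import json

# Constructed sample of a GET /api/v1/namespaces/<ns>/pods response (PodList).
SAMPLE_PODLIST = json.loads("""
{"kind": "PodList", "apiVersion": "v1", "items": [
  {"metadata": {"name": "web-1"},
   "spec": {"volumes": [{"name": "myvolume",
                         "secret": {"secretName": "mysecret", "defaultMode": 420}}],
            "containers": [{"name": "web"}]}},
  {"metadata": {"name": "worker-1"},
   "spec": {"containers": [{"name": "worker", "env": [
     {"name": "FOO", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "foo"}}}]}]}},
  {"metadata": {"name": "batch-1"},
   "spec": {"imagePullSecrets": [{"name": "regcred"}],
            "containers": [{"name": "batch",
                            "envFrom": [{"secretRef": {"name": "othersecret"}}]}]}}
]}
""")

def secret_refs(pod):
    """Yield (secret_name, how) for the secret references checked here."""
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        if "secret" in vol:                      # secret mounted as a volume
            yield vol["secret"]["secretName"], "volume:" + vol["name"]
    for ips in spec.get("imagePullSecrets", []):  # registry credentials
        yield ips["name"], "imagePullSecret"
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):             # single key exposed as env var
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                yield ref["name"], "env:%s/%s" % (c["name"], env["name"])
        for src in c.get("envFrom", []):         # whole secret exposed as env vars
            if "secretRef" in src:
                yield src["secretRef"]["name"], "envFrom:" + c["name"]

def pods_using(podlist, secret_name):
    """Map pod name -> list of ways that pod references secret_name."""
    hits = {}
    for pod in podlist.get("items", []):
        how = [h for name, h in secret_refs(pod) if name == secret_name]
        if how:
            hits[pod["metadata"]["name"]] = how
    return hits

if __name__ == "__main__":
    print(pods_using(SAMPLE_PODLIST, "mysecret"))
```

A pod can only reference secrets in its own namespace, so feed this the pod list from the same namespace the secret lives in.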

 

 




Web design by yours truly - me, myself, and I | jeremy.canfield@freekb.net