
This assumes you have used the REST API to obtain an OAuth bearer token. Let's say the bearer token is sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U.
There are different ways to configure a container with environment variables.
- In a deployment YAML file
- Using Config Map
- Using Secrets (this article)
Here is how you would list the secrets in the "default" namespace using curl against the REST API. The oc config view or oc get apiserver commands can be used to display the API Server URL (api.openshift.example.com in this example).
curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/api/v1/namespaces/default/secrets"
If the items array contains key value pairs, this means the namespace contains one or more secrets.
{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "mysecret",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/secrets/mysecret",
    "uid": "cf858bde-be0f-40ae-a882-2daa815335a4",
    "resourceVersion": "136899647",
    "creationTimestamp": "2021-11-18T11:51:46Z",
    "managedFields": [
      {
        "manager": "kubectl-create",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2021-11-18T11:51:46Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:data":{".":{},"f:foo":{}},"f:type":{}}
      }
    ]
  },
  "data": {
    "foo": "YmFy"
  },
  "type": "Opaque"
}
Or, to return a specific secret such as "mysecret":
curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/api/v1/namespaces/default/secrets/mysecret"
If the secret does not exist, something like this will be returned.
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "secrets \"mysecret\" not found",
  "reason": "NotFound",
  "details": {
    "name": "mysecret",
    "kind": "secrets"
  },
  "code": 404
}
Assuming the secret exists, notice that the "foo" key contains "YmFy". The secret value is only base64 encoded, not encrypted.
"data": {
  "foo": "YmFy"
}
On a Linux system, the base64 command can be used to decode the value.
~]# echo YmFy | base64 --decode
bar
You may also want to use the REST API to list the pods to determine the pods that are using a secret.
curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/api/v1/namespaces/foo/pods"
Pods that have a secret mounted as a volume will contain output like this.
{
  "kind": "Pod",
  "apiVersion": "v1",
  "spec": {
    "volumes": [
      {
        "name": "myvolume",
        "secret": {
          "secretName": "mysecret",
          "defaultMode": 420
        }
      }
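The pod lookup above shows only the volume case. As an added example (not from the original article), this Python script decodes a secret's data and reports every pod in a pod list response that references the secret as a volume, through a single environment variable (secretKeyRef) or through envFrom (secretRef), which goes beyond the volume case shown here; the sample JSON is constructed and the function names are hypothetical.

```python
import base64
import json

# Constructed sample responses (trimmed) shaped like GET .../secrets/mysecret
# and GET .../pods; they are not output captured from a real cluster.
SECRET_JSON = '{"kind": "Secret", "metadata": {"name": "mysecret"}, "data": {"foo": "YmFy"}}'
POD_LIST_JSON = json.dumps({"kind": "PodList", "items": [
    {"metadata": {"name": "pod-volume"}, "spec": {"containers": [{"name": "app"}], "volumes": [
        {"name": "myvolume", "secret": {"secretName": "mysecret", "defaultMode": 420}}]}},
    {"metadata": {"name": "pod-env"}, "spec": {"containers": [{"name": "app", "env": [
        {"name": "FOO", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "foo"}}}]}]}},
    {"metadata": {"name": "pod-envfrom"}, "spec": {"containers": [
        {"name": "app", "envFrom": [{"secretRef": {"name": "mysecret"}}]}]}},
    {"metadata": {"name": "pod-none"}, "spec": {"containers": [{"name": "app"}]}},
]})

def decode_secret(secret):
    """Return the secret's data with every base64 value decoded to bytes."""
    return {k: base64.b64decode(v) for k, v in (secret.get("data") or {}).items()}

def secret_references(pod, secret_name):
    """Return the ways one pod references secret_name (empty list if none)."""
    spec, found = pod.get("spec") or {}, []
    for vol in spec.get("volumes") or []:
        if (vol.get("secret") or {}).get("secretName") == secret_name:
            found.append("volume:" + vol["name"])
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        for env in c.get("env") or []:
            ref = (env.get("valueFrom") or {}).get("secretKeyRef") or {}
            if ref.get("name") == secret_name:
                found.append("env:" + env["name"])
        for src in c.get("envFrom") or []:
            if (src.get("secretRef") or {}).get("name") == secret_name:
                found.append("envFrom:" + c["name"])
    return found

def pods_using_secret(pod_list, secret_name):
    """Map pod name -> list of references for every pod that uses the secret."""
    result = {}
    for pod in pod_list.get("items") or []:
        refs = secret_references(pod, secret_name)
        if refs:
            result[pod["metadata"]["name"]] = refs
    return result

if __name__ == "__main__":
    print(decode_secret(json.loads(SECRET_JSON)))
    print(pods_using_secret(json.loads(POD_LIST_JSON), "mysecret"))
```

To run it against a cluster, save the curl responses to files and pass the parsed JSON to the same functions.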