15

I want to do the opposite of this question:

How to create secrets using Kubernetes Python client?

i.e.:

How do I read an existing secret from a kubernetes cluster via the kubernetes-python API?

The use case is: I want to authenticate to mongodb (running in my cluster) from a jupyter notebook (also running in my cluster) without, for obvious reasons, saving the mongodb auth password inside the jupyter notebook.

Thanks!

jtlz2
  • 7,700
  • 9
  • 64
  • 114
  • 1
    how about injecting the secrets as env variables to the pod? https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-environment-variables – Amityo Mar 14 '19 at 12:10

2 Answers2

23
  1. Install Kubernetes client for python
  2. Now you can pull the secret. For example secret name - mysql-pass, namespace - default
from kubernetes import client, config
config.load_kube_config()
v1 = client.CoreV1Api()
secret = v1.read_namespaced_secret("mysql-pass", "default")
print(secret)
  1. If you need to extract decoded password from the secret
from kubernetes import client, config
import base64
import sys    
config.load_kube_config()
v1 = client.CoreV1Api()
sec = str(v1.read_namespaced_secret("mysql-pass", "default").data)
pas = base64.b64decode(sec.strip().split()[1].translate(None, '}\''))
print(pas)

Hope this will help.

A_Suh
  • 3,727
  • 6
  • 22
8

If you use kubernetes client api it will give you response as a dict datatype and you might not need to do spiting etc, You can say something like this,

from kubernetes import client, config
import base64
config.load_kube_config()
v1 = client.CoreV1Api()
sec = v1.read_namespaced_secret("default-token-rsbq7", "default").data
cert = base64.b64decode(sec["ca.crt"])
print(cert)
Shantanu
  • 2,206
  • 18
  • 16