Question 11: Secrets in ETCD

Problem Statement

Solve this question on: ssh cks7262

There is an existing Secret called database-access in Namespace team-green.

Tasks:

  1. Read the complete Secret content directly from ETCD (using etcdctl) and store it into /opt/course/11/etcd-secret-content on cks7262
  2. Write the plain and decoded Secret's value of key "pass" into /opt/course/11/database-password on cks7262
Use sudo -i to become root, which may be required for this question.

Solution

Step 1: Access ETCD

First, let's connect to the control plane node and check etcdctl:

➜ ssh cks7262

➜ candidate@cks7262:~# sudo -i

➜ root@cks7262:~# etcdctl
NAME:
   etcdctl - A simple command line client for etcd.

WARNING:
   Environment variable ETCDCTL_API is not set; defaults to etcdctl v2.
   Set environment variable ETCDCTL_API=3 to use v3 API or ETCDCTL_API=2 to use v2 API.

USAGE:
   etcdctl [global options] command [command options] [arguments...]
...
   --cert-file value   identify HTTPS client using this SSL certificate file
   --key-file value    identify HTTPS client using this SSL key file
   --ca-file value     verify certificates of HTTPS-enabled servers using this CA bundle
...

The help text above is for the v2 API; with ETCDCTL_API=3 the TLS flags are named --cacert, --cert and --key instead. etcd only accepts client certificates signed by its own CA, and the kube-apiserver holds such a certificate. Its static Pod manifest tells us where the files are:

➜ root@cks7262:~# cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
Step 2: Read Secret from ETCD

Now we can query ETCD for the Secret. Secrets are stored under /registry/secrets/<namespace>/<name>; --endpoints defaults to 127.0.0.1:2379, which matches --etcd-servers above. The output is written straight to the required file:

➜ root@cks7262:~# ETCDCTL_API=3 etcdctl \
--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
--key /etc/kubernetes/pki/apiserver-etcd-client.key \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
get /registry/secrets/team-green/database-access > /opt/course/11/etcd-secret-content

The saved content (non-printable protobuf bytes dropped) looks like this:

# cks7262:/opt/course/11/etcd-secret-content

/registry/secrets/team-green/database-access
k8s


v1Secret

database-access
team-green"*$a01ef408-0a40-4fee-bd26-7adf346b3d222bB
0kubectl.kubernetes.io/last-applied-configuration{"apiVersion":"v1","data":{"pass":"Y29uZmlkZW50aWFs"},"kind":"Secret","metadata":{"annotations":{},"name":"database-access","namespace":"team-green"}}

kubectl-client-side-applyUpdatevFieldsV1:
{"f:data":{".":{},"f:pass":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}B
pass
    confidentialOpaque"
Step 3: Decode Secret Value

The stored object is a protobuf-serialised Secret, not JSON. Note that the value of "pass" is visible as the raw bytes "confidential" near the end of the dump: this cluster has no encryption at rest configured for Secrets, so anyone who can read the etcd client certificate (or /etc/kubernetes/pki on the control plane) can read every Secret. An encrypted value would instead begin with a k8s:enc: prefix. The base64-encoded form Y29uZmlkZW50aWFs appears in the kubectl.kubernetes.io/last-applied-configuration annotation; decode it:

➜ root@cks7262:~# echo Y29uZmlkZW50aWFs | base64 -d > /opt/course/11/database-password

➜ root@cks7262:~# cat /opt/course/11/database-password
confidential
The secret has been successfully retrieved and decoded:
  • The complete secret content has been read from ETCD and saved
  • The "pass" key value has been decoded from base64 and saved
  • The decoded value is "confidential"
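As an added example (not part of the course solution), the script below wraps the steps above into reusable shell functions and adds the check a security reviewer would want at this point: whether the stored value is encrypted at rest. The kube-apiserver manifest and the Secret dump it operates on are constructed test data mirroring the question's output, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original course solution. Helper functions
# for the workflow above: discover the etcd client certs from the
# kube-apiserver manifest, build the etcdctl v3 command, check whether a
# stored value is encrypted at rest, and pull out one key of a Secret.
# The manifest and Secret dump below are constructed test data that mirror
# the question's output; everything else uses only standard tools.
set -eu

# Print the value of one kube-apiserver flag (e.g. etcd-cafile) from a
# static Pod manifest. Lines look like "    - --etcd-cafile=/path".
apiserver_flag() {
  sed -n "s/^ *- --$1=\(.*\)$/\1/p" "$2" | head -n1
}

# Compose the etcdctl v3 invocation for the cluster described by a manifest.
# v3 flag names differ from the v2 help text (--cacert/--cert/--key).
etcd_cmd() {
  local manifest="$1"
  printf 'ETCDCTL_API=3 etcdctl --endpoints=%s --cacert=%s --cert=%s --key=%s' \
    "$(apiserver_flag etcd-servers "$manifest")" \
    "$(apiserver_flag etcd-cafile "$manifest")" \
    "$(apiserver_flag etcd-certfile "$manifest")" \
    "$(apiserver_flag etcd-keyfile "$manifest")"
}

# Return 0 when a stored value is encrypted at rest. kube-apiserver prefixes
# encrypted values with "k8s:enc:<provider>:v1:<keyname>:"; a plaintext
# Secret starts with the protobuf magic "k8s" followed by a NUL byte.
# Feed it: $(etcdctl ... get --print-value-only <key> | head -c 16)
is_encrypted_at_rest() {
  case "$1" in
    k8s:enc:*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Decode key $2 of a Secret dump $1. The raw protobuf carries the plaintext
# bytes, but the last-applied-configuration annotation (written by
# kubectl apply) carries the same value base64-encoded, which is what the
# question asks us to decode.
secret_value() {
  local dump="$1" key="$2" b64
  b64=$(printf '%s' "$dump" | grep -o "\"$key\":\"[^\"]*\"" | head -n1 | cut -d'"' -f4 || true)
  [ -n "$b64" ] || { echo "key '$key' not found in last-applied-configuration" >&2; return 1; }
  printf '%s' "$b64" | base64 -d
}

# --- constructed sample data (mirrors the question, not captured from etcd) ---
SAMPLE_MANIFEST=$(mktemp)
trap 'rm -f "$SAMPLE_MANIFEST"' EXIT
cat >"$SAMPLE_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
EOF

# Printable approximation of the stored Secret (binary protobuf bytes omitted).
SAMPLE_DUMP='k8s v1Secret database-access team-green
kubectl.kubernetes.io/last-applied-configuration{"apiVersion":"v1","data":{"pass":"Y29uZmlkZW50aWFs"},"kind":"Secret","metadata":{"annotations":{},"name":"database-access","namespace":"team-green"}}
pass confidential Opaque'

echo "would run: $(etcd_cmd "$SAMPLE_MANIFEST") get /registry/secrets/team-green/database-access"
if is_encrypted_at_rest "$SAMPLE_DUMP"; then
  echo "Secret is encrypted at rest"
else
  echo "Secret is stored in plaintext in etcd"
fi
echo "pass = $(secret_value "$SAMPLE_DUMP" pass)"
```

On a real control plane, replace SAMPLE_MANIFEST with /etc/kubernetes/manifests/kube-apiserver.yaml and pipe the output of the printed etcdctl command (with --print-value-only) into is_encrypted_at_rest; a Secret that is readable the way this question's dump is means encryption at rest is not in place.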