Writing Kubernetes tools in Go ,VCFSOFUFT.FFUVQ5PLZP %BJTVLF'VKJUB!EUBO

Daisuke Fujita @dtan4

$ k8sec CLI tool to manage Kubernetes Secrets easily

k8sec • Kubernetes Secret Λखܰʹ͍͡Δπʔϧ • Interface like Heroku CLI (heroku config) • Written in Go dtan4/k8sec $ k8sec \ [--kubeconfig KUBECONFIG] \ [--namespace NAMESPACE] \ ARGS

Why k8sec? • Secret ΛΞϓϦέʔγϣϯͷ؀ڥม਺ʹ࢖͍͍ͨ • kubectl Ͱ΍Δͱ໘౗ͩͬͨ • kubectl ͩͱҰൃͰ list, update Ͱ͖ͳ͍ • Ұ౓ YAML ʹు͍ͯ replace http://kubernetes.io/docs/user-guide/secrets/#using-secrets-as-environment-variables $ kubectl create secret generic my-secret \ --from-literal=key1=supersecret \ --from-literal=key2=topsecret $ kubectl get secret registrykey -o json \ | jq -r '.data[".dockercfg"]' | base64 -D

k8sec $ k8sec list rails NAME TYPE KEY VALUE rails Opaque database-url "postgres://example.com:5432/dbname" # Show values as base64-encoded string $ k8sec list --base64 rails NAME TYPE KEY VALUE rails Opaque database-url cG9zdGdyZXM6Ly9leGFtcGxlLmNvbTo1NDMyL2RibmFtZQ== Ұཡදࣔ list dtan4/k8sec

k8sec # Set secret $ k8sec set rails rails-env=production rails # Pass base64-encoded value $ echo dtan4 | base64 ZHRhbjQK $ k8sec set --base64 rails foo=ZHRhbjQK rails $ k8sec list rails NAME TYPE KEY VALUE rails Opaque database-url "postgres://example.com:5432/dbname" rails Opaque foo "dtan4\n" # Unset secret $ k8sec unset rails rails-env ઃఆɺղআ set,unset dtan4/k8sec

k8sec # Save as .env $ k8sec save -f .env rails $ cat .env database-url="postgres://example.com:5432/dbname" # Load .env $ k8sec load -f .env rails LFZWBMVFFOW load,save dtan4/k8sec

Why k8sec? • Secret ΛΞϓϦέʔγϣϯͷ؀ڥม਺ʹ࢖͍͍ͨ • kubectl Ͱ΍Δͱ໘౗ͩͬͨ • kubectl ͩͱҰൃͰ list, update Ͱ͖ͳ͍ • Ұ౓ YAML ʹు͍ͯ replace http://kubernetes.io/docs/user-guide/secrets/#using-secrets-as-environment-variables $ kubectl create secret generic my-secret \ --from-literal=key1=supersecret \ --from-literal=key2=topsecret $ kubectl get secret registrykey -o json \ | jq -r '.data[".dockercfg"]' | base64 -D

kubectl • ສೳʂ • API ΂ͬͨΓͳͷͰɺ࣮ӡ༻Ͱ͸࢖͍ʹ͍͘෦෼΋ • ඇӡ༻ଆ (e.g. Rails developer) ͕৮Δʹ͸
 ֶशίετ͕ߴ͍…ʁ => ࣗ෼ͨͪͷཁٻʹదͨ͠ wrapper Λ࡞Ζ͏

kubectl wrapper • ଞݴޠ͔Β kubectl ίϚϯυΛ௚઀ୟ͘ͷ͸
 εϚʔτ͡Όͳ͍ • kubectl ͬͯཁ͢Δʹ 
 Kubernetes API ΫϥΠΞϯτͰ͢ΑͶ • ௚઀ API Λୟ͘Α͏ʹ͢Ε͹͍͍ͷͰ͸…ʁ

Kubernetes API Client Library https://github.com/kubernetes/kubernetes/blob/master/docs/devel/client-libraries.md

k8s.io/kubernetes/pkg/client Official Kubernetes API client library

API ΫϥΠΞϯτ࡞੒ loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() loadingRules.ExplicitPath = clientcmd.RecommendedHomeFile loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{}) clientConfig, err := loader.ClientConfig() if err != nil { return nil, err } kubeClient, err := client.New(clientConfig) if err != nil { return nil, err } import ( "k8s.io/kubernetes/pkg/api" client "k8s.io/kubernetes/pkg/client/unversioned" "k8s.io/kubernetes/pkg/client/unversioned/clientcmd" )

API ΫϥΠΞϯτ࡞੒ loadingRules.ExplicitPath = clientcmd.RecommendedHomeFile • loadingRules.ExplicitPath ʹ
 ίϯϑΟάϑΝΠϧͷύεΛࢦఆ • RecommendedHomeFile == ~/.kube/config https://github.com/kubernetes/kubernetes/blob/master/pkg/client/unversioned/clientcmd/loader.go

API ݺͼग़͠ pods, err := kubeClient.Pods(api.NamespaceDefault).List(api.ListOptions{}) • ·ͣ Pods, Secret ͷΑ͏ʹϦιʔεࢦఆ w Ҿ਺͸/BNFTQBDF • api.NamespaceDefault == "default" • api.NamespaceSystem == "system" w ϦιʔεʹνΣΠϯͯ͠ૢ࡞Λࢦఆ • Get(name), List kubeClient.. https://github.com/kubernetes/kubernetes/blob/4a78db61370df83a37957490749f7d171b00c28a/pkg/api/types.go#L154-L161

Pod ҰཡΛग़ྗ for _, pod := range pods.Items { fmt.Println(pod.Name) } hello-world-e2d3x wordpress-mysql-488205646-t6v4k

஫ҙ • k8s.io/kubernetes ͸ Kubernetes ຊମͷϦϙδτϦ ͳͷͰɺͰ͔ͯ͘ॏ͍ (400 Mbyte ~) • github.com/docker/docker ΋ґଘͯ͠Δ • Godeps Έ͍ͨʹ vendoring ΛϦϙδτϦʹؚΊΔ
 ৔߹͸ཁ஫ҙ • glide ࢖͓͏ • kubectl ͷιʔε (pkg/kubectl) Λಡ΋͏

·ͱΊ • Secret Λ؆୯ʹѻ͑Δ k8sec ͱ͍͏πʔϧΛ
 ࡞Γ·ͨ͠ • Go ͷ API client library Λ࢖ͬͯɺKubernetes Λ
 ௚઀ૢ࡞͢Δํ๏Λ঺հ͠·ͨ͠ • ܅͚ͩͷ Kubernetes tool Λ࡞Ζ͏