Last active
April 30, 2024 13:53
fetch secret test oci
package main | |
import ( | |
"context" | |
"encoding/base64" | |
"log" | |
"os" | |
"time" | |
"github.com/oracle/oci-go-sdk/v65/common" | |
"github.com/oracle/oci-go-sdk/v65/common/auth" | |
"github.com/oracle/oci-go-sdk/v65/secrets" | |
) | |
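// main fetches one secret from an OCI Vault using OKE workload identity and
// then idles so the pod stays running.
//
// Configuration is read from the environment: OCI_VAULT_ID is the OCID of the
// vault and OCI_SECRET_NAME is the name of the secret inside it. Every failure
// is fatal: the reason is logged and the process exits non-zero.
func main() {
	vaultId := os.Getenv("OCI_VAULT_ID")
	if vaultId == "" {
		log.Fatal("env OCI_VAULT_ID must be specified.")
	}
	secretName := os.Getenv("OCI_SECRET_NAME")
	if secretName == "" {
		log.Fatal("env OCI_SECRET_NAME must be specified.")
	}

	log.Printf("Starting secret test...")

	// The provider authenticates as the pod's Kubernetes service account, so
	// no API key or other long-lived credential is stored in the image.
	rp, err := auth.OkeWorkloadIdentityConfigurationProvider()
	if err != nil {
		log.Fatalf("Unable to load workload identity config provider: %v", err)
	}
	client, err := secrets.NewSecretsClientWithConfigurationProvider(rp)
	if err != nil {
		log.Fatalf("Unable to auth to OCI: %v", err)
	}

	log.Printf("Fetching secret %s from vault %s", secretName, vaultId)
	resp, err := client.GetSecretBundleByName(context.Background(), secrets.GetSecretBundleByNameRequest{
		SecretName: common.String(secretName),
		VaultId:    common.String(vaultId),
	})
	// Logged before the error check on purpose: it marks that the call
	// returned at all, whether or not it succeeded.
	log.Printf("Response received.")
	if err != nil {
		log.Fatalf("Failed to get secret: %v", err)
	}

	secret, ok := resp.SecretBundleContent.(secrets.Base64SecretBundleContentDetails)
	if !ok {
		// err is nil on this path, so report the type that was actually
		// returned instead of printing "<nil>".
		log.Fatalf("Failed to unpack secret: unexpected content type %T", resp.SecretBundleContent)
	}
	if secret.Content == nil {
		// Guard the dereference below; a bundle without content would
		// otherwise panic.
		log.Fatal("Failed to unpack secret: bundle has no content")
	}

	value, err := base64.StdEncoding.DecodeString(*secret.Content)
	if err != nil {
		// Fatalf, not Fatal: Fatal does not interpret format verbs, and %w is
		// only meaningful to fmt.Errorf.
		log.Fatalf("failed to decode secret: %v", err)
	}

	// Report only the size. Pod logs are readable by anyone with log access
	// to the namespace and are commonly shipped to a log aggregator, so the
	// decoded value must not be written there.
	log.Printf("Got secret %s (%d bytes); value not logged", secretName, len(value))

	go forever()
	select {} // block indefinitely so the container does not exit
}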
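// forever logs the current time once per second and never returns. main
// starts it in a goroutine so the pod keeps producing output after the secret
// fetch has finished.
func forever() {
	for {
		// Plain %v: a "+" placed after the verb is printed literally, and
		// log.Printf appends the trailing newline itself.
		log.Printf("%v", time.Now())
		time.Sleep(time.Second)
	}
}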
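# Dedicated namespace for the secret-fetch test workload.
apiVersion: v1
kind: Namespace
metadata:
  name: secret-test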
--- | |
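# Service account the fetch pod runs as. With OKE workload identity this
# account is the principal that OCI sees, so the IAM policy that grants read
# access to the secret should be limited to this namespace and account name
# (policy not shown here; confirm its scope).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-test
  namespace: secret-test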
--- | |
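# Single-replica Deployment that runs the secret-fetch test binary.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fetch
  namespace: secret-test
spec:
  selector:
    matchLabels:
      app: fetch
  replicas: 1
  template:
    metadata:
      labels:
        app: fetch
    spec:
      serviceAccountName: secret-test
      # The workload identity provider presents the pod's service account
      # token to OCI, so the token has to be mounted.
      automountServiceAccountToken: true
      containers:
        - name: fetch
          # ":latest" with "Always" means every restart runs whatever was last
          # pushed to this tag. Pin a digest for anything longer-lived than a
          # throwaway test.
          image: tkellen/test:latest
          imagePullPolicy: Always
          env:
            - name: OCI_VAULT_ID
              value: ocid1.vault.oc1.iad.ejtdbtklaaeac.abuwcljrrnjnyaah7q3yggwlqbecagaqz4dx4x6bhvp5hoxutgwsxp6twkha
            - name: OCI_SECRET_NAME
              value: test-secret
            - name: OCI_RESOURCE_PRINCIPAL_VERSION
              value: "2.2"
            - name: OCI_RESOURCE_PRINCIPAL_REGION
              value: us-ashburn-1
            # Verbose SDK logging writes the service account token and the
            # signed Authorization header of each request to the pod log.
            # Enable it only for short debugging sessions, and scrub tokens
            # from any log output before sharing it.
            - name: OCI_GO_SDK_DEBUG
              value: verbose
      # Schedule only onto nodes labelled and tainted for app workloads.
      nodeSelector:
        node.kubernetes.io/app: "true"
      tolerations:
        - key: node.kubernetes.io/app
          operator: Equal
          value: "true"
          effect: NoSchedule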
❯ k logs -n secret-test fetch-7cdf46d6c5-pgqsq | |
INFO 2024/04/30 13:44:08.673560 log.go:106: logger level set to: 3 | |
INFO 2024/04/30 13:44:08.673652 eventual_consistency.go:76: (pid=1, gid=1) OCI_GO_SDK_EC_CONFIG: Unknown ec mode '', assuming 'inprocess' | |
INFO 2024/04/30 13:44:08.673671 log.go:106: logger level set to: 3 | |
2024/04/30 13:44:08 Starting secret test... | |
DEBUG 2024/04/30 13:44:08.673852 common.go:562: No Developer Tool Config File provided. | |
DEBUG 2024/04/30 13:44:08.673867 federation_client_oke_workload_identity.go:54: Refreshing session key | |
INFO 2024/04/30 13:44:08.736887 federation_client_oke_workload_identity.go:182: Renewing security token at: 13:44:08.736 | |
INFO 2024/04/30 13:44:08.736939 federation_client_oke_workload_identity.go:59: Public Key for OKE Workload Identity is:%!(EXTRA string=-----BEGIN PUBLIC KEY----- | |
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9Y6nmt+nNHJxR+tyNQW | |
V+IFBHfc7be1qIYk29k9w1VhVuPobG2nCwkaZAvRCdhCNutLa/aQ3DK0d4hDNDq5 | |
UZvqL8FS9HVJ1soDHOgnqaj54OcFkmMcq7MgsomclIuPlj0Snqi2j7rTTXlwHopT | |
T+deQApr1ZDSRbt3sRZ5A7g9EsvNMW8wBowmsF77vtAuZUFlurc8349lgV0SSGtS | |
7puv7MmPStAkPHffrNcdIvvRrvsIrCLbDTm/tMMf6oX3b/bEyZNXOCjzY0no3y7D | |
Cg4pa3WAczNG/Q8PUcXE6AcKmUQ6XYt0HV/DcSvd933KU3som6qSeMEWbWVNnyAn | |
vQIDAQAB | |
-----END PUBLIC KEY----- | |
) | |
INFO 2024/04/30 13:44:08.736994 federation_client_oke_workload_identity.go:59: Payload for OKE Workload Identity is:%!(EXTRA string={"podKey":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9Y6nmt+nNHJxR+tyNQW\nV+IFBHfc7be1qIYk29k9w1VhVuPobG2nCwkaZAvRCdhCNutLa/aQ3DK0d4hDNDq5\nUZvqL8FS9HVJ1soDHOgnqaj54OcFkmMcq7MgsomclIuPlj0Snqi2j7rTTXlwHopT\nT+deQApr1ZDSRbt3sRZ5A7g9EsvNMW8wBowmsF77vtAuZUFlurc8349lgV0SSGtS\n7puv7MmPStAkPHffrNcdIvvRrvsIrCLbDTm/tMMf6oX3b/bEyZNXOCjzY0no3y7D\nCg4pa3WAczNG/Q8PUcXE6AcKmUQ6XYt0HV/DcSvd933KU3som6qSeMEWbWVNnyAn\nvQIDAQAB\n-----END PUBLIC KEY-----\n"}) | |
INFO 2024/04/30 13:44:08.737085 federation_client_oke_workload_identity.go:59: Service Account Token for OKE Workload Identity is: %!(EXTRA string=eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5Nb1lFQmd5bm1URnBXQm1oQnZ0LWQ5MEloVFY5LXY2UVlDUlhlNHV6WkUifQ.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.rDZS3RLDYVU9gr5PsKKouc2-XPYlz_bfkbJyNtTw4zVLtQpPcILhF_2Eq4bPrAXTo56h_OtMG4xeeCNS6BEher4op7ftpmbzx61kDWr7qT4TM4fSSlENibEXOSkRBxedOOxHibsvLM3lRcuSNxtWiRNQ7ewgAKP0V3appzV7_13nEgpUJFYLjz95iaZPzBSvvz8D1V8kh3vCuw77jKQP0exz2I4pCBPjkXO8AEgyscrK8AS8fR0TdKkyhBHlY7W7DxC1Uv4NVc5J2J7JrQvd5NK-1blazwcl7EIYn8T8tF8Z-TXolV1gl9fmCQYKrB975vmqRXPzKbB-bXze5yGnkQ) | |
INFO 2024/04/30 13:44:08.789749 federation_client_oke_workload_identity.go:182: Security token renewed at: 13:44:08.789 | |
DEBUG 2024/04/30 13:44:08.789826 client.go:237: Setting the default refresh interval 30 for custom certs | |
2024/04/30 13:44:08 Fetching secret test-secret from vault ocid1.vault.oc1.iad.ejtdbtklaaeac.abuwcljrrnjnyaah7q3yggwlqbecagaqz4dx4x6bhvp5hoxutgwsxp6twkha | |
DEBUG 2024/04/30 13:44:08.789913 eventual_consistency.go:332: (pid=1, gid=8) EcContext.GetEndOfWindow returns <nil> | |
DEBUG 2024/04/30 13:44:08.789929 retry.go:455: Use default timing and strategy, no EC window set | |
DEBUG 2024/04/30 13:44:08.789947 asm_amd64.s:1695: Retry policy to use: {MaximumNumberAttempts=8, MinSleepBetween=0, MaxSleepBetween=30, ExponentialBackoffBase=2, NonEventuallyConsistentPolicy=<nil>} | |
DEBUG 2024/04/30 13:44:08.789954 asm_amd64.s:1695: operation attempt #1 | |
DEBUG 2024/04/30 13:44:08.789967 http.go:725: Marshaling to Request: GetSecretBundleByNameRequest | |
DEBUG 2024/04/30 13:44:08.789979 http.go:645: Marshaling to query from field: SecretName | |
DEBUG 2024/04/30 13:44:08.790012 http.go:645: Marshaling to query from field: VaultId | |
DEBUG 2024/04/30 13:44:08.790022 http.go:639: Marshaling to header from field: OpcRequestId | |
DEBUG 2024/04/30 13:44:08.790033 http.go:520: add request id for header: opc-request-id, with value: 64bed2bc8f0edc662a3dc2bc6d93e312 | |
DEBUG 2024/04/30 13:44:08.790043 http.go:645: Marshaling to query from field: VersionNumber | |
DEBUG 2024/04/30 13:44:08.790051 http.go:645: Query parameter value is not mandatory and is nil pointer in field: VersionNumber. Skipping query | |
DEBUG 2024/04/30 13:44:08.790058 http.go:645: Marshaling to query from field: SecretVersionName | |
DEBUG 2024/04/30 13:44:08.790064 http.go:645: Query parameter value is not mandatory and is nil pointer in field: SecretVersionName. Skipping query | |
DEBUG 2024/04/30 13:44:08.790071 http.go:645: Marshaling to query from field: Stage | |
DEBUG 2024/04/30 13:44:08.790077 http.go:645: Omitting Stage, is empty and omitEmpty tag is set | |
DEBUG 2024/04/30 13:44:08.790087 http.go:698: RequestMetadata does not contain contributes tag. Skipping. | |
DEBUG 2024/04/30 13:44:08.790094 client.go:624: Attempting to call downstream service | |
DEBUG 2024/04/30 13:44:08.792328 client.go:696: Dump Request POST /20190301/secretbundles/actions/getByName?secretName=test-secret&vaultId=ocid1.vault.oc1.iad.ejtdbtklaaeac.abuwcljrrnjnyaah7q3yggwlqbecagaqz4dx4x6bhvp5hoxutgwsxp6twkha HTTP/1.1 | |
Host: secrets.vaults.us-ashburn-1.oci.oraclecloud.com | |
User-Agent: Oracle-GoSDK/65.64.0 (linux/amd64; go/go1.22.1) | |
Content-Length: 0 | |
Accept: */* | |
Authorization: Signature version="1",headers="date (request-target) host content-length content-type x-content-sha256",keyId="ST$eyJraWQiOiJhc3dfb2MxX2o0eGQiLCJhbGciOiJSUzI1NiJ9.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.ZJl32XYfx3y3fZjh4MRu0aFgSerDBi6rfkR5Ac0i2_moeNXg1nvk-DjsiaON2xrU_Hl2mWojKkmpyHpDRf92vzpmASYua3cbwMppcWQlALLYaNXwSUBv9c47OHhtiP-8sAxC01CoXs6Fan37-225SKdDNyf1gHlumzuEVnukO0_JoA0Ix0v_eEgoBWr0U-dclXLp8oG6qiqNKFiql5JUc-NioRnuNM25osK1LLvpkut_HHFtl2wiNK0wX41iyhlGYw3nLAW4WZ9Lq6dR1arL3chaxZ7Re9uxoBlx-ALS7N0SDIRkln8zVdLDFUeGqaA8TbI7CQxUaWy1wZ7FpIp3Sw",algorithm="rsa-sha256",signature="BUHoPMFG3VOX2tKN1e+x5TFSgYbkjidmUhOJIYlg65+6XOZgcPk3+8p6nl4GZRsrBBWV11x1HAJ7+uTqEu1nkSR8npuEMuTSa1n/NZKzVbMl2JEpQjSuNPvcVtEIbKlOpwusuf5OVPNijHBmSgNqhExQSgMpQ0gDay3zSeZ7cDbN53Ia9+ll/Z2y0Ty6/DZ0EznTkz71W16hi54G8lnAvHBYl4x/YSaQjBKQHNd27AFDLDaTdFDofu+xQ1KA4cQL3cQmZ8r4NlUed+SzLj/2Zr3ZdtenX9OzqdQsafFoG/miVdWh51fRfsf+LfVmzRU85COPfY/rbj7lfhouNGzxFQ==" | |
Content-Type: application/json | |
Date: Tue, 30 Apr 2024 13:44:08 GMT | |
Opc-Client-Info: Oracle-GoSDK/65.64.0 | |
Opc-Client-Retries: true | |
Opc-Request-Id: 64bed2bc8f0edc662a3dc2bc6d93e312 | |
X-Content-Sha256: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= | |
Accept-Encoding: gzip | |
INFO 2024/04/30 13:44:08.792358 oci_http_transport_wrapper.go:41: Loading tls config from TLSConfigProvider |