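Recently at work I ran into a task: automatically rotating a secret by modifying the annotations in a ServiceBinding's YAML.
The same approach can also be used to dynamically modify resources such as pods, deployments, and services.
The YAML before the change looks like this: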
apiVersion: v1
kind: ServiceBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "2"
  ...
spec:
  credentialsRotationPolicy:
    enabled: false
    rotatedBindingTTL: 72h
    rotationFrequency: 1500h
  externalName: xxx
  secretName: xxx
  ...
For this resource, we need to add "services.cloud.sap.com/forceRotate": "true" to the annotations and set enabled under credentialsRotationPolicy to true.
The steps are as follows:
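# Build the merge patch; the variable is double-quoted so its value is not word-split or glob-expanded.
json_patch='{"metadata":{"annotations":{"services.cloud.sap.com/forceRotate": "true"}},"spec":{"credentialsRotationPolicy":{"enabled":true,"rotationFrequency":"'"$rotationFrequency"'"}}}'
# Apply it as a JSON merge patch to the ServiceBinding in namespace $ns.
kubectl patch servicebinding "$service_binding_name" -n "$ns" --type merge --patch "$json_patch"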
After the change, the YAML output becomes:
apiVersion: v1
kind: ServiceBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "2"
  ...
spec:
  credentialsRotationPolicy:
    enabled: true
    rotatedBindingTTL: 72h
    rotationFrequency: 1500h
  externalName: xxx
  secretName: xxx
  ...
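The patch command above splices a shell variable straight into JSON and passes names to kubectl unchecked, so the following added example (not part of the original post) validates those inputs before patching. The function names are hypothetical, the duration format is an assumption based on the 72h and 1500h values shown above, and the name check follows the Kubernetes lowercase DNS-style naming rule.

```shell
#!/usr/bin/env bash
# Added example: validate inputs before building and applying the rotation patch.
LC_ALL=C  # byte-wise character ranges in the patterns below

# Assumed format: one or more <digits><h|m|s> groups, e.g. 1500h or 1h30m.
valid_duration() {
  case "$1" in
    ''|*[!0-9hms]*) return 1 ;;   # rejects quotes, commas, spaces, newlines
  esac
  printf '%s' "$1" | grep -Eq '^([0-9]+[hms])+$'
}

# Lowercase alphanumerics, '-' and '.', not starting or ending with '-' or '.'.
# This also stops a value such as "--kubeconfig=..." being parsed as a kubectl flag.
valid_k8s_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-]) return 1 ;;
  esac
}

# Print the merge patch, or fail if the frequency could alter the JSON structure.
build_rotate_patch() {
  valid_duration "$1" || { echo "invalid rotationFrequency: $1" >&2; return 1; }
  printf '{"metadata":{"annotations":{"services.cloud.sap.com/forceRotate":"true"}},"spec":{"credentialsRotationPolicy":{"enabled":true,"rotationFrequency":"%s"}}}' "$1"
}

# rotate_binding <binding-name> <namespace> <rotationFrequency>
rotate_binding() {
  valid_k8s_name "$1" || { echo "invalid binding name" >&2; return 1; }
  valid_k8s_name "$2" || { echo "invalid namespace" >&2; return 1; }
  patch=$(build_rotate_patch "$3") || return 1
  kubectl patch servicebinding "$1" -n "$2" --type merge --patch "$patch"
}

# Constructed sample value: show the patch that would be sent (no cluster needed).
build_rotate_patch 1500h && echo
```

Call `rotate_binding` with the binding name, namespace and frequency to apply the patch against a cluster.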