kubectl-mapr-ticket is a kubectl plugin that allows you to list and inspect MapR tickets deployed as Kubernetes secrets in a cluster.
MapR tickets are used by the MapR CSI driver to authenticate and authorize access to Persistent Volumes backed by MapR storage.
The easiest way to install the plugin is using the krew plugin manager for kubectl. Once you have krew installed, you can install the plugin as follows:
$ kubectl krew install mapr-ticket
$ kubectl mapr-ticket --help
You can download the latest release binaries from the releases page. Binaries are available for Linux and macOS for both AMD64 and ARM64 architectures.
Example installation of v0.4.1 for Apple Silicon (ARM64) macOS:
$ curl -LO https://github.com/nobbs/kubectl-mapr-ticket/releases/download/v0.4.1/kubectl-mapr-ticket-arm64-darwin.tar.gz
$ tar -xvf kubectl-mapr-ticket-arm64-darwin.tar.gz
$ mv ./kubectl-mapr-ticket /usr/local/bin
$ kubectl mapr-ticket --help
To install from source, you will need to have Go installed on your system. Once you have Go installed, you can build the plugin as follows:
$ git clone https://github.com/nobbs/kubectl-mapr-ticket.git
$ cd kubectl-mapr-ticket && CGO_ENABLED=0 go build -buildvcs=true -o ./bin/kubectl-mapr-ticket ./cmd && mv ./bin/kubectl-mapr-ticket /usr/local/bin
$ kubectl mapr-ticket --help
The plugin can be invoked using the kubectl mapr-ticket command. The plugin supports the following subcommands:
- inspect, alias i - Inspect the contents of a MapR ticket secret in the current namespace or a local file.
- secret, alias s - List all secrets containing MapR tickets in the current namespace and print some information about them.
- volume, alias pv - List all persistent volumes that use the specified MapR ticket secret and print some information about them.
- claim, alias pvc - List all persistent volume claims that use a MapR ticket in the current namespace.
The inspect subcommand will print the contents of a MapR ticket secret in the current namespace or a MapR ticket from a local file. The output by default is a minimal JSON representation of the ticket. An optional --output flag can be used to instead print the ticket in YAML format. The optional --human-readable (-H) flag can be used to print the ticket in a human-readable format, pretty-printing the JSON output and converting UNIX timestamps to human-readable dates.
$ cat mapr_ticket
demo.mapr.com +Cze+qwYCbAXGbz56OO7UF+lGqL3WPXrNkO1SLawEEDmSbgNl019xBeBY3kvh+R13iz/mCnwpzsLQw4Y5jEnv5GtuIWbeoC95ha8VKwX8MKcE6Kn9nZ2AF0QminkHwNVBx6TDriGZffyJCfZzivBwBSdKoQEWhBOPFCIMAi7w2zV/SX5Ut7u4qIKvEpr0JHV7sLMWYLhYncM6CKMd7iECGvECsBvEZRVj+dpbEY0BaRN/W54/7wNWaSVELUF6JWHQ8dmsqty4cZlI0/MV10HZzIbl9sMLFQ=
$ kubectl mapr-ticket inspect --human-readable --file mapr_ticket
{
  "cluster": "demo.mapr.com",
  "ticket": {
    "expiryTime": "29229672-06-17T19:31:17+02:00",
    "creationTimeSec": "2018-04-04T16:31:37+02:00",
    "maxRenewalDurationSec": "0s",
    "encryptedTicket": "AggBendQDHJBpB80ZZpmpde/2DYxfbgEPOBjBZTgLNno844p0I5Y5OZ7PvUdbcS1HwvGQjOWnsX3oIS3F6ZrGLeNWxKwQW9VtQG7EcOZFFtHCFMjcnWU3RSGo6dRn8EndfObMZBbXAQYJks5Qw==",
    "userKey": {
      "key": "t4l3cSFODvinISYUr6C394nN9w3gbg+YspV4fIu+vkQ="
    },
    "userCreds": {
      "uid": 5000,
      "gids": [
        5000,
        0,
        5001
      ],
      "userName": "mapr"
    }
  }
}
The secret subcommand will list all MapR tickets deployed as Secrets in the current namespace. The output by default will be a table that can be extended with the --output wide flag. Additional flags can be used to customize the output, see kubectl mapr-ticket secret --help for more details.
$ kubectl mapr-ticket secret
NAME                      MAPR CLUSTER         USER     STATUS              AGE
mapr-dev-ticket-user-a    demo.dev.mapr.com    user_a   Valid (4y left)     75d
mapr-dev-ticket-user-b    demo.dev.mapr.com    user_b   Valid (4y left)     75d
mapr-dev-ticket-user-c    demo.dev.mapr.com    user_c   Valid (4y left)     75d
mapr-prod-ticket-user-a   demo.prod.mapr.com   user_a   Expired (43d ago)   73d
mapr-prod-ticket-user-b   demo.prod.mapr.com   user_b   Expired (43d ago)   73d
mapr-prod-ticket-user-c   demo.prod.mapr.com   user_c   Expired (43d ago)   73d
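A check that could run from cron or a CI step on top of this subcommand, as an added example (not part of the plugin or its repository): it reads the default table and reports every ticket whose status is not Valid. It assumes the column layout shown above; the function names are hypothetical and the sample rows are the ones from this page.

```shell
#!/bin/sh
# Added example, not part of kubectl-mapr-ticket. Function names are hypothetical.
# Assumes the default table layout shown above: NAME, MAPR CLUSTER, USER,
# STATUS (may contain spaces), AGE (always the last field).

# Sample input: the example rows from this page, embedded so the script runs offline.
sample_output() {
cat <<'EOF'
NAME                      MAPR CLUSTER         USER     STATUS              AGE
mapr-dev-ticket-user-a    demo.dev.mapr.com    user_a   Valid (4y left)     75d
mapr-dev-ticket-user-b    demo.dev.mapr.com    user_b   Valid (4y left)     75d
mapr-dev-ticket-user-c    demo.dev.mapr.com    user_c   Valid (4y left)     75d
mapr-prod-ticket-user-a   demo.prod.mapr.com   user_a   Expired (43d ago)   73d
mapr-prod-ticket-user-b   demo.prod.mapr.com   user_b   Expired (43d ago)   73d
mapr-prod-ticket-user-c   demo.prod.mapr.com   user_c   Expired (43d ago)   73d
EOF
}

# Reads the table on stdin and prints "name<TAB>cluster<TAB>user<TAB>status"
# for every row whose status does not start with "Valid".
non_valid_tickets() {
  awk '
    NR == 1 { next }   # header row
    NF < 5  { next }   # blank or malformed row
    {
      # STATUS spans field 4 up to the field before AGE.
      status = $4
      for (i = 5; i < NF; i++) status = status " " $i
      if (status !~ /^Valid/) printf "%s\t%s\t%s\t%s\n", $1, $2, $3, status
    }'
}

# Returns 0 when every ticket is valid; otherwise lists the offenders on
# stderr and returns 1, so a scheduled job fails visibly.
check_tickets() {
  bad=$(non_valid_tickets)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" >&2
  return 1
}

# Real use: kubectl mapr-ticket secret -n <namespace> | check_tickets
sample_output | non_valid_tickets
```

Parsing the human-readable table is sensitive to layout changes between plugin versions, so re-check the column assumptions after an upgrade.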
The volume subcommand will list all Persistent Volumes that are using a specific MapR ticket if a secret name is specified, or any ticket in the current namespace if no argument is provided. The output by default will be a table with the following columns. Additional flags can be used to customize the output, see kubectl mapr-ticket volume --help for more details.
$ kubectl mapr-ticket volume mapr-ticket-secret -n test-csi
NAME             SECRET NAMESPACE   SECRET               CLAIM NAMESPACE   CLAIM        TICKET STATUS         AGE
test-static-pv   test-csi           mapr-ticket-secret   default           test-claim   Not found / Invalid   13h
var-lib-mapr     test-csi           mapr-ticket-secret   default           test-var     Valid (4y left)       12d
expired-pv       test-csi           mapr-ticket-secret   default           test-exp     Expired (43d ago)     12d
The claim subcommand will list all Persistent Volume Claims in the current namespace that are using a MapR ticket. The output by default will be a table with the following columns. Additional flags can be used to customize the output, see kubectl mapr-ticket claim --help for more details.
$ kubectl mapr-ticket claim -n default
NAME         SECRET NAMESPACE   SECRET               VOLUME NAME      TICKET STATUS         AGE
test-claim   test-csi           mapr-ticket-secret   test-static-pv   Not found / Invalid   13h
test-var     test-csi           mapr-ticket-secret   var-lib-mapr     Valid (4y left)       12d
test-exp     test-csi           mapr-ticket-secret   expired-pv       Expired (43d ago)     12d
The plugin supports shell completion for various shells. To enable shell completion, you will need to source the completion script for your shell. For example, to enable completion for zsh, you can run the following command:
$ source <(kubectl mapr-ticket completion zsh)
Note that this is only local to your current shell session. To enable completion permanently, you either need to add the command to your shell profile or place the completion script in the appropriate location for your shell.
Unfortunately, the above setup will only provide completion for the kubectl-mapr_ticket command, not the actual kubectl mapr-ticket alias. To enable completion for the alias, you need to create a special kubectl_complete-mapr_ticket executable in your PATH that will delegate execution to the plugin. You can find an example of it in the hack directory. Place the script somewhere in your PATH and make sure it is executable, e.g. by running:
$ curl -LO https://github.com/nobbs/kubectl-mapr-ticket/raw/main/hack/kubectl_complete-mapr_ticket
$ chmod +x ./kubectl_complete-mapr_ticket
$ mv ./kubectl_complete-mapr_ticket /usr/local/bin
No, this kubectl plugin does not require a connection to a MapR cluster. The plugin will inspect the secrets in the current namespace, filter them down to those that are MapR tickets, and then decode the ticket contents using this reverse-engineered ticket parser which is based on this blog post of mine.
Based on testing, the plugin is able to parse tickets starting at least from MapR 6.0.0 as the format did not receive any breaking changes since then.
This project is licensed under the MIT License - see the LICENSE file for details.