kubectl-mapr-ticket is a kubectl plugin that allows you to list and inspect MapR tickets deployed as Kubernetes secrets in a cluster.
MapR tickets are used by the MapR CSI driver to authenticate and authorize access to Persistent Volumes backed by MapR storage.
The easiest way to install the plugin is using the krew plugin manager for kubectl. Once you have krew installed, you can install the plugin as follows:
$ kubectl krew install mapr-ticket
$ kubectl mapr-ticket --help
You can download the latest release binaries from the releases page. Binaries are available for Linux and macOS for both AMD64 and ARM64 architectures.
Example installation of v0.4.1 for Apple Silicon (ARM64) macOS:
$ curl -LO https://github.com/nobbs/kubectl-mapr-ticket/releases/download/v0.4.1/kubectl-mapr-ticket-arm64-darwin.tar.gz
$ tar -xvf kubectl-mapr-ticket-arm64-darwin.tar.gz
$ mv ./kubectl-mapr-ticket /usr/local/bin
$ kubectl mapr-ticket --help
To install from source, you will need to have Go installed on your system. Once you have Go installed, you can build the plugin as follows:
$ git clone https://github.com/nobbs/kubectl-mapr-ticket.git
$ cd kubectl-mapr-ticket && CGO_ENABLED=0 go build -buildvcs=true -o ./bin/kubectl-mapr-ticket ./cmd && mv ./bin/kubectl-mapr-ticket /usr/local/bin
$ kubectl mapr-ticket --help
The plugin can be invoked using the kubectl mapr-ticket command. The plugin supports the following subcommands:
- inspect, alias i - Inspect the contents of a MapR ticket secret in the current namespace or a local file.
- secret, alias s - List all secrets containing MapR tickets in the current namespace and print some information about them.
- volume, alias pv - List all persistent volumes that use the specified MapR ticket secret and print some information about them.
- claim, alias pvc - List all persistent volume claims that use a MapR ticket in the current namespace.
The inspect subcommand will print the contents of a MapR ticket secret in the current namespace or a MapR ticket from a local file. The output by default is a minimal JSON representation of the ticket. An optional --output flag can be used to instead print the ticket in YAML format. The optional --human-readable (-H) flag can be used to print the ticket in a human-readable format, pretty-printing the JSON output and converting UNIX timestamps to human-readable dates.
$ cat mapr_ticket
demo.mapr.com +Cze+qwYCbAXGbz56OO7UF+lGqL3WPXrNkO1SLawEEDmSbgNl019xBeBY3kvh+R13iz/mCnwpzsLQw4Y5jEnv5GtuIWbeoC95ha8VKwX8MKcE6Kn9nZ2AF0QminkHwNVBx6TDriGZffyJCfZzivBwBSdKoQEWhBOPFCIMAi7w2zV/SX5Ut7u4qIKvEpr0JHV7sLMWYLhYncM6CKMd7iECGvECsBvEZRVj+dpbEY0BaRN/W54/7wNWaSVELUF6JWHQ8dmsqty4cZlI0/MV10HZzIbl9sMLFQ=
$ kubectl mapr-ticket inspect --human-readable --file mapr_ticket
{
  "cluster": "demo.mapr.com",
  "ticket": {
    "expiryTime": "29229672-06-17T19:31:17+02:00",
    "creationTimeSec": "2018-04-04T16:31:37+02:00",
    "maxRenewalDurationSec": "0s",
    "encryptedTicket": "AggBendQDHJBpB80ZZpmpde/2DYxfbgEPOBjBZTgLNno844p0I5Y5OZ7PvUdbcS1HwvGQjOWnsX3oIS3F6ZrGLeNWxKwQW9VtQG7EcOZFFtHCFMjcnWU3RSGo6dRn8EndfObMZBbXAQYJks5Qw==",
    "userKey": {
      "key": "t4l3cSFODvinISYUr6C394nN9w3gbg+YspV4fIu+vkQ="
    },
    "userCreds": {
      "uid": 5000,
      "gids": [
        5000,
        0,
        5001
      ],
      "userName": "mapr"
    }
  }
}
The secret subcommand will list all MapR tickets deployed as Secrets in the current namespace. The output by default will be a table that can be extended with the --output wide flag. Additional flags can be used to customize the output, see kubectl mapr-ticket secret --help for more details.
$ kubectl mapr-ticket secret
NAME                      MAPR CLUSTER         USER     STATUS              AGE
mapr-dev-ticket-user-a    demo.dev.mapr.com    user_a   Valid (4y left)     75d
mapr-dev-ticket-user-b    demo.dev.mapr.com    user_b   Valid (4y left)     75d
mapr-dev-ticket-user-c    demo.dev.mapr.com    user_c   Valid (4y left)     75d
mapr-prod-ticket-user-a   demo.prod.mapr.com   user_a   Expired (43d ago)   73d
mapr-prod-ticket-user-b   demo.prod.mapr.com   user_b   Expired (43d ago)   73d
mapr-prod-ticket-user-c   demo.prod.mapr.com   user_c   Expired (43d ago)   73d
The volume subcommand will list all Persistent Volumes that are using a specific MapR ticket if a secret name is specified, or any ticket in the current namespace if no argument is provided. The output by default will be a table with the following columns. Additional flags can be used to customize the output, see kubectl mapr-ticket volume --help for more details.
$ kubectl mapr-ticket volume mapr-ticket-secret -n test-csi
NAME             SECRET NAMESPACE   SECRET               CLAIM NAMESPACE   CLAIM        TICKET STATUS         AGE
test-static-pv   test-csi           mapr-ticket-secret   default           test-claim   Not found / Invalid   13h
var-lib-mapr     test-csi           mapr-ticket-secret   default           test-var     Valid (4y left)       12d
expired-pv       test-csi           mapr-ticket-secret   default           test-exp     Expired (43d ago)     12d
The claim subcommand will list all Persistent Volume Claims in the current namespace that are using a MapR ticket. The output by default will be a table with the following columns. Additional flags can be used to customize the output, see kubectl mapr-ticket claim --help for more details.
$ kubectl mapr-ticket claim -n default
NAME         SECRET NAMESPACE   SECRET               VOLUME NAME      TICKET STATUS         AGE
test-claim   test-csi           mapr-ticket-secret   test-static-pv   Not found / Invalid   13h
test-var     test-csi           mapr-ticket-secret   var-lib-mapr     Valid (4y left)       12d
test-exp     test-csi           mapr-ticket-secret   expired-pv       Expired (43d ago)     12d
The plugin supports shell completion for various shells. To enable shell completion, you will need to source the completion script for your shell. For example, to enable completion for zsh, you can run the following command:
$ source <(kubectl mapr-ticket completion zsh)
Note that this is only local to your current shell session. To enable completion permanently, you either need to add the command to your shell profile or place the completion script in the appropriate location for your shell.
Unfortunately, the above setup will only provide completion for the kubectl-mapr_ticket command, not the actual kubectl mapr-ticket alias. To enable completion for the alias, you need to create a special kubectl_complete-mapr_ticket executable in your PATH that will delegate execution to the plugin. You can find an example of it in the hack directory. Place the script somewhere in your PATH and make sure it is executable, e.g. by running:
$ curl -LO https://github.com/nobbs/kubectl-mapr-ticket/raw/main/hack/kubectl_complete-mapr_ticket
$ chmod +x ./kubectl_complete-mapr_ticket
$ mv ./kubectl_complete-mapr_ticket /usr/local/bin
No, this kubectl plugin does not require a connection to a MapR cluster. The plugin will inspect the secrets in the current namespace, filter them down to those that are MapR tickets, and then decode the ticket contents using this reverse-engineered ticket parser which is based on this blog post of mine.
Based on testing, the plugin is able to parse tickets starting at least from MapR 6.0.0, as the format has not received any breaking changes since then.
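Because the plugin works from the Secrets alone, the STATUS column printed by the secret subcommand can drive an expiry check without touching the MapR cluster. The script below is an added example, not part of the plugin: the function names are hypothetical, and the sample table is constructed from the output shown earlier on this page.

```shell
#!/bin/sh
# Added example: expiry check on `kubectl mapr-ticket secret` output.
# Function names are hypothetical; they are not part of the plugin.

# Constructed sample input, copied from the secret table shown earlier.
sample_secret_table() {
cat <<'EOF'
NAME                      MAPR CLUSTER         USER     STATUS              AGE
mapr-dev-ticket-user-a    demo.dev.mapr.com    user_a   Valid (4y left)     75d
mapr-dev-ticket-user-b    demo.dev.mapr.com    user_b   Valid (4y left)     75d
mapr-dev-ticket-user-c    demo.dev.mapr.com    user_c   Valid (4y left)     75d
mapr-prod-ticket-user-a   demo.prod.mapr.com   user_a   Expired (43d ago)   73d
mapr-prod-ticket-user-b   demo.prod.mapr.com   user_b   Expired (43d ago)   73d
mapr-prod-ticket-user-c   demo.prod.mapr.com   user_c   Expired (43d ago)   73d
EOF
}

# Print "<secret name><TAB><status>" for every ticket whose status is not Valid.
# NAME, MAPR CLUSTER and USER values contain no spaces and AGE is the last
# field, so STATUS is everything from field 4 up to the field before AGE.
problem_tickets() {
  awk 'NR > 1 && NF >= 5 {
    status = $4
    for (i = 5; i < NF; i++) status = status " " $i
    if (status !~ /^Valid/) printf "%s\t%s\n", $1, status
  }'
}

# Return 0 when every ticket is valid, 1 otherwise (report goes to stderr),
# so the check can gate a CI job or a scheduled audit.
check_tickets() {
  report=$(problem_tickets)
  if [ -n "$report" ]; then
    printf '%s\n' "$report" >&2
    return 1
  fi
  return 0
}

# Demo on the constructed sample; against a cluster, pipe the plugin instead:
#   kubectl mapr-ticket secret | check_tickets
sample_secret_table | problem_tickets
```

Any status that does not start with "Valid" is reported, so a row marked "Not found / Invalid" is flagged alongside expired tickets.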
This project is licensed under the MIT License - see the LICENSE file for details.