How to pass sensitive data to helm values file that is committed?
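I am using Helm to install kube-prometheus-stack, and I am adding some custom scrape configs to Prometheus that require authentication. I need to pass basic_auth with username and password in the values.yaml file.
The problem is that I need to commit the values.yaml file to a repo, so I am wondering how I can set the username and password in the values file, maybe from a secret in Kubernetes or some other way?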
prometheus:
  prometheusSpec:
    additionalScrapeConfigs:
      - job_name: myjob
        scrape_interval: 20s
        metrics_path: /metrics
        static_configs:
          - targets:
              - myservice.default.svc.cluster.local:80
        basic_auth:
          username: prometheus
          password: prom123456
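Scrape config supports specifying a password_file parameter, so you can mount your own secret in volumes and volumeMounts:
Disclaimer: I haven't tested this myself and I don't use kube-prometheus-stack, but I guess something like this should work: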
prometheus:
  prometheusSpec:
    additionalScrapeConfigs:
      - job_name: myjob
        scrape_interval: 20s
        metrics_path: /metrics
        static_configs:
          - targets:
              - myservice.default.svc.cluster.local:80
        basic_auth:
          # password_file must point at a file, so the Secret key is mounted via subPath below
          password_file: /etc/scrape_passwordfile
    # Additional volumes on the output StatefulSet definition.
    volumes:
      # Kubernetes volume and Secret names cannot contain underscores
      - name: scrape-passwordfile
        secret:
          secretName: scrape-passwordfile
          optional: false
    # Additional VolumeMounts on the output StatefulSet definition.
    volumeMounts:
      - name: scrape-passwordfile
        mountPath: "/etc/scrape_passwordfile"
        # Assumption: the Secret stores the password under a key named "password"
        subPath: password
Another option is to ditch additionalScrapeConfigs and use additionalScrapeConfigsSecret to store the whole config inside a secret:
## If additional scrape configurations are already deployed in a single secret file you can use this section.
## Expected values are the secret name and key
## Cannot be used with additionalScrapeConfigs
additionalScrapeConfigsSecret: {}
  # enabled: false
  # name:
  # key:
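The second option written out as two separate files, as an added example that is not part of the original answer or of the chart's documentation. The Secret name `additional-scrape-configs`, the key `scrape-configs.yaml`, the `monitoring` namespace and the placeholder password are assumptions; only the values file is committed.

```yaml
# File 1, NOT committed: applied out of band (kubectl apply, or rendered by a secret manager).
apiVersion: v1
kind: Secret
metadata:
  name: additional-scrape-configs   # assumed name
  namespace: monitoring             # assumed; must be the namespace of the Prometheus resource
type: Opaque
stringData:
  # Assumed key name. The value is the same YAML list additionalScrapeConfigs would hold.
  scrape-configs.yaml: |
    - job_name: myjob
      scrape_interval: 20s
      metrics_path: /metrics
      static_configs:
        - targets:
            - myservice.default.svc.cluster.local:80
      basic_auth:
        username: prometheus
        password: "<REPLACE_WITH_REAL_PASSWORD>"   # placeholder, never a committed value
---
# File 2, committed values.yaml: references the Secret and contains no credentials.
prometheus:
  prometheusSpec:
    # additionalScrapeConfigs stays unset; the chart does not allow both forms together.
    additionalScrapeConfigsSecret:
      enabled: true
      name: additional-scrape-configs
      key: scrape-configs.yaml
```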