Create or edit Kubernetes secret from a job

I am trying to generate a Kubernetes secret from a Kubernetes job. The secret is a TLS certificate for Elasticsearch transport. I tried this job:

apiVersion: batch/v1
kind: Job
metadata:
  name: conso-security-tls-gen-certs
spec:
  template:
    spec:
      containers:
      - name: generator
        volumeMounts:
          - name: certs
            mountPath: "/certs"
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.4.2"
        command: ["/bin/sh", "-c"]
        args:
        - "bin/elasticsearch-certutil ca (...) --silent -out /certs/bundle.p12"
      restartPolicy: Never
      volumes:
      - name: certs
        secret:
          secretName: conso-security-tls-certs
  backoffLimit: 4

But as https://github.com/kubernetes/kubernetes/issues/62099 says, the volume /certs is read-only. Is there a way to create/edit this secret like this?

Volumes from secrets also disappear once the container/pod is gone. Also, updating files in a volume created from a Secret does not update the Secret itself.

The goal of the job seems to be to generate a certificate and create or update a Secret object with that cert? If that is the case I'd suggest looking into using the Kubernetes API or kubectl to manipulate Secrets from within the running container. You'd need to set up and use a Service Account that has permission to work with Secrets in the given namespace.
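
One way to lay out what the answer above suggests, as an added example that is not part of the original post: the certificate is written to a writable emptyDir instead of a Secret volume, and a second container publishes it with kubectl under a Service Account that may only create Secrets and read or patch this one. Assumptions: the names tls-gen and tls-gen-secret-writer, the "default" namespace, the bitnami/kubectl image and UID 1000 are illustrative; the "(...)" in the certutil arguments is kept exactly as elided in the question.

```yaml
# Added example: tls-gen, tls-gen-secret-writer and "default" are hypothetical names.
apiVersion: v1
kind: ServiceAccount
metadata: {name: tls-gen}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: tls-gen-secret-writer}
rules:
- apiGroups: [""]          # "create" cannot be restricted by resourceNames
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]          # read/update limited to the one Secret this Job owns
  resources: ["secrets"]
  resourceNames: ["conso-security-tls-certs"]
  verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: tls-gen-secret-writer}
subjects:
- {kind: ServiceAccount, name: tls-gen, namespace: default}  # assumption: Job runs in "default"
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: tls-gen-secret-writer}
---
apiVersion: batch/v1
kind: Job
metadata: {name: conso-security-tls-gen-certs}
spec:
  backoffLimit: 4
  template:
    spec:
      serviceAccountName: tls-gen
      restartPolicy: Never
      securityContext: {runAsUser: 1000}  # assumption: same UID in both containers so the publisher can read the file
      volumes:
      - name: certs
        emptyDir: {medium: Memory}        # writable scratch space; key material stays off the node's disk
      initContainers:
      - name: generator                   # runs to completion before the publisher starts
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.4.2"
        command: ["/bin/sh", "-c"]
        args: ["bin/elasticsearch-certutil ca (...) --silent -out /certs/bundle.p12"]
        volumeMounts: [{name: certs, mountPath: /certs}]
      containers:
      - name: publisher
        image: "bitnami/kubectl"          # assumption: any image that ships kubectl
        command: ["/bin/sh", "-c"]
        args: ["kubectl create secret generic conso-security-tls-certs --from-file=/certs/bundle.p12 --dry-run=client -o yaml | kubectl apply -f -"]
        volumeMounts: [{name: certs, mountPath: /certs}]
```

Piping the client-side dry run into kubectl apply makes the Job safe to re-run: the first run creates the Secret and later runs patch it.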