将 Secret values/environment var 传递给 flexvol 选项
Pass Secret values/environment var to the flexvol options
我正在尝试使用 k8s 秘密或从我的本地环境中获取环境变量来设置 flexvol 选项值,这可能吗?
我可以看到 secrets 已成功挂载,但 flexvol 无法成功挂载。如果有的话,除了 secrets 之外还有什么不同的解决方案,不胜感激。
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
namespace: default
labels:
app: my-deployment
spec:
replicas: 1
selector:
matchLabels:
app: my-deployment
template:
metadata:
labels:
app: my-deployment
spec:
containers:
- image: traefik:1.7.7-alpine
name: traefik
livenessProbe:
tcpSocket:
port: 80
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
volumeMounts:
- name: certs
mountPath: /certs
ports:
- name: http
containerPort: 80
protocol: TCP
env:
- name: KV_NAME
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: keyvaultname
- name: KV_OBJ_NAME
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: keyvaultobjectname
- name: TENANT_ID
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: tenantid
- name: RESOURCE_GROUP
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: resourcegroup
- name: SUB_ID
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: subscriptionid
volumes:
- name: certs
flexVolume:
driver: "azure/kv"
secretRef:
name: kvcreds
options:
keyvaultname: ${KV_NAME}
keyvaultobjectname: ${KV_OBJ_NAME}
keyvaultobjecttype: "secret"
tenantid: ${TENANT_ID}
resourcegroup: ${RESOURCE_GROUP}
subscriptionid: ${SUB_ID}
secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: flexvol-var-secret
labels:
name: flexvol-var-secret
annotations:
description: Template for flexVolume variables values
stringData:
keyvaultname: "###"
keyvaultobjectname: "###"
tenantid: ""###"
resourcegroup: "###"
subscriptionid: "###"
我一直在研究同样的事情,如果没有外部工具,这真的不可能。
问题是flexvolume只是从secret中获取credentials,rest是配置,需要传入。你这里要做的本质上是变量替换,kubernetes没有,也不会支持: https://github.com/kubernetes/kubernetes/issues/52787#issuecomment-369645645
从好的方面来说,您可以使用任何工具将这些值替换为环境变量中的变量,从 bash/ps 脚本到适当的 kubernetes 部署解决方案,如 helm。
KV flexvolume 是开源的,因此也可以进行修改以处理此用例
我正在尝试使用 k8s 秘密或从我的本地环境中获取环境变量来设置 flexvol 选项值,这可能吗?
我可以看到 secrets 已成功挂载,但 flexvol 无法成功挂载。如果有的话,除了 secrets 之外还有什么不同的解决方案,不胜感激。
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
namespace: default
labels:
app: my-deployment
spec:
replicas: 1
selector:
matchLabels:
app: my-deployment
template:
metadata:
labels:
app: my-deployment
spec:
containers:
- image: traefik:1.7.7-alpine
name: traefik
livenessProbe:
tcpSocket:
port: 80
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
volumeMounts:
- name: certs
mountPath: /certs
ports:
- name: http
containerPort: 80
protocol: TCP
env:
- name: KV_NAME
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: keyvaultname
- name: KV_OBJ_NAME
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: keyvaultobjectname
- name: TENANT_ID
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: tenantid
- name: RESOURCE_GROUP
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: resourcegroup
- name: SUB_ID
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: subscriptionid
volumes:
- name: certs
flexVolume:
driver: "azure/kv"
secretRef:
name: kvcreds
options:
keyvaultname: ${KV_NAME}
keyvaultobjectname: ${KV_OBJ_NAME}
keyvaultobjecttype: "secret"
tenantid: ${TENANT_ID}
resourcegroup: ${RESOURCE_GROUP}
subscriptionid: ${SUB_ID}
secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: flexvol-var-secret
labels:
name: flexvol-var-secret
annotations:
description: Template for flexVolume variables values
stringData:
keyvaultname: "###"
keyvaultobjectname: "###"
tenantid: ""###"
resourcegroup: "###"
subscriptionid: "###"
我一直在研究同样的事情,如果没有外部工具,这真的不可能。
问题是flexvolume只是从secret中获取credentials,rest是配置,需要传入。你这里要做的本质上是变量替换,kubernetes没有,也不会支持: https://github.com/kubernetes/kubernetes/issues/52787#issuecomment-369645645
从好的方面来说,您可以使用任何工具将这些值替换为环境变量中的变量,从 bash/ps 脚本到适当的 kubernetes 部署解决方案,如 helm。
KV flexvolume 是开源的,因此也可以进行修改以处理此用例