K8s - secrets volume projection doesn't create file

I have a problem deploying multiple secrets from a template deployment.yaml. For some reason, when my application tries to look up the file in the deployment, it cannot find it. The secrets are fetched from gopass by a groovy script.

Here is the actual, simplified file (the indentation levels should be right):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: "test-app"
spec:
  template:
    spec:
      containers:
      - name: "some-container"
        image: "imgtag"
        volumeMounts:
        - name: app-secrets
          mountPath: /app/secrets
      volumes:
      - name: app-secrets
        projected:
          sources:
          - secret:
            name: secret1
          - secret:
            name: secret2

Old version (correctly creates private_key.pem):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: "test-app"
spec:
  template:
    spec:
      containers:
      - name: "some-container"
        image: "imgtag"
        volumeMounts:
          - name: app-secrets
            mountPath: /app/secrets
      volumes:
      - name: app-secrets
        secret:
          secretName: secret1

secrets.groovy:

def secrets() {
    [
        [type: "fromFile", name: "secret1", key: "private_key.pem", gopassPath: "firstGopassPath"],
        [type: "fromFile", name: "secret2", key: "credentials.txt", gopassPath: "secondGopassPath"]
    ]
}

return this

When I added a delay (to avoid the crash), I found that these files are not mounted anywhere.

The pod description looks like this:

(this is before updating the kube client)

Volumes:
  app-secrets:
  <unknown>

(this is after updating the kube client from 1.12.1 to 1.18)

Volumes:
  app-secrets:
    Type:  Projected (a volume that contains injected data from multiple sources)

--UPDATE--

kubectl get secret secret1 -o yaml

apiVersion: v1
data:
  old_private_key.pem: somekey
kind: Secret
metadata:
  creationTimestamp: "2020-04-22T15:31:43Z"
  name: jpd-sales-force-private-key
  namespace: default
  resourceVersion: "137791226"
  selfLink: /api/v1/namespaces/default/secrets/secret1
  uid: a4f71c36-81d0-44f8-87a0-a6100c6f9f01
type: Opaque

(Note: I am trying to rename the file. The original file was private_key.pem, here: old_private_key.pem; the private_key.pem in the original post is the real new file name, so it looks like the new name of the file does not show up.)

Do you know what went wrong?

The solution to my problem:

  1. Delete the old secret (fixed the file name change): kubectl delete secret secret1
  2. The name for secret1 and secret2 was one indentation level too low. Improved version:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: "test-app"
spec:
  template:
    spec:
      containers:
      - name: "some-container"
        image: "imgtag"
        volumeMounts:
        - name: app-secrets
          mountPath: /app/secrets
      volumes:
      - name: app-secrets
        projected:
          sources:
          - secret:
              name: secret1
          - secret:
              name: secret2
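As an added check (not part of the original question or answer), a small Python lint over the parsed form of the manifests above. It flags the mis-indented `name:` from the question (a YAML parser turns it into an empty `secret:` plus a stray sibling `name` key, so the projection has nothing to mount) and the stale data key in the Secret shown under UPDATE. The dicts are hand-constructed to match what a YAML parser returns for the page's manifests; the function names are my own.

```python
def check_projected_volume(volume):
    """Return a list of problems found in one projected volume."""
    problems = []
    sources = (volume.get("projected") or {}).get("sources") or []
    for i, src in enumerate(sources):
        kinds = [k for k in ("secret", "configMap") if k in src]
        if not kinds:
            problems.append(f"source {i}: no secret/configMap key")
            continue
        kind = kinds[0]
        ref = src[kind]
        # A 'name:' indented level with 'secret:' parses as a sibling key,
        # leaving 'secret:' empty (None) instead of {'name': ...}.
        if ref is None:
            stray = src.get("name")
            problems.append(f"source {i}: '{kind}:' is empty; 'name: {stray}' "
                            "is indented one level too shallow")
        elif not isinstance(ref, dict) or not ref.get("name"):
            problems.append(f"source {i}: {kind} reference has no name")
    return problems

def check_secret_keys(secret, expected_keys):
    """Return the expected data keys that the Secret does not contain."""
    present = set((secret.get("data") or {}).keys())
    return sorted(set(expected_keys) - present)

# Constructed: the buggy projected volume from the question, as a parser sees it.
BUGGY_VOLUME = {
    "name": "app-secrets",
    "projected": {"sources": [
        {"secret": None, "name": "secret1"},
        {"secret": None, "name": "secret2"},
    ]},
}
# Constructed: the corrected volume from the answer.
FIXED_VOLUME = {
    "name": "app-secrets",
    "projected": {"sources": [{"secret": {"name": "secret1"}},
                              {"secret": {"name": "secret2"}}]},
}
# Constructed: the stale Secret from the UPDATE section; the app expects private_key.pem.
STALE_SECRET = {"data": {"old_private_key.pem": "somekey"}}

if __name__ == "__main__":
    print(check_projected_volume(BUGGY_VOLUME))   # two "too shallow" findings
    print(check_projected_volume(FIXED_VOLUME))   # []
    print(check_secret_keys(STALE_SECRET, ["private_key.pem"]))  # ['private_key.pem']
```

Run it against the output of `kubectl get deploy <name> -o json` and `kubectl get secret <name> -o json` (after `json.load`) to catch both mistakes before a rollout.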