K8s - secrets volume projection doesn't create file
I am having trouble deploying multiple secrets from a templated deployment.yaml. For some reason, when my application looks for the file inside the deployment, it cannot find it. The secrets are fetched from gopass by a Groovy script.
Here is the actual, simplified file (the indentation level should be correct):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "test-app"
spec:
  template:
    spec:
      containers:
      - name: "some-container"
        image: "imgtag"
        volumeMounts:
        - name: app-secrets
          mountPath: /app/secrets
      volumes:
      - name: app-secrets
        projected:
          sources:
          - secret:
            name: secret1
          - secret:
            name: secret2
Old version (which correctly creates private_key.pem):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "test-app"
spec:
  template:
    spec:
      containers:
      - name: "some-container"
        image: "imgtag"
        volumeMounts:
        - name: app-secrets
          mountPath: /app/secrets
      volumes:
      - name: app-secrets
        secret:
          secretName: secret1
secrets.groovy:
def secrets() {
    [
        [type: "fromFile", name: "secret1", key: "private_key.pem", gopassPath: "firstGopassPath"],
        [type: "fromFile", name: "secret2", key: "credentials.txt", gopassPath: "secondGopassPath"]
    ]
}
return this
When I add a delay (to avoid the crash), I find that the files are not mounted anywhere.
The pod description looks like this:
(this is before updating the kube client)
Volumes:
  app-secrets:
    <unknown>
(this is after updating the kube client from 1.12.1 to 1.18)
Volumes:
  app-secrets:
    Type: Projected (a volume that contains injected data from multiple sources)
-- UPDATE --
kubectl get secret secret1 -o yaml
apiVersion: v1
data:
  old_private_key.pem: somekey
kind: Secret
metadata:
  creationTimestamp: "2020-04-22T15:31:43Z"
  name: jpd-sales-force-private-key
  namespace: default
  resourceVersion: "137791226"
  selfLink: /api/v1/namespaces/default/secrets/secret1
  uid: a4f71c36-81d0-44f8-87a0-a6100c6f9f01
type: Opaque
(Note: I am trying to rename the file. The original was private_key.pem; here it is old_private_key.pem. The private_key.pem in the post above is the actual new file name, so it looks as if the new name for the file never shows up.)
Do you know where the problem is?
The solution to my problem:
- Delete the old secret (this fixed the file name change):
  kubectl delete secret secret1
- The names of secret1 and secret2 were one indentation level too low. Improved version:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "test-app"
spec:
  template:
    spec:
      containers:
      - name: "some-container"
        image: "imgtag"
        volumeMounts:
        - name: app-secrets
          mountPath: /app/secrets
      volumes:
      - name: app-secrets
        projected:
          sources:
          - secret:
              name: secret1
          - secret:
              name: secret2
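Both failures in this thread are silent at apply time: a mis-indented `name` next to `secret:` parses to `{"secret": None, "name": "secret1"}` and the projection ends up empty, and a Secret that still carries the old data key never yields the file the app expects. The following pre-apply check is an added example, not code from the question; the dicts are constructed to mirror what the question's manifests and `kubectl get secret -o json` would parse to.

```python
"""Lint a projected secrets volume and the Secret it references before applying."""
from typing import List

# A projected source must carry exactly one of these keys (Kubernetes API).
PROJECTED_SOURCE_KINDS = {"secret", "configMap", "downwardAPI", "serviceAccountToken"}


def lint_projected_volume(volume: dict) -> List[str]:
    """Return problems found in one entry of spec.template.spec.volumes."""
    problems = []
    sources = (volume.get("projected") or {}).get("sources") or []
    if not sources:
        problems.append(f"volume {volume.get('name')!r}: projected.sources is empty")
    for i, src in enumerate(sources):
        kinds = [k for k in src if k in PROJECTED_SOURCE_KINDS]
        extra = [k for k in src if k not in PROJECTED_SOURCE_KINDS]
        if len(kinds) != 1:
            problems.append(f"source {i}: expected exactly one source kind, got {sorted(kinds)}")
        if extra:  # a sibling 'name' is the classic sign of under-indentation
            problems.append(f"source {i}: unknown field(s) {extra} (mis-indented?)")
        for k in kinds:
            body = src[k]
            if not isinstance(body, dict) or (k in ("secret", "configMap") and not body.get("name")):
                problems.append(f"source {i}: {k} has no name (value is {body!r})")
    return problems


def missing_keys(secret: dict, expected: List[str]) -> List[str]:
    """Expected file names (data keys) that the live Secret object does not carry."""
    present = {**(secret.get("data") or {}), **(secret.get("stringData") or {})}
    return [k for k in expected if k not in present]


# Constructed: the question's broken manifest, with 'name' beside 'secret' rather than under it.
BROKEN_VOLUME = {"name": "app-secrets", "projected": {"sources": [
    {"secret": None, "name": "secret1"}, {"secret": None, "name": "secret2"}]}}
# Constructed: the corrected manifest from the answer, 'name' nested under 'secret'.
FIXED_VOLUME = {"name": "app-secrets", "projected": {"sources": [
    {"secret": {"name": "secret1"}}, {"secret": {"name": "secret2"}}]}}
# Constructed: a stale Secret whose data key still uses the old file name.
STALE_SECRET = {"kind": "Secret", "metadata": {"name": "secret1"},
                "data": {"old_private_key.pem": "c29tZWtleQ=="}}

if __name__ == "__main__":
    for line in lint_projected_volume(BROKEN_VOLUME):
        print("broken:", line)
    print("fixed:", lint_projected_volume(FIXED_VOLUME) or "ok")
    print("stale secret missing:", missing_keys(STALE_SECRET, ["private_key.pem"]))
```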