如何在kubernetes中创建一个秘密文件

How to create a secret file in kubernetes

我有 yaml,我用它来使用下面的命令创建一个秘密。

kubectl create secret generic -n <NAMESPACE> gitlab-openid-connect --from-file=provider=provider.yaml

下面是Provider.yaml:

name: 'openid_connect'
label: 'OpenID SSO Login'
args:
  name: 'openid_connect'
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'https://keycloak.example.com/auth/realms/myrealm'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'gitlab.example.com-oidc'
    secret: '<keycloak clientID secret>'
    redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback'

我想将它转换成 Secret yaml 文件,这样我就可以 运行 kubectl apply -f provider.yaml

我尝试创建以下文件,但它不起作用,provider-new.yaml

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: 'openid_connect'
  label: 'OpenID SSO Login'
data:
  scope: ['openid','profile','email']
  response_type: 'code'
  issuer: 'url'
  discovery: true
  client_auth_method: 'basic'
  client_options:
    identifier: 'identifier'
    secret: 'secret-key'
    redirect_uri: 'url'

要完成这项工作,您需要使用 --from-env-file 而不是 --from-file。并且包含变量的文件应该是纯文本。

To create a Secret from one or more files, use --from-file or --from-env-file. The file must be plaintext, but the extension of the file does not matter.

When you create the Secret using --from-file, the value of the Secret is the entire contents of the file. If the value of your Secret contains multiple key-value pairs, use --from-env-file instead.

文件 provider.yaml 变量:

scope= ['openid','profile','email']
response_type= 'code'
issuer= 'url'
discovery= true
client_auth_method= 'basic'
identifier= 'identifier'
secret= 'secret-key'
redirect_uri= 'url'
kubectl create secret generic -n default gitlab-openid-connect --from-env-file=provider.yaml

结果:

apiVersion: v1
data:
  client_auth_method: ICdiYXNpYyc=
  discovery: IHRydWU=
  identifier: ICdpZGVudGlmaWVyJw==
  issuer: ICd1cmwn
  redirect_uri: ICd1cmwn
  response_type: ICdjb2RlJw==
  scope: IFsnb3BlbmlkJywncHJvZmlsZScsJ2VtYWlsJ10=
  secret: ICdzZWNyZXQta2V5Jw==
kind: Secret
metadata:
  creationTimestamp: null
  name: gitlab-openid-connect
  namespace: default

另一件事是无法在秘密数据范围内建立层次结构,因此以下内容不会起作用:

client_options
  identifier= 'identifier'
  secret= 'secret-key'
  redirect_uri= 'url'

来源:google cloud