I am reading the official HashiCorp Vault documentation on using the Secrets Store CSI driver to mount secrets into the pods it is attached to.
Once a fair amount of setup/boilerplate work has been done, the secrets seem to end up being provided to the workload through a SecretProviderClass like the following:
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  # Vault CSI Provider
  provider: vault
  parameters:
    # Vault role name to use during login
    roleName: 'app'
    # Vault's hostname
    vaultAddress: 'https://vault:8200'
    # TLS CA certification for validation
    vaultCACertPath: '/vault/tls/ca.crt'
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
      # "objectName" is an alias used within the SecretProviderClass to reference
      # that specific secret. This will also be the filename containing the secret.
      # "secretPath" is the path in Vault where the secret should be retrieved.
      # "secretKey" is the key within the Vault secret response to extract a value from.
According to the relevant comment above:
"objectName" is an alias used within the SecretProviderClass to reference that specific secret. This will also be the filename containing the secret.
I take this to mean that e.g. dbUsername will not be readily available as an environment variable to the corresponding pod.
Is there a way to expose these variables (e.g. dbUsername, username, etc.) as environment variables to the k8s application?
My best guess (before doing a PoC) is that iterating over and sourcing all the files under /path/where/all/vault/secrets/are/mounted/database/creds/ might do the trick, but I am wondering whether there is a better option, since most cloud applications today expect these secrets as environment variables, so refactoring the code to read files is not a viable alternative.
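The Secrets Store CSI driver can mirror the mounted files into a regular Kubernetes Secret via `spec.secretObjects` in the SecretProviderClass, and that Secret can then be referenced from `env[].valueFrom.secretKeyRef` like any other. The manifests below are an added example for this question, not taken from the Vault documentation or the question above; they assume the driver was installed with secret sync enabled (Helm value `syncSecret.enabled=true`), a `v1` SecretProviderClass API (the version depends on the installed driver), a namespace `app`, a service account `app` bound to the Vault role `app`, and a placeholder image `example.com/app:1.0`.

```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
  namespace: app
spec:
  provider: vault
  # Sync the mounted files into a Kubernetes Secret named "vault-db-creds".
  # The driver only creates and maintains this Secret while at least one pod
  # mounts the CSI volume; it is deleted when the last such pod goes away.
  secretObjects:
    - secretName: vault-db-creds
      type: Opaque
      data:
        - objectName: dbUsername   # file name from "objects" below
          key: username            # key inside the Kubernetes Secret
        - objectName: dbPassword
          key: password
  parameters:
    roleName: 'app'
    vaultAddress: 'https://vault:8200'
    vaultCACertPath: '/vault/tls/ca.crt'
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      serviceAccountName: app          # assumed: bound to the Vault role "app"
      containers:
        - name: app
          image: example.com/app:1.0   # placeholder image
          env:
            # Plain env vars read from the synced Kubernetes Secret.
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: vault-db-creds
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: vault-db-creds
                  key: password
          volumeMounts:
            # Required even if the app never reads the files: the sync into
            # the Kubernetes Secret is triggered by the volume mount.
            - name: secrets-store
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: vault-db-creds
```

Two caveats before relying on this. First, the synced object is an ordinary Kubernetes Secret stored in etcd and readable by anything with `get secrets` in the namespace, which gives up part of the reason for using the CSI driver in the first place; restrict RBAC on it accordingly. Second, environment variables are fixed when the container starts, so credentials from a dynamic backend such as `database/creds/...` that Vault rotates will only be picked up on a pod restart, whereas the mounted files are updated in place when rotation is enabled. If restarts are unacceptable, the file-based approach from the question (reading the files at startup or on change) is the one that keeps working across rotations.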