
I am reading the official documentation on using the CSI secrets driver to mount secrets created in HashiCorp Vault into pods.

Once a considerable amount of setup/boilerplate is done, the secrets seem to end up being provided to workloads through a SecretProviderClass like the following:

---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  # Vault CSI Provider
  provider: vault
  parameters:
    # Vault role name to use during login
    roleName: 'app'
    # Vault's hostname
    vaultAddress: 'https://vault:8200'
    # TLS CA certification for validation
    vaultCACertPath: '/vault/tls/ca.crt'
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
    # "objectName" is an alias used within the SecretProviderClass to reference
    # that specific secret. This will also be the filename containing the secret.
    # "secretPath" is the path in Vault where the secret should be retrieved.
    # "secretKey" is the key within the Vault secret response to extract a value from.

According to the relevant comment above:

"objectName" is an alias used within the SecretProviderClass to reference that specific secret. This will also be the filename containing the secret.

I take this to mean that e.g. dbUsername will not be readily available to the corresponding pod as an environment variable.

Is there a way to expose these variables (e.g. dbUsername / username) as environment variables to the k8s application?

My best guess (before doing a PoC) is that iterating over and sourcing all the files under /path/where/all/vault/secrets/are/mounted/database/creds/ might do the trick, but I wonder whether there is a better option, since most cloud applications these days expect these secrets as environment variables, so refactoring the code to read files is not an alternative.
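One way to get these values into environment variables, shown here as an added example that is not part of the original question: the Secrets Store CSI driver can mirror the mounted files into a regular Kubernetes Secret through spec.secretObjects, and the pod then consumes that Secret with envFrom. This assumes the driver was installed with secret syncing enabled (Helm value syncSecret.enabled=true); the Secret name (db-creds), pod name, image and service account are assumed values.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  provider: vault
  parameters:
    roleName: 'app'
    vaultAddress: 'https://vault:8200'
    vaultCACertPath: '/vault/tls/ca.crt'
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
  # Added: mirror the mounted files into a Kubernetes Secret (assumed name db-creds)
  secretObjects:
    - secretName: db-creds
      type: Opaque
      data:
        - objectName: dbUsername   # file name taken from "objects" above
          key: DB_USERNAME         # key in the Secret, becomes the env var name via envFrom
        - objectName: dbPassword
          key: DB_PASSWORD
---
apiVersion: v1
kind: Pod
metadata:
  name: app   # assumed
spec:
  serviceAccountName: app   # assumed; the service account bound to Vault role 'app'
  containers:
    - name: app
      image: example/app:latest   # placeholder image
      envFrom:
        - secretRef:
            name: db-creds        # every key of the synced Secret becomes an env var
      volumeMounts:   # the CSI mount is still required; syncing only happens for pods that mount the volume
        - name: vault-creds
          mountPath: /mnt/secrets-store
  volumes:
    - name: vault-creds
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: vault-db-creds
```

The synced Secret is stored in etcd and readable by anyone with get access to Secrets in that namespace, which widens exposure compared with the tmpfs file mount, so RBAC on Secrets in the namespace should be reviewed before using it. Environment variables are only read at container start, so a rotated Vault lease is not picked up until the pod restarts.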
