I am using an external Vault with Kubernetes, and I want all my secrets in the pod env or in Kubernetes secrets. I tried with

apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
  labels:
    app: orgchart
spec:
  selector:
    matchLabels:
      app: orgchart
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "devwebapp"
        vault.hashicorp.com/agent-inject-secret-config: "kv/secret/devwebapp/config"
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "kv/secret/devwebapp/config" -}}
            export user="{{ .Data.username }}"
            export pass="{{ .Data.password }}"
          {{- end }}
      labels:
        app: orgchart
    spec:
      serviceAccountName: devwebapp123
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1
          args: ["sh", "-c", "source /vault/secrets/config"]

But when I exec env in the pod, the secrets are not in the env

kubectl exec -it orgchart-659b57dc47-2dwdf -c orgchart -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
HOSTNAME=orgchart-659b57dc47-2dwdf
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.233.0.1
KUBERNETES_SERVICE_HOST=10.233.0.1
HOME=/root

The file at path /vault/secrets/config in the pod exists. After that I have 2 questions: why doesn't it work, and how can I inject it into Kubernetes secrets?

1 Answer

You should use the following syntax instead:

args: ["sh", "-c", "source /vault/secrets/config && <entry-point script>"]

to inject the environment variables into the application environment. If I got the right docker image, the entry point should be /app/web.

You may need to override the default:

image:
  name: jweissig/app:0.0.1
  entrypoint: [""]
Answered 2021-08-23T19:53:16.803
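
The difference between the two `args` forms above can be reproduced locally; this is an added example, not part of the question or the answer. It assumes a constructed config file with sample values in place of `/vault/secrets/config`, uses `env` as a stand-in for the real entry point, and uses `.` (the POSIX spelling of `source`).

```shell
#!/bin/sh
# Constructed stand-in for the file the Vault Agent template renders at
# /vault/secrets/config (sample values, not real secrets).
make_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
export user="sample-user"
export pass="sample-pass"
EOF
    printf '%s\n' "$cfg"
}

# Case 1: the question's args. The shell sources the file and exits. A
# process started separately afterwards (as `kubectl exec ... -- env` is)
# does not inherit from that shell, so it has no `user` variable.
# Prints the number of lines matching ^user= (expected: 0).
sibling_sees_user() {
    cfg=$(make_config)
    env -i PATH="$PATH" sh -c ". '$cfg'"                 # container command
    env -i PATH="$PATH" env | grep -c '^user=' || true   # separate process
    rm -f "$cfg"
}

# Case 2: the answer's form. The application is launched by the same shell
# after sourcing, so it inherits the exported variables.
# Prints the matching line from the application's environment.
app_sees_user() {
    cfg=$(make_config)
    env -i PATH="$PATH" sh -c ". '$cfg' && exec env" | grep '^user='
    rm -f "$cfg"
}

echo "separate process, lines matching user=: $(sibling_sees_user)"
echo "process started after sourcing: $(app_sees_user)"
```

The same reasoning applies to the check itself: a process started with `kubectl exec` gets the environment from the container spec, not the variables exported inside the `sh -c` shell, so the sourced values are visible only to the application that shell launches.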