I am using an external Vault with Kubernetes, and I want all my secrets to be in the pod env or in Kubernetes secrets. I tried with
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
  labels:
    app: orgchart
spec:
  selector:
    matchLabels:
      app: orgchart
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "devwebapp"
        vault.hashicorp.com/agent-inject-secret-config: "kv/secret/devwebapp/config"
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "kv/secret/devwebapp/config" -}}
            export user="{{ .Data.username }}"
            export pass="{{ .Data.password }}"
          {{- end }}
      labels:
        app: orgchart
    spec:
      serviceAccountName: devwebapp123
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1
          args: ["sh", "-c", "source /vault/secrets/config"]
But when I exec into the pod and run env, the secrets are not in the env
kubectl exec -it orgchart-659b57dc47-2dwdf -c orgchart -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
HOSTNAME=orgchart-659b57dc47-2dwdf
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.233.0.1
KUBERNETES_SERVICE_HOST=10.233.0.1
HOME=/root
The file at path /vault/secrets/config in the pod exists. After that I have 2 questions: why doesn't it work, and how can I inject it into Kubernetes secrets?
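
An added example, not part of the original post, reproducing the observed behaviour outside the cluster: variables exported by `source` exist only in the shell that ran it and in processes that shell starts afterwards, so a separately started process (as with `kubectl exec ... -- env`) does not see them. The file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for the file Vault Agent renders at /vault/secrets/config.
# The values are made up for this demonstration.
SECRETS_FILE="$(mktemp)"
trap 'rm -f "$SECRETS_FILE"' EXIT
cat > "$SECRETS_FILE" <<'EOF'
export user="constructed-user"
export pass="constructed-pass"
EOF

# Case 1: mirrors args: ["sh", "-c", "source /vault/secrets/config"].
# The first shell sources the file and exits. The second command is an
# unrelated process with its own environment, like the one started by
# `kubectl exec ... -- env`, so it never sees the exported variables.
separate_process_view() {
    env -i PATH="$PATH" sh -c ". \"$SECRETS_FILE\""        # "." is the POSIX spelling of source
    env -i PATH="$PATH" printenv user || echo "<unset>"
}

# Case 2: the sourcing shell itself starts the workload with exec, so the
# workload inherits the exported variables. printenv stands in for the
# application's real entrypoint (an assumption of this example).
same_shell_child_view() {
    env -i PATH="$PATH" sh -c ". \"$SECRETS_FILE\" && exec printenv user"
}

echo "separate process (like kubectl exec -- env): $(separate_process_view)"
echo "process exec'd by the sourcing shell:        $(same_shell_child_view)"
```

In both cases the secret values still sit in a file on the pod's shared volume, and in case 2 they are also in the workload's process environment, so access to the pod and to `kubectl exec` should be restricted accordingly.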