我有一个 K8s 集群,它通过 SMB 挂载连接到 AWS Storage Gateway(SGW)的文件共享。我们最近把该 SGW 迁移到了另一个 AWS 账户,同时该 SGW 的 IP 地址和密码也发生了变化。
我注意到我们现有的配置里有一个 K8s StorageClass,它引用名为“smbcreds”的 K8s Secret;该 Secret 中包含“用户名”和“密码”两个键(即 username / password)。我假设这符合我们所用的“csi-driver-smb” Helm chart 的设置指南。
我原以为修改 StorageClass 所引用的 Secret 会更新所有使用该 StorageClass 的下游资源,但显然并非如此。由于这可能涉及重要数据的泄露,我比较谨慎:要让所有组件改用新的 Secret 和 IP 配置,我需要做什么?
下面是我们在 Terraform 中的一个简化示例:
# Kubernetes provider: authenticates with the local kubeconfig and pins the
# context to "minikube" so an apply cannot silently target a different cluster.
provider "kubernetes" {
  config_context = "minikube"
  config_path    = "~/.kube/config"
}
# Installs csi-driver-smb (the SMB CSI driver) from its upstream Helm chart.
# NOTE(review): `repository` points at the chart index on the `master` branch
# and no `version` is set, so each apply may resolve to whatever chart version
# the branch currently publishes. Pin it, e.g.
# `version = "<CHART_VERSION — placeholder, fill in>"`, so driver upgrades
# happen deliberately rather than as a side effect of an unrelated apply.
resource "helm_release" "container_storage_interface_for_aws" {
  count = 1

  namespace  = "default"
  name       = "local-filesystem-csi"
  chart      = "csi-driver-smb"
  repository = "https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts"
}
# StorageClass that provisions SMB-backed volumes through csi-driver-smb.
#
# NOTE(review): the Kubernetes API rejects updates to a StorageClass's
# `parameters`, so changing `source` here means the class is replaced, not
# edited. `source` and the node-stage secret reference are read when a volume
# is provisioned and, as far as I can tell, copied into that PersistentVolume's
# spec — PVs (and the PVCs bound to them) created under the old value keep
# pointing at the old share; confirm against the existing PV's
# `spec.csi.volumeAttributes` before relying on this.
# The secret is referenced by name only, so new credentials presumably take
# effect the next time a node stages the volume; pods that already have the
# share mounted keep their existing session until they are rescheduled.
# `reclaim_policy = "Retain"` keeps the old PV (still referencing the old
# address) after its PVC is deleted, so it needs explicit cleanup.
# `dir_mode`/`file_mode` of 0777 make everything under the mount
# world-readable and world-writable inside the pod; tighten them if the
# workload does not need that.
resource "kubernetes_storage_class" "aws_storage_gateway" {
  count = 1

  metadata {
    name = "smbmount"
  }

  storage_provisioner = "smb.csi.k8s.io"
  reclaim_policy      = "Retain"
  volume_binding_mode = "WaitForFirstConsumer"

  mount_options = ["vers=3.0", "dir_mode=0777", "file_mode=0777"]

  parameters = {
    source                                           = "//1.2.3.4/old-file-share"
    "csi.storage.k8s.io/node-stage-secret-name"      = "smbcreds"
    "csi.storage.k8s.io/node-stage-secret-namespace" = "default"
  }
}
# PersistentVolumeClaim against the "smbmount" class; the 10Gi request is
# nominal for an SMB share. ReadWriteMany lets several pods mount it at once.
# NOTE(review): once bound, this claim stays attached to the PV that was
# provisioned for it, so a later change to the StorageClass's `source` does
# not move this claim to the new share — a fresh PVC (and therefore a fresh
# PV) is the usual way to pick up a new `source`; confirm with the driver docs.
resource "kubernetes_persistent_volume_claim" "aws_storage_gateway" {
  count = 1

  metadata {
    name = "smbmount-volume-claim"
  }

  spec {
    storage_class_name = "smbmount"
    access_modes       = ["ReadWriteMany"]

    resources {
      requests = {
        storage = "10Gi"
      }
    }
  }
}
# Sample workload that mounts the SMB-backed claim at /data.
# NOTE(review): `image = "ubuntu"` is a floating tag, so the image can change
# underneath the deployment between rollouts; pin a tag or digest, e.g.
# `image = "ubuntu@sha256:<IMAGE_DIGEST — placeholder>"`. No securityContext
# is set, so the container presumably runs as the image's default (root) user
# with a writable mount of the share — fine for a probe pod, not for a real
# workload. `sleep 3600` exits after an hour and the container is restarted.
resource "kubernetes_deployment" "main" {
  metadata {
    name = "sample-pod"
  }

  spec {
    replicas = 1

    selector {
      match_labels = {
        app = "sample-pod"
      }
    }

    template {
      metadata {
        labels = {
          app = "sample-pod"
        }
      }

      spec {
        # Pod-level volume backed by the PVC declared above.
        volume {
          name = "shared-fileshare"

          persistent_volume_claim {
            claim_name = "smbmount-volume-claim"
          }
        }

        container {
          name              = "ubuntu"
          image             = "ubuntu"
          image_pull_policy = "IfNotPresent"
          command           = ["sleep", "3600"]

          # Read-write mount of the share inside the container.
          volume_mount {
            mount_path = "/data"
            name       = "shared-fileshare"
            read_only  = false
          }
        }
      }
    }
  }
}
我最初的做法是修改 K8s Secret “smbcreds”,并把 `source = "//1.2.3.4/old-file-share"` 改为 `source = "//5.6.7.8/new-file-share"`。