Kubernetes 将秘密值/环境变量传递给flexvol选项
我试图使用k8s机密或使用本地环境中的环境变量来设置flexvol选项值,这可能吗 我可以看到秘密成功挂载,但flexvol无法成功挂载。如果有秘密以外的其他解决方案,请谅解 部署.yamlKubernetes 将秘密值/环境变量传递给flexvol选项,kubernetes,azure-keyvault,azure-aks,Kubernetes,Azure Keyvault,Azure Aks,我试图使用k8s机密或使用本地环境中的环境变量来设置flexvol选项值,这可能吗 我可以看到秘密成功挂载,但flexvol无法成功挂载。如果有秘密以外的其他解决方案,请谅解 部署.yaml apiVersion: apps/v1 kind: Deployment metadata: name: my-deployment namespace: default labels: app: my-deployment spec: replicas: 1 selector:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
namespace: default
labels:
app: my-deployment
spec:
replicas: 1
selector:
matchLabels:
app: my-deployment
template:
metadata:
labels:
app: my-deployment
spec:
containers:
- image: traefik:1.7.7-alpine
name: traefik
livenessProbe:
tcpSocket:
port: 80
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
volumeMounts:
- name: certs
mountPath: /certs
ports:
- name: http
containerPort: 80
protocol: TCP
env:
- name: KV_NAME
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: keyvaultname
- name: KV_OBJ_NAME
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: keyvaultobjectname
- name: TENANT_ID
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: tenantid
- name: RESOURCE_GROUP
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: resourcegroup
- name: SUB_ID
valueFrom:
secretKeyRef:
name: flexvol-var-secret
key: subscriptionid
volumes:
- name: certs
flexVolume:
driver: "azure/kv"
secretRef:
name: kvcreds
options:
keyvaultname: ${KV_NAME}
keyvaultobjectname: ${KV_OBJ_NAME}
keyvaultobjecttype: "secret"
tenantid: ${TENANT_ID}
resourcegroup: ${RESOURCE_GROUP}
subscriptionid: ${SUB_ID}
亚马尔的秘密
kind: Secret
apiVersion: v1
metadata:
name: flexvol-var-secret
labels:
name: flexvol-var-secret
annotations:
description: Template for flexVolume variables values
stringData:
keyvaultname: "###"
keyvaultobjectname: "###"
tenantid: ""###"
resourcegroup: "###"
subscriptionid: "###"
我一直在研究同样的事情,如果没有外部工具,这是不可能的 问题是flexvolume只从secret获取凭据,而rest被视为配置,需要传入。这里需要做的基本上是变量替换,kubernetes不支持,也不会支持: 好的一面是,您可以使用任何工具将这些值替换为来自env变量、bash/ps脚本以及合适的kubernetes部署解决方案(如helm)的变量
KV flexvolume是开源的,因此也可以修改以处理此用例我在flexvol repo中发现了一个公开的问题,该问题是关于将keyvault中的秘密作为环境变量装入容器中,而不是使用kubernetes secret装入keyvault:):)如果您发现我的答案有用,请不要忘记向上投票并接受