Ssl 两个kubernetes卷是否可以装载到同一个位置
我对库伯内特斯还很陌生,想弄明白。我还没能用谷歌搜索这个答案,所以我被难住了。库伯内特斯能在同一条路上隐藏两个秘密吗?假设有以下部署:Ssl 两个kubernetes卷是否可以装载到同一个位置,ssl,kubernetes,Ssl,Kubernetes,我对库伯内特斯还很陌生,想弄明白。我还没能用谷歌搜索这个答案,所以我被难住了。库伯内特斯能在同一条路上隐藏两个秘密吗?假设有以下部署: apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2 kind: Deployment metadata: name: nginx-deployment labels: app: nginx-deployment version: v1 spec: selec
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx-deployment
version: v1
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
version: v1
spec:
volumes:
- name: nginxlocal
hostPath:
path: /srv/docker/nginx
- name: requestcert
secret:
secretName: requests-certificate
- name: mysitecert
secret:
secretName: mysitecert
containers:
- name: nginx
image: nginx:mainline-alpine # Use 1.15.0
volumeMounts:
- name: nginxlocal
subPath: config/nginx.conf
mountPath: /etc/nginx/nginx.conf
- name: requestcert
mountPath: /etc/nginx/ssl
- name: mysitecert
mountPath: /etc/nginx/ssl
- name: nginxlocal
subPath: logs
mountPath: /etc/nginx/logs
ports:
- containerPort: 443
是否可以将两个SSL证书装载到同一目录(/etc/nginx/SSL/*)
如果不是,将TLS证书+密钥存储为“不透明”而不是kubernetes.io/TLS类型是否可行?我试图将两个certs+密钥合并成一个tls类型的密钥,但kubernetes希望它被称为tls.crt和tls.key,因此我不得不将其拆分为两个秘密文件。如果它们可以作为不透明的,我想我可以删除两个秘密值,只使用一个不透明的条目
谢谢
是否可以将两个SSL证书装载到同一目录(/etc/nginx/SSL/*)
不,因为(至少在使用docker运行时)它使用卷装载,其行为与装载-t ext4/dev/something/path/something
完全相同,因为/path/something
将是最后一个赢家
但是,您只有一个稍微有点异味的解决方案可供使用:mount secretrequestcert
as/etc/nginx/.reqcert
(或类似),mount secretmysitecert
as/etc/nginx/.sitecert
,然后取代图像的入口点
,并将文件复制到位,然后再向下委托到实际入口点:
containers:
- name: nginx
image: etc etc
command:
- bash
- -c
- |
mkdir -p /etc/nginx/ssl
cp /etc/nginx/.*cert/* /etc/nginx/ssl/
# or whatever initialization you'd like
# then whatever the entrypoint is for your image
/usr/local/sbin/nginx -g "daemon off;"
或者,如果这看起来不是一个好主意,您可以利用一个一次性的、特定于Pod的目录与initContainers:
:
spec:
volumes:
# all the rest of them, as you had them
- name: temp-config
emptyDir: {}
initContainers:
- name: setup-config
image: busybox # or whatever
command:
- sh
- -c
- |
# "stage" all the config files, including certs
# into /nginx-config which will evaporate on Pod destruction
volumeMounts:
- name: temp-config
mountPath: /nginx-config
# and the rest
containers:
- name: nginx
# ...
volumeMounts:
- name: temp-config
mountPath: /etc/nginx
它们在复杂性上有所不同,这取决于您是否需要跟踪上游映像的entrypoint命令,而不是保持上游映像不变,但要花费更多的初始化能量。“投影的卷将多个现有卷源映射到同一目录中。”检查并确认