Can two Kubernetes volumes be mounted to the same location? (ssl, kubernetes)


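I'm pretty new to Kubernetes and trying to figure it out. I haven't been able to google this answer, so I'm stumped. Can Kubernetes mount two secrets to the same path? Say, given the following deployment: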

apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx-deployment
    version: v1
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
        version: v1
    spec:
      volumes:
      - name: nginxlocal
        hostPath:
          path: /srv/docker/nginx
      - name: requestcert
        secret:
          secretName: requests-certificate
      - name: mysitecert
        secret:
          secretName: mysitecert
      containers:
      - name: nginx
        image: nginx:mainline-alpine # Use 1.15.0
        volumeMounts:
        - name: nginxlocal
          subPath: config/nginx.conf
          mountPath: /etc/nginx/nginx.conf
        - name: requestcert
          mountPath: /etc/nginx/ssl
        - name: mysitecert
          mountPath: /etc/nginx/ssl
        - name: nginxlocal
          subPath: logs
          mountPath: /etc/nginx/logs
        ports:
        - containerPort: 443
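
Is it possible to mount two SSL certs to the same directory (/etc/nginx/ssl/*)?

If not, is storing the TLS cert+key as "Opaque" instead of the kubernetes.io/tls type a viable option? I tried to combine both certs+keys into one secret of tls type, but Kubernetes expected it to be called tls.crt and tls.key, so I had to split it into two secret files. If they could be stored as opaque, I think I could remove the two secret values and just use one opaque entry.

Thanks

Is it possible to mount two SSL certs to the same directory (/etc/nginx/ssl/*)?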

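No, because (at least when using a docker runtime) it uses volume mounts, which behave exactly the same as mount -t ext4 /dev/something /path/something in that /path/something will be last-one-wins.

However, you have an only mildly smelly workaround available to you: mount secret requestcert as /etc/nginx/.reqcert (or similar), mount secret mysitecert as /etc/nginx/.sitecert, then supersede the entrypoint of the image and copy the files into place before delegating down to the actual entrypoint: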

containers:
- name: nginx
  image: etc etc
  command:
  - bash
  - -c
  - |
    mkdir -p /etc/nginx/ssl
    cp /etc/nginx/.*cert/* /etc/nginx/ssl/
    # or whatever initialization you'd like

    # then whatever the entrypoint is for your image
    /usr/local/sbin/nginx -g "daemon off;"

Or, if that doesn't seem like a good idea, you can leverage a disposable, Pod-specific directory in combination with initContainers:

spec:
  volumes:
  # all the rest of them, as you had them
  - name: temp-config
    emptyDir: {}
  initContainers:
  - name: setup-config
    image: busybox  # or whatever
    command:
    - sh
    - -c
    - |
       # "stage" all the config files, including certs
       # into /nginx-config which will evaporate on Pod destruction
    volumeMounts:
    - name: temp-config
      mountPath: /nginx-config
    # and the rest

  containers:
  - name: nginx
    # ...
    volumeMounts:
    - name: temp-config
      mountPath: /etc/nginx

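They vary in complexity based on whether you want to deal with keeping track of the upstream image's entrypoint command, versus leaving the upstream image untouched but expending more initialization energy.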

"A projected volume maps several existing volume sources into the same directory." Check and confirm
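
The projected volume mentioned in the comment above, sketched as an added example that is not part of the original thread: a single volume merges both secrets into /etc/nginx/ssl. It assumes both secrets are of type kubernetes.io/tls (so each holds tls.crt and tls.key, as the question describes); the volume name tls-certs and the target file names are assumptions chosen for illustration.

```yaml
# Added example (not from the original thread): one projected volume
# replaces the two secret volumes that collided on /etc/nginx/ssl.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      volumes:
      - name: tls-certs              # assumed volume name
        projected:
          defaultMode: 0400          # owner read-only: private keys live here
          sources:
          - secret:
              name: requests-certificate
              items:                 # rename keys so the two secrets do not collide
              - key: tls.crt
                path: requests.crt   # assumed file name
              - key: tls.key
                path: requests.key   # assumed file name
          - secret:
              name: mysitecert
              items:
              - key: tls.crt
                path: mysite.crt     # assumed file name
              - key: tls.key
                path: mysite.key     # assumed file name
      containers:
      - name: nginx
        image: nginx:mainline-alpine
        volumeMounts:
        - name: tls-certs
          mountPath: /etc/nginx/ssl  # single mount, four distinct files
          readOnly: true
        ports:
        - containerPort: 443
```

Without the items remapping, both secrets would project tls.crt and tls.key to the same paths and conflict. The ssl_certificate and ssl_certificate_key directives in nginx.conf must point at the renamed files.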