【Question title】: Kubernetes env var value to get from a file
【Posted】: 2022-12-26 07:12:08
【Question】:

I am trying to deploy a mariadb Deployment. I have the root password coming from GCP Secret Manager and stored in a volume mount. I need a way to give the environment variable the value from that file; please check line 38.

  1 apiVersion: apps/v1
  2 kind: Deployment
  3 metadata:
  4   name: mariadb-deployment
  5   namespace: readonly-ns
  6 spec:
  7   replicas:
  8   selector:
  9     matchLabels:
 10       app: mariadb
 11   template:
 12     metadata:
 13       labels:
 14         app: mariadb
 15     spec:
 16       volumes:
 17         - name: cert-volume
 18           emptyDir: {}
 19       serviceAccountName: readonly-sa
 20       initContainers:
 21         - name: init
 22           image: google/cloud-sdk:slim
 23           command: ["/bin/sh"]
 24           args:
 25             - -c
 26             - >-
 27                 gcloud secrets versions access "latest" --secret=bq-readonly-key > /etc/gsm/key.pem
 28           volumeMounts:
 29            - name: cert-volume
 30              mountPath: /etc/gsm/
 31       containers:
 32       - name: mariadb
 33         image: mariadb
 34         ports:
 35         - containerPort: 3306
 36         env:
 37         - name: MARIADB_ROOT_PASSWORD
 38           value: "/etc/gsm/key.pem"       # I need a way to give this env var a value from that file path
 39         volumeMounts:
 40          - name: cert-volume
 41            mountPath: /etc/gsm/

I could not find this online. There are Secret and configMap, but those are not options for me.

【Comments】:

    Tags: kubernetes google-cloud-platform yaml mariadb


    【Answer 1】:

    There is a way, using a Job that has permission to create and update resources on Kubernetes, to create a Secret or ConfigMap.

    ServiceAccount, Role and RoleBinding:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: secret-creator
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: secret-creator
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["create", "update", "get"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: secret-creator
    subjects:
    - kind: User
      name: system:serviceaccount:default:secret-creator
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: secret-creator
      apiGroup: rbac.authorization.k8s.io
    

    Job:

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: secret-creator
    spec:
      template:
        metadata:
        spec:
          volumes:
            - name: cert-volume
              persistentVolumeClaim:
                claimName: my-existent-pvc
          serviceAccountName: secret-creator
          serviceAccount: secret-creator
          containers:
          - image: bitnami/kubectl
            name: secret-creator
            command:
              - /bin/bash
              - -c
            args:
              - kubectl create secret generic app-x-secret --from-file=/etc/sec/key.pem
            resources: {}
            volumeMounts:
             - name: cert-volume
               mountPath: /etc/sec/key.pem
               subPath: key.pem
          restartPolicy: Never
    

    Deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: app
      name: app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: app
      template:
        metadata:
          labels:
            app: app
        spec:
          containers:
          - image: bitnami/bitnami-shell
            name: app
            command:
            - /bin/bash
            - -c
            args:
            - sleep 360
            env:
              - name: APP_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: app-x-secret
                    key: key.pem
    

    Github: https://github.com/marcosrosse/k8s-secret-from-volume

    【Discussion】:
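As an added example (not code from the question, the answer, or the linked repository), here is the other way to get the file contents into the environment without round-tripping the value through a Secret object: a small POSIX sh wrapper that reads the mounted file at container start and exports it, then hands off to the real entrypoint. The mount path `/etc/gsm/key.pem` is the one from the question; the function name `env_from_file` and the wrapper path are assumptions. The wrapper refuses an unreadable or empty file, so a missing initContainer write fails loudly instead of starting the database with an empty root password.

```shell
#!/bin/sh
# Added example: load an environment variable from a mounted secret file at
# container start. The value never appears in the Deployment manifest, in a
# Secret object, or in `kubectl describe pod` output.
# Assumed: /etc/gsm/key.pem is the emptyDir mount from the question.

# env_from_file VAR FILE
#   Export VAR with the contents of FILE (trailing newlines removed).
#   Returns non-zero, without exporting anything, if FILE is unreadable or empty.
env_from_file() {
    var="$1"
    file="$2"
    if [ ! -r "$file" ]; then
        echo "env_from_file: cannot read $file" >&2
        return 1
    fi
    # Command substitution strips trailing newlines, which a password file
    # written with `gcloud ... > file` normally carries.
    value="$(cat "$file")"
    if [ -z "$value" ]; then
        echo "env_from_file: $file is empty" >&2
        return 1
    fi
    export "$var=$value"
}

# Usage in the container spec, replacing the static `value:` from line 38 of the
# question (paths and wrapper name are assumptions):
#   command: ["/bin/sh", "-c"]
#   args:
#     - >-
#       . /usr/local/bin/env_from_file.sh &&
#       env_from_file MARIADB_ROOT_PASSWORD /etc/gsm/key.pem &&
#       exec docker-entrypoint.sh mariadbd
```

Two points worth checking when using this: the file is read by the container's own user, so set `fsGroup`/`runAsUser` in the pod `securityContext` so that the emptyDir written by the initContainer is readable by the mariadb process and by nothing else; and the official mariadb image already honours `MARIADB_ROOT_PASSWORD_FILE`, so for that specific image an env var pointing at `/etc/gsm/key.pem` avoids the wrapper entirely. The wrapper remains useful for images that do not implement the `_FILE` convention.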
