如何使用环境变量通过 Vault Agent 容器将机密注入 Kubernetes pod
大家好,我需要你们的帮助。我正在尝试通过 Vault 向 Kubernetes 集群执行秘密注入,但我正在努力将从 Vault 检索到的内容设置为全局变量。这是我的部署:
`apiVersion: apps/v1
kind: Deployment
metadata:
name: app-pyth
labels:
app: app-pyth
spec:
replicas: 2
selector:
matchLabels:
app: app-pyth
template:
metadata:
labels:
app: app-pyth
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'internal-app'
vault.hashicorp.com/agent-inject-secrets: 'internal/data/database/config'
vault.hashicorp.com/agent-inject-template-secrets: |
{{- with secret "internal/data/database/config" -}}
export USERNAME={{ .Data.data.username }}
export PASSWORD={{ .Data.data.password }}
export ROOT_PASSWORD={{ .Data.data.rootpassword }}
export DATABASE={{ .Data.data.database }}
export HOST={{ .Data.data.host }}
{{- end -}}
spec:
serviceAccountName: internal-app
containers:
\- name: myapp
image: adouadi/python:latest
ports:
\- containerPort: 80
command: \['/bin/bash', '-c', \]
args: \['source /vault/secrets/secrets'\]. `
我没有这样的入口点脚本:['source /vault/secrets/config &&
解决了!!!您需要为脚本设置入口点,因为 Kubernetes 配置中的“命令”选项会覆盖入口点,尽管有 Docker 映像,所以您应该这样做:
command:
['/bin/bash', '-c']
args:
['source /vault/secrets/secrets && uvicorn main:app --host=0.0.0.0 --port=80']