我正在使用 Flink 的 Kubernetes pod 运算符(在 AWS EKS 集群中)来部署 Flink 作业,并尝试为检查点和保存点设置 AWS S3 位置目录。我必须将 s3 访问/秘密密钥传递给
flink-conf.yaml
但我不想将纯凭证字符串放入配置中并提交给 git。
apiVersion: v1
kind: Secret
metadata:
namespace: flink-stage
name: flink-secrets
type: Opaque
data:
# base64 encoded!
s3.access_key: <key>
s3.secret_key: <secret>
如何引用conf yaml中的秘密,我尝试过使用秘密引用,但它不起作用
apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
name: nrt-sessionizer
spec:
image: flink:1.17
flinkVersion: v1_17
flinkConfiguration:
taskmanager.numberOfTaskSlots: "4"
s3.access-key:
valueFrom:
secretKeyRef:
key: s3.access_key
name: flink-secrets
s3.secret-key:
valueFrom:
secretKeyRef:
key: s3.secret_key
name: flink-secrets
error: error validating "infra/flink-k8/overlays/prod": error validating data:
[ValidationError(FlinkDeployment.spec.flinkConfiguration.s3.access-key): invalid type for org.apache.flink.v1beta1.FlinkDeployment.spec.flinkConfiguration: got "map", expected "string",
ValidationError(FlinkDeployment.spec.flinkConfiguration.s3.secret-key): invalid type for org.apache.flink.v1beta1.FlinkDeployment.spec.flinkConfiguration: got "map", expected "string"];
if you choose to ignore these errors, turn validation off with --validate=false
注意:使用 InitContainer 更改 flink-conf.yaml 内容不会 可以工作,因为 ConfigMap 是只读的。
请建议如何将秘密传递给
flink-conf.yaml
。
我通过在部署 yaml 中设置以下配置解决了该问题:K8 Pod 正在 EKS 中以假定的角色运行。我们可以告诉 Flink 使用下面提到的类来承担 ENV 变量中提供的角色,而不是传递密钥/秘密。
fs.s3a.aws.credentials.provider: "com.amazonaws.auth.WebIdentityTokenCredentialsProvider"
apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
name: nrt-sessionizer
spec:
image: flink:1.17
flinkVersion: v1_17
flinkConfiguration:
taskmanager.numberOfTaskSlots: "4"
fs.s3a.aws.credentials.provider: "com.amazonaws.auth.WebIdentityTokenCredentialsProvider"