如何从 hashicorp 保险库检索 tls(ssl 证书)机密到入口?
我已经在 kubernetes (openstack) 中部署了一个带有入口 nginx 和 hashicorp 保险库的微服务。 tls 密钥存储在 hashicorp 保险库中。我创建了一个秘密提供者类:
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: sslspc
spec:
provider: vault
secretObjects:
- secretName: sslspc
data:
- key: "tls.key"
objectName: TLSKey
- key: "tls.crt"
objectName: TLSCert
type: kubernetes.io/tls
parameters:
vaultAddress: http://vault.vault:8200
roleName: "approle"
objects: |
- objectName: TLSKey
secretPath: "secret/data/myssl"
secretKey: "tls.key"
- objectName: TLSCert
secretPath: "secret/data/myssl"
secretKey: "tls.crt"
但不能直接在ingress中使用。我必须创建一个正在创建卷并将其映射到环境的 pod:
apiVersion: apps/v1
kind: Deployment
metadata:
name: depssl
labels:
app: appbusy
spec:
replicas: 1
selector:
matchLabels:
app: appbusy
template:
metadata:
labels:
app: appbusy
spec:
serviceAccountName: mysa
containers:
- name: appbusy
image: busybox
imagePullPolicy: IfNotPresent
command: ["/bin/sh"]
args: ["-c", "while true; do sleep 300;done"]
env:
- name: TLS.KEY
valueFrom:
secretKeyRef:
name: sslspc
key: tls.key
- name: TLS.CRT
valueFrom:
secretKeyRef:
name: sslspc
key: tls.crt
volumeMounts:
- name: sslspc
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: sslspc
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "sslspc"
在此之后我可以在我的 ingress 中使用它:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
tls:
- hosts:
- example.com
secretName: sslspc
rules:
- host: example.com
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: myservice
port:
number: 80
是否可以在不为映射目的创建额外的 pod 的情况下检索入口中的秘密?
更新(03/2023): 根据我的研究,目前这是不可能的。带有 sidecar 等的解决方案会使它变得更加复杂,并且您正在使用更多资源。所以最后我创建了一个简单的 busybox 部署来创建秘密(见上文)。这似乎是最简单且占用资源较少的解决方案。