Openshift/kubernetes: map serviceaccount secret to an environment variable
Is there a way to populate the serviceaccount secret's content into an environment variable?

Example: when a pod is started, it contains a `/var/run/secrets/kubernetes.io/secrets/serviceaccount/` folder that contains `token`, `ca.crt` ... and others, which is the result of mapping the serviceaccount secret to a folder.

Is there any way to map `serviceaccountsecret.token` to an environment variable?
EDIT

I'm deploying kubernetes/openshift objects using the fabric8 maven plugin. Nevertheless, I was looking for a way of setting this information up on the PodSpec.

So, currently openshift/kubernetes is mapping the service account information located in secrets, and then it's automatically mapped to the filesystem (`/var/run...`).

I'm looking for a way to map this "unknown" service account secret to an environment variable (I mean, I don't know which is the name of this secret when I'm creating the PodSpec).
```
$ oc get secrets
NAME                       TYPE                                  DATA      AGE
builder-dockercfg-hplx4    kubernetes.io/dockercfg               1         43m
builder-token-bkd8h        kubernetes.io/service-account-token   4         43m
builder-token-gpckp        kubernetes.io/service-account-token   4         43m
default-dockercfg-q2vpx    kubernetes.io/dockercfg               1         43m
default-token-hpr7l        kubernetes.io/service-account-token   4         43m
default-token-r5225        kubernetes.io/service-account-token   4         43m
deployer-dockercfg-6h7nw   kubernetes.io/dockercfg               1         43m
deployer-token-svmvf       kubernetes.io/service-account-token   4         43m
deployer-token-tmg9x       kubernetes.io/service-account-token   4         43m
vault-cert                 kubernetes.io/tls                     2         42m
```
As you can see, openshift/kubernetes creates secrets for each service account:

```
$ oc get sa
NAME       SECRETS   AGE
builder    2         44m
default    2         44m
deployer   2         44m
```

Each secret has a form like:
```
$ oc describe secret default-token-hpr7l
Name:         default-token-hpr7l
Namespace:    ra-sec
Labels:       <none>
Annotations:  kubernetes.io/created-by=openshift.io/create-dockercfg-secrets
              kubernetes.io/service-account.name=default
              kubernetes.io/service-account.uid=82ae89d7-898a-11e8-8d35-f28ae3e0478e

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:          1070 bytes
namespace:       6 bytes
service-ca.crt:  2186 bytes
token:           eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYS1zZWMiLCJrdWJlcm5ldGVzLmlvL3Nl...
```
Each secret is mapped to the filesystem automatically. Nevertheless, I'd like to write into the PodSpec:

```yaml
env:
  - name: KUBERNETES_TOKEN
    valueFrom:
      secretKeyRef:
        name: <unknown service account secret name>
        key: token
```

I hope I've explained it a bit better.
You can create a secret annotated with the `kubernetes.io/service-account.name` annotation. This annotation provides the related service account information to the current secret.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-secret
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
```
This way, you are able to create a named secret with the desired data.
```yaml
- name: KUBERNETES_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-auth-secret
      key: token
```
How are you deploying your application, S2I?

If yes, you can use a custom `.s2i/bin/run` script to set it yourself from the contents of the file and then run the original S2I `run` script.

See the chapter 'Customizing Source-to-Image Builds' in the free eBook for more details.
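A concrete `.s2i/bin/run` wrapper along the lines of that answer, added here as an example rather than taken from the answer itself: it reads `token` and `namespace` from the mounted service-account secret (default mount point `/var/run/secrets/kubernetes.io/serviceaccount`) into environment variables and then execs the original run script. The `/usr/libexec/s2i/run` path is an assumption; check where your builder image keeps its run script.

```shell
#!/bin/sh
# Added example (not from the original answer): a custom .s2i/bin/run wrapper.
# It exports the mounted service-account token as KUBERNETES_TOKEN and then
# hands off to the image's original S2I run script.
set -e

# Default mount point of the service-account secret inside the pod.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
# Location of the builder image's original run script (assumption; check your image).
ORIG_RUN="${ORIG_RUN:-/usr/libexec/s2i/run}"

# load_secret_key KEY VAR: export the contents of $SA_DIR/KEY as VAR.
# Returns 1 when the file is missing or empty, so the container stops at
# startup instead of silently running without credentials.
load_secret_key() {
  key="$1"
  var="$2"
  file="$SA_DIR/$key"
  if [ ! -s "$file" ]; then
    echo "run: missing or empty secret file: $file" >&2
    return 1
  fi
  # $(cat ...) drops the trailing newline; the token is a single line.
  export "$var=$(cat "$file")"
}

main() {
  load_secret_key token KUBERNETES_TOKEN
  load_secret_key namespace KUBERNETES_NAMESPACE
  # Log the namespace only; never print the token itself.
  echo "run: loaded service-account token for namespace $KUBERNETES_NAMESPACE" >&2
  # exec replaces this wrapper with the original run script, so signals
  # reach the application directly.
  exec "$ORIG_RUN" "$@"
}

# Hand off only when the secret mount is present (i.e. inside a pod);
# otherwise the functions are merely defined, which keeps the script testable.
if [ -d "$SA_DIR" ]; then
  main "$@"
fi
```

Anything exported here is inherited by every process the application spawns and is readable from `/proc/<pid>/environ` by anyone who can exec into the container, so keep the variable scoped to the process that actually needs the token.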