使用在 Kubernetes 集群上运行的应用程序的密钥文件

Question

I'm trying to use a key file in my Kubernetes application and I can't seem to find an example of this anywhere. I want to use Firebase authentication in my NodeJS backend. When running my application locally I was using the following

admin.initializeApp({
  credential: admin.credential.cert(SERVICE_ACCOUNT_KEY_PATH),
});

My initial thought was to create a secret from a key file like

$ gcloud container clusters get-credentials my-cluster --zone us-central1-c --project my-project
$ kubectl create secret generic service-account-key \
    --from-file=${SERVICE_ACCOUNT_KEY_PATH}

However, since I am creating a secret there is not a path for me to set my SERVICE_ACCOUNT_KEY_PATH to when running my application in a Kubernetes container. What is the correct method for doing this in Kubernetes?

Answer 1

you can save the serviceaccount file inside the secret and mount the secret into the deployment volume.

so the secret will be accessible to deployment's volume and your pod can access it.

for example:

apiVersion: v1
kind: Deployment
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

you can check out the:

https://kubernetes.io/docs/concepts/configuration/secret/#use-case-pod-with-ssh-keys

another example: https://kubernetes.io/docs/concepts/configuration/secret/#use-case-dotfiles-in-a-secret-volume

so basic idea is to mount the secret into the volume of the deployment and it will be used by the code.