
How to use kubernetes sealed secrets with helm templates

I just came across the sealed secrets tool https://github.com/bitnami-labs/sealed-secrets for encrypting secrets in kubernetes, with the added benefit of being able to commit those to git.

I am a bit disappointed that such a great tool did not address helm templates by default or as part of the official documentation. I mean, for a tool like that, I am not sure if the developers thought of the different ways people use secrets, of which helm charts are a great one, where we use values template files for different environments.

Anyway, here is my setup.

secrets.yaml

---
# templates/secrets.yaml: Secret.data must be base64, hence b64enc on each value
apiVersion: v1
kind: Secret
metadata:
  name: demo-app
type: Opaque
data:
  ENV1: "{{ .Values.ENV1 | b64enc }}"
  ENV2: "{{ .Values.ENV2 | b64enc }}"
  ENV3: "{{ .Values.ENV3 | b64enc }}"

Here are the values template files for DEV and PROD, for example.

values-dev.yaml

demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: latest
    pullPolicy: Always


# secrets
ENV1: 'dev_4rlmerl4om3o'
ENV2: 'dev_eom4om4odl4o'
ENV3: 'dev_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'

values-prod.yaml

demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: 1.0.0
    pullPolicy: Always


# secrets
ENV1: 'prod_4rlmerl4om3o'
ENV2: 'prod_eom4om4odl4o'
ENV3: 'prod_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'

Here is how I deploy the application.

DEV

helm upgrade --install demo-app-dev --namespace team1 -f values-dev.yaml .

PROD

helm upgrade --install demo-app-prod --namespace team1 -f values-prod.yaml .

I am trying to use sealed secrets with this scenario but am not able to figure out how to do it without changing my whole structure completely.

You can generate the values_{ENV}.yaml dynamically rather than maintaining it, and you can delete it after the deployments. So the next CI/CD build will generate it the same way for different apps.

If you want to use sealed secrets with helm, you need to update the helm chart and create one new YAML template:

# templates/sealedsecret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    # the value read from values.yaml must already be kubeseal ciphertext,
    # not plaintext; "foo" becomes the key of the unsealed Secret
    foo: "{{ .Values.ENV1 }}"

So the template will create the SealedSecret from values.yaml, and the K8s Secret will get auto-created as mentioned in the documentation of sealed secrets.

For a different environment, you can generate the values_{ENV}.yaml file and use it as you are doing now with values-dev.yaml and values-prod.yaml.

https://github.com/bitnami-labs/sealed-secrets#overview
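The answer above leaves the "generate the values file" step implicit. As an added worked example (not code from the question, the answer, or the sealed-secrets project), the script below shows one way to do it for the question's layout: it writes a chart template that renders a SealedSecret from a `.Values.sealed` map, and it turns a plaintext `values-<env>.yaml` (the files the question keeps) into a committable `values-<env>.sealed.yaml` whose values are `kubeseal --raw` ciphertexts. The `sealed:` values key, the file names, the `write_template` and `seal_env` helpers and the secret name `demo-app-dev` are assumptions of this example. It needs the `kubeseal` CLI and the controller's public certificate (`kubeseal --fetch-cert > pub-cert.pem`) on the machine that runs it; the private key never leaves the cluster.

```shell
#!/usr/bin/env bash
# seal-values.sh (example, not from the original post): produce a committable
# values file holding kubeseal ciphertexts, plus the chart template that
# renders them into a SealedSecret.
#
# Assumed layout:
#   values-<env>.yaml           plaintext, keep out of git (as in the question)
#   values-<env>.sealed.yaml    generated here, safe to commit
#   templates/sealedsecret.yaml written by write_template, reads .Values.sealed
set -eu

# Keys to seal; these are the Secret keys used in the question.
SECRET_KEYS="ENV1 ENV2 ENV3"

# Print the plaintext value of KEY from a flat values FILE, stripping optional
# single or double quotes. Only handles simple `KEY: 'value'` lines.
plain_value() {
  key=$1; file=$2
  grep "^${key}:" "$file" | head -n 1 \
    | sed -e "s/^${key}:[[:space:]]*//" -e "s/^'\(.*\)'$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Encrypt one value with the cluster's public sealing key. With --scope strict
# the ciphertext is bound to NAME and NAMESPACE, so the rendered SealedSecret
# must carry exactly those, or the controller refuses to unseal it.
seal_value() {
  value=$1; name=$2; ns=$3; cert=$4
  printf '%s' "$value" | kubeseal --raw --from-file=/dev/stdin \
    --name "$name" --namespace "$ns" --scope strict --cert "$cert"
}

# Write values-<env>.sealed.yaml from values-<env>.yaml; print the output path.
seal_env() {
  env=$1; name=$2; ns=$3; cert=$4
  in="values-${env}.yaml"; out="values-${env}.sealed.yaml"
  {
    printf '# generated by seal-values.sh for SealedSecret %s in namespace %s\n' "$name" "$ns"
    printf 'sealed:\n'
    for key in $SECRET_KEYS; do
      value=$(plain_value "$key" "$in")
      [ -n "$value" ] || { echo "missing $key in $in" >&2; return 1; }
      ct=$(seal_value "$value" "$name" "$ns" "$cert")
      printf '  %s: "%s"\n' "$key" "$ct"
    done
  } > "$out"
  printf '%s\n' "$out"
}

# Write the chart template. Keys under encryptedData become the keys of the
# unsealed Secret, so the range keeps the question's ENV1/ENV2/ENV3 names.
# The namespace comes from the release so it matches the sealing scope.
write_template() {
  name=$1; out=${2:-templates/sealedsecret.yaml}
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<EOF
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: ${name}
  namespace: {{ .Release.Namespace }}
spec:
  encryptedData:
{{- range \$k, \$v := .Values.sealed }}
    {{ \$k }}: {{ \$v | quote }}
{{- end }}
EOF
  printf '%s\n' "$out"
}

# Usage: ./seal-values.sh <env> <secret-name> <namespace> <pub-cert.pem>
# e.g.   ./seal-values.sh dev demo-app-dev team1 pub-cert.pem
#        helm upgrade --install demo-app-dev --namespace team1 -f values-dev.sealed.yaml .
if [ $# -eq 4 ]; then
  write_template "$2"
  seal_env "$1" "$2" "$3" "$4"
fi
```

Because both releases in the question share namespace `team1`, each environment needs its own SealedSecret name (here `demo-app-dev` and `demo-app-prod`), and the workload must reference that name instead of `demo-app`. A ciphertext sealed for one name or namespace does not unseal under another, so re-run the script after renaming or moving a release, and after any key rotation on the controller.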

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please cite this site or the original source. For any questions contact: yoyou2525@163.com.
