How can I automatically add a Kubernetes client secret as a file mount in Terraform?
I am setting up External-DNS with Terraform. Per the documentation, I have to manually create an azure.json file and mount it as a secret volume. The directions also state:

The Azure DNS provider expects, by default, that the configuration file is at /etc/kubernetes/azure.json
    {
      "tenantId": "01234abc-de56-ff78-abc1-234567890def",
      "subscriptionId": "01234abc-de56-ff78-abc1-234567890def",
      "resourceGroup": "MyDnsResourceGroup",
      "aadClientId": "01234abc-de56-ff78-abc1-234567890def",
      "aadClientSecret": "uKiuXeiwui4jo9quae9o"
    }
I then run kubectl create secret generic azure-config-file --from-file=/local/path/to/azure.json to mount the secret as a file.
The problem is that those values are dynamic, and I need to do this automatically per a CI/CD pipeline. I'm using Terraform Kubernetes resources, and here I've used the kubernetes_secret resource.
    resource "kubernetes_secret" "azure_config_file" {
      metadata {
        name = "azure-config-file"
      }
      data = {
        tenantId        = data.azurerm_subscription.current.tenant_id
        subscriptionId  = data.azurerm_subscription.current.subscription_id
        resourceGroup   = azurerm_resource_group.k8s.name
        aadClientId     = azuread_application.sp_externaldns_connect_to_dns_zone.application_id
        aadClientSecret = azuread_application_password.sp_externaldns_connect_to_dns_zone.value
      }
      depends_on = [
        kubernetes_namespace.external_dns,
      ]
    }
The secret gets mounted, but the pod never sees it and it results in a crashLoopBackoff. This may not be the best direction.

How do I automate this process with Terraform and get it mounted correctly?

For reference, this is the related section of the YAML manifest:
    ...
    volumeMounts:
    - name: azure-config-file
      mountPath: /etc/kubernetes
      readOnly: true
    volumes:
    - name: azure-config-file
      secret:
        secretName: azure-config-file
        items:
        - key: externaldns-config.json
          path: azure.json
This is the Terraform version of using the --from-file flag with kubectl.

Basically, you'll add the name of the file and its contents per the structure of the data block below.
    resource "kubernetes_secret" "azure_config_file" {
      metadata {
        name = "azure-config-file"
      }
      data = {
        "azure.json" = jsonencode({
          tenantId        = data.azurerm_subscription.current.tenant_id
          subscriptionId  = data.azurerm_subscription.current.subscription_id
          resourceGroup   = data.azurerm_resource_group.rg.name
          aadClientId     = azuread_application.sp_externaldns_connect_to_dns_zone.application_id
          aadClientSecret = azuread_application_password.sp_externaldns_connect_to_dns_zone.value
        })
      }
    }
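To show how the mount side has to line up with that secret, here is an added Terraform example of the matching kubernetes_deployment resource; it is not part of the original answer, and the image placeholder, the container args and the omission of a namespace are assumptions.

```hcl
# Added example: Deployment that mounts the secret above as /etc/kubernetes/azure.json.
# No namespace is set here, matching the secret in the answer; if you add one,
# the Secret and the Deployment must be in the same namespace or the mount fails.
resource "kubernetes_deployment" "external_dns" {
  metadata {
    name = "external-dns"
  }

  spec {
    selector {
      match_labels = { app = "external-dns" }
    }

    template {
      metadata {
        labels = { app = "external-dns" }
      }

      spec {
        container {
          name  = "external-dns"
          image = "EXTERNAL_DNS_IMAGE_PLACEHOLDER" # assumption: pin a real image/tag here
          args  = ["--source=service", "--provider=azure"] # minimal args, extend as needed

          # Mount the whole volume read-only; the file appears as /etc/kubernetes/azure.json
          volume_mount {
            name       = "azure-config-file"
            mount_path = "/etc/kubernetes"
            read_only  = true
          }
        }

        volume {
          name = "azure-config-file"
          secret {
            # Reference the secret by its Terraform resource so renames stay consistent
            secret_name = kubernetes_secret.azure_config_file.metadata[0].name

            # `key` must equal the key used in the secret's data map ("azure.json");
            # a mismatched key projects nothing and the pod never finds the file.
            items {
              key  = "azure.json"
              path = "azure.json"
            }
          }
        }
      }
    }
  }
}
```

The client secret and the rendered JSON are also written to Terraform state in plain text, so the state backend needs the same access controls as the cluster secret itself.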