
How can I automatically add a Kubernetes client secret as a file mount in Terraform?

I am setting up External-DNS with Terraform. Per the documentation, I have to manually create an azure.json file and mount it as a secret volume. The directions also state:

The Azure DNS provider expects, by default, that the configuration file is at /etc/kubernetes/azure.json

{
  "tenantId": "01234abc-de56-ff78-abc1-234567890def",
  "subscriptionId": "01234abc-de56-ff78-abc1-234567890def",
  "resourceGroup": "MyDnsResourceGroup",
  "aadClientId": "01234abc-de56-ff78-abc1-234567890def",
  "aadClientSecret": "uKiuXeiwui4jo9quae9o"
}

I then run kubectl create secret generic azure-config-file --from-file=/local/path/to/azure.json to mount the secret as a file.

The problem is that those values are dynamic, and I need to do this automatically per a CI/CD pipeline. I'm using Terraform Kubernetes resources, and here I've used the kubernetes_secret resource.

resource "kubernetes_secret" "azure_config_file" {
  metadata {
    name = "azure-config-file"
  }

  # Each key in a Secret's data map becomes a separate file (named after the
  # key) when the Secret is mounted as a volume, so this produces five files
  # (tenantId, subscriptionId, ...) rather than one azure.json.
  data = {
    tenantId        = data.azurerm_subscription.current.tenant_id
    subscriptionId  = data.azurerm_subscription.current.subscription_id
    resourceGroup   = azurerm_resource_group.k8s.name
    aadClientId     = azuread_application.sp_externaldns_connect_to_dns_zone.application_id
    aadClientSecret = azuread_application_password.sp_externaldns_connect_to_dns_zone.value
  }

  depends_on = [
    kubernetes_namespace.external_dns,
  ]
}

The secret gets mounted, but the pod never sees it and it results in a CrashLoopBackOff. This may not be the best direction.

How do I automate this process with Terraform and get it mounted correctly?

For reference, this is the related section of the YAML manifest:

...

        volumeMounts:
        - name: azure-config-file
          mountPath: /etc/kubernetes
          readOnly: true
      volumes:
      - name: azure-config-file
        secret:
          secretName: azure-config-file
          items:
          - key: externaldns-config.json
            path: azure.json

This is the Terraform version of using the --from-file flag with kubectl.

Basically, you'll add the name of the file and its contents per the structure of the data block below.

resource "kubernetes_secret" "azure_config_file" {
  metadata {
    name = "azure-config-file"
  }

  # One map entry per file: the key is the file name inside the mounted
  # volume and the value is the file contents. jsonencode() renders the
  # map as the JSON document External-DNS expects; the provider base64-
  # encodes the value in the Secret for you. The key must match the
  # `items.key` in the pod's volume spec (or drop `items` so the file is
  # named after the key directly).
  data = {
    "azure.json" = jsonencode({
      tenantId        = data.azurerm_subscription.current.tenant_id
      subscriptionId  = data.azurerm_subscription.current.subscription_id
      resourceGroup   = data.azurerm_resource_group.rg.name
      aadClientId     = azuread_application.sp_externaldns_connect_to_dns_zone.application_id
      aadClientSecret = azuread_application_password.sp_externaldns_connect_to_dns_zone.value
    })
  }
}
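The complete wiring, added here as an example and not code from the question or the answer above: the Secret is created in the same namespace the pod runs in, its single data key is the file name, and the Deployment's volume references that exact key so the file lands at /etc/kubernetes/azure.json. The namespace, the data source and resource names (azurerm_subscription.current, azurerm_resource_group.rg, azuread_application.external_dns, azuread_application_password.external_dns) and the image tag are assumptions; substitute your own.

```terraform
# Added example; resource/data source names and the image tag are assumptions.

resource "kubernetes_namespace" "external_dns" {
  metadata {
    name = "external-dns"
  }
}

# One key per file: the key is the file name inside the mounted volume.
# The Secret lives in the pod's namespace; a Secret in "default" is invisible
# to a pod in "external-dns", which is one way to end up in CrashLoopBackOff.
resource "kubernetes_secret" "azure_config_file" {
  metadata {
    name      = "azure-config-file"
    namespace = kubernetes_namespace.external_dns.metadata[0].name
  }

  data = {
    "azure.json" = jsonencode({
      tenantId        = data.azurerm_subscription.current.tenant_id
      subscriptionId  = data.azurerm_subscription.current.subscription_id
      resourceGroup   = data.azurerm_resource_group.rg.name
      aadClientId     = azuread_application.external_dns.application_id
      aadClientSecret = azuread_application_password.external_dns.value
    })
  }
}

resource "kubernetes_deployment" "external_dns" {
  metadata {
    name      = "external-dns"
    namespace = kubernetes_namespace.external_dns.metadata[0].name
  }

  spec {
    selector {
      match_labels = { app = "external-dns" }
    }

    template {
      metadata {
        labels = { app = "external-dns" }
      }

      spec {
        container {
          name  = "external-dns"
          image = "registry.k8s.io/external-dns/external-dns:v0.14.0" # tag is an assumption
          args  = ["--source=service", "--source=ingress", "--provider=azure"]

          # Mount read-only; the directory becomes /etc/kubernetes and the
          # file inside it is named by `items.path` below.
          volume_mount {
            name       = "azure-config-file"
            mount_path = "/etc/kubernetes"
            read_only  = true
          }
        }

        volume {
          name = "azure-config-file"

          secret {
            secret_name = kubernetes_secret.azure_config_file.metadata[0].name

            # `key` must be a key in the Secret's data map; `path` is the file
            # name under mount_path, giving /etc/kubernetes/azure.json.
            items {
              key  = "azure.json"
              path = "azure.json"
            }
          }
        }
      }
    }
  }
}
```

After `terraform apply`, confirm the file contents with `kubectl -n external-dns get secret azure-config-file -o jsonpath='{.data.azure\.json}' | base64 -d`. Note that because aadClientSecret is passed through a kubernetes_secret resource, the client secret is stored in plaintext in the Terraform state; the state backend needs the same access control and encryption at rest as the Secret itself, and the pipeline's plan output should be treated as sensitive.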
