
Kubernetes about secrets and how to consume them in pods

I am using GCP Container Engine in my project, and now I am facing an issue that I don't know whether it can be solved via secrets.

One of my deployments is a Node.js app server, where I use some npm modules which require my GCP service account key (.json file) as an input.

The input is the path where this json file is located. Currently I managed to make it work by providing this file as part of my docker image, and then in the code I put the path to this file, and it works as expected. The problem is that I think this is not a good solution, because I want to decouple my Node.js image from the service account key: the service account key may change (e.g. dev, test, prod) and I would not be able to reuse my existing image (unless I build and push it to a different registry).

So how could I upload this service account json file as a secret and then consume it inside my pod? I saw that it is possible to create secrets out of files, but I don't know if it is possible to specify the path to the place where this json file is stored. If it is not possible with secrets (because maybe secrets are not saved in files...), then how (and if) can it be done?

You can make your json file a secret and consume it in your pod. See the following link for secrets ( http://kubernetes.io/docs/user-guide/secrets/ ), but I'll summarize next:

First create a secret from your json file:

kubectl create secret generic nodejs-key --from-file=./key.json 

Now that you've created the secret, you can consume it in your pod (in this example as a volume):

{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "nodejs"
  },
  "spec": {
    "containers": [{
      "name": "nodejs",
      "image": "node",
      "volumeMounts": [{
        "name": "foo",
        "mountPath": "/etc/foo",
        "readOnly": true
      }]
    }],
    "volumes": [{
      "name": "foo",
      "secret": {
        "secretName": "nodejs-key"
      }
    }]
  }
}

So when your pod spins up, the file will be dropped in the "file system" at /etc/foo/key.json

I think if you deploy on GKE/GCE, you don't need the key and it's going to work fine.

I've only tested with Google Cloud Logging but it might be the same for other services as well.

E.g. I only need the below when deploying the app on GKE/GCE:

// @google-cloud/logging (pre-1.0 API, where the module export is a factory function);
// no keyFilename is passed, so the client picks up the node's credentials on GKE/GCE
var logging = require('@google-cloud/logging');

var loggingClient = logging({
    projectId: 'grape-spaceship-123'
});
