[英]How to securely store JWT secrets/private keys on a NODEjs application?
[英]How to use kubernetes secrets in nodejs application?
我在gcp上有一个kubernetes 集群,运行我的express和node.js应用程序,使用MongoDB
操作CRUD
操作。
我创建了一个秘密,包含username
和password
,连接到mongoDB
指定的秘密作为我的kubernetes
yml
文件中的environment
。 现在我的问题是“如何在用于连接 mongoDB 的节点 js 应用程序中访问该用户名和密码”。
我在Node.JS
应用程序中尝试了process.env.SECRET_USERNAME
和process.env.SECRET_PASSWORD
,它抛出undefined
。
任何想法将不胜感激。
隐藏文件
apiVersion: v1
data:
password: pppppppppppp==
username: uuuuuuuuuuuu==
kind: Secret
metadata:
creationTimestamp: 2018-07-11T11:43:25Z
name: test-mongodb-secret
namespace: default
resourceVersion: "00999"
selfLink: /api-path-to/secrets/test-mongodb-secret
uid: 0900909-9090saiaa00-9dasd0aisa-as0a0s-
type: Opaque
kubernetes.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:deployment.kubernetes.io/
revision: "4"
creationTimestamp: 2018-07-11T11:09:45Z
generation: 5
labels:
name: test
name: test
namespace: default
resourceVersion: "90909"
selfLink: /api-path-to/default/deployments/test
uid: htff50d-8gfhfa-11egfg-9gf1-42010gffgh0002a
spec:
replicas: 1
selector:
matchLabels:
name: test
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
name: test
spec:
containers:
- env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
key: username
name: test-mongodb-secret
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: test-mongodb-secret
image: gcr-image/env-test_node:latest
imagePullPolicy: Always
name: env-test-node
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
availableReplicas: 1
conditions:
- lastTransitionTime: 2018-07-11T11:10:18Z
lastUpdateTime: 2018-07-11T11:10:18Z
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
observedGeneration: 5
readyReplicas: 1
replicas: 1
updatedReplicas: 1
您的kubernetes.yaml
文件指定了存储您的机密的环境变量,以便该命名空间中的应用程序可以访问它。
使用kubectl secrets cli 界面,您可以上传您的秘密。
kubectl create secret generic -n node-app test-mongodb-secret --from-literal=username=a-username --from-literal=password=a-secret-password
(命名空间 arg -n node-app
是可选的,否则它将上传到默认命名空间)
运行此命令后,您可以检查您的 kube 仪表板以查看机密已保存
然后从您的节点应用程序访问环境变量process.env.SECRET_PASSWORD
也许在您的情况下,秘密是在错误的命名空间中创建的,因此为什么在您的应用程序中undefined
。
编辑 1
您对container.env
缩进似乎是错误的
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
- name: mycontainer
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
restartPolicy: Never
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.