Can't use Google Cloud Kubernetes substitutions
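Obviously I'm doing something wrong, but I don't understand where the problem is. I'm new to Kubernetes.
There is a Node.js application that I can wrap in Docker and deploy to Google Compute Engine (it works with a Git trigger and locally too). The most important thing here is that there are environment variables, some of which are secret and encrypted with a key. Google also uses it to decrypt the values and supply them to the application during the build process (everything is done based on the Google docs). Now I'm trying to change the cloudbuild.yaml file to pick up the Kubernetes configuration.
cloudbuild.yaml (some settings may be redundant after switching from Docker to Kubernetes). Without the marked section in the cloudbuild.yaml below, I get the following error:
Error merging substitutions and validating build: Error validating build: key "_DB_HOST" in the substitution data is not matched in the template; key "_STATIC_SECRET" in the substitution data is not matched in the template; key "_TYPEORM_DATABASE" in the substitution data is not matched in the template; key "_TYPEORM_PASSWORD" in the substitution data is not matched in the template; key "_TYPEORM_USERNAME" in the substitution data is not matched in the template
That is correct, since Google treats unused substitutions as errors. But if I leave the marked section in, I get this error:
Error merging substitutions and validating build: Error validating build: invalid .secrets field: secret 0 defines no secretEnvs
This is totally unclear to me.
The cloudbuild file: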
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: [
    '-c',
    'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
  ]
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:latest',
    # <<<<<------- START OF DESCRIBED SECTION
    'DB_HOST=${_DB_HOST}',
    'TYPEORM_DATABASE=${_TYPEORM_DATABASE}',
    'TYPEORM_PASSWORD=${_TYPEORM_PASSWORD}',
    'TYPEORM_USERNAME=${_TYPEORM_USERNAME}',
    'STATIC_SECRET=${_STATIC_SECRET}',
    # <<<<<------- END OF DESCRIBED SECTION
    '.'
  ]
- name: 'gcr.io/cloud-builders/kubectl'
  args: [ 'apply', '-f', '/' ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
- name: 'gcr.io/cloud-builders/kubectl'
  args: [
    'set',
    'image',
    'deployment',
    'myproject',
    'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - 'DB_PORT=5432'
  - 'DB_SCHEMA=public'
  - 'TYPEORM_CONNECTION=postgres'
  - 'FE=myproject'
  - 'V=1'
  - 'CLEAR_DB=true'
  - 'BUCKET_NAME=myproject'
  - 'BUCKET_TYPE=google'
  - 'KMS_KEY_NAME=storagekey'
  secretEnv:
  - DB_HOST,
  - TYPEORM_DATABASE,
  - TYPEORM_PASSWORD,
  - TYPEORM_USERNAME,
  - STATIC_SECRET
timeout: 1600s
substitutions:
  _DB_HOST: $DB_HOST
  _TYPEORM_DATABASE: $TYPEORM_DATABASE
  _TYPEORM_PASSWORD: $TYPEORM_PASSWORD
  _TYPEORM_USERNAME: $TYPEORM_USERNAME
  _STATIC_SECRET: $STATIC_SECRET
secrets:
- kmsKeyName: projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey
- secretEnv:
    DB_HOST: <encrypted base64 here>
    TYPEORM_DATABASE: <encrypted base64 here>
    TYPEORM_PASSWORD: <encrypted base64 here>
    TYPEORM_USERNAME: <encrypted base64 here>
    STATIC_SECRET: <encrypted base64 here>
images:
- 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
- 'gcr.io/$PROJECT_ID/myproject:latest'
The secret.yaml file (it is supposed to be registered in kubectl):
apiVersion: v1
kind: Secret
metadata:
  name: myproject
type: Opaque
data:
  DB_HOST: <encrypted base64 here>
  TYPEORM_DATABASE: <encrypted base64 here>
  TYPEORM_PASSWORD: <encrypted base64 here>
  TYPEORM_USERNAME: <encrypted base64 here>
  STATIC_SECRET: <encrypted base64 here>
The pod.yaml file:
apiVersion: v1
kind: Pod
metadata:
  name: myproject
spec:
  containers:
  - name: myproject
    image: gcr.io/myproject/myproject:latest
    # project ID is valid here, don't bother on mock values
    env:
    - name: DB_HOST
      valueFrom:
        secretKeyRef:
          name: myproject
          key: DB_HOST
    - name: TYPEORM_DATABASE
      valueFrom:
        secretKeyRef:
          name: myproject
          key: TYPEORM_DATABASE
    - name: TYPEORM_PASSWORD
      valueFrom:
        secretKeyRef:
          name: myproject
          key: TYPEORM_PASSWORD
    - name: TYPEORM_USERNAME
      valueFrom:
        secretKeyRef:
          name: myproject
          key: TYPEORM_USERNAME
    - name: STATIC_SECRET
      valueFrom:
        secretKeyRef:
          name: myproject
          key: STATIC_SECRET
  restartPolicy: Never
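I think you've mixed too many things together, your old version and your new one. If your secrets are already set in the cluster, you don't need them at build time.
Try this, with only the steps required for deployment (no substitutions, no secrets, no KMS):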
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: [
    '-c',
    'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
  ]
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:latest',
    '.'
  ]
- name: 'gcr.io/cloud-builders/kubectl'
  args: [ 'apply', '-f', '/' ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
- name: 'gcr.io/cloud-builders/kubectl'
  args: [
    'set',
    'image',
    'deployment',
    'myproject',
    'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - 'DB_PORT=5432'
  - 'DB_SCHEMA=public'
  - 'TYPEORM_CONNECTION=postgres'
  - 'FE=myproject'
  - 'V=1'
  - 'CLEAR_DB=true'
  - 'BUCKET_NAME=myproject'
  - 'BUCKET_TYPE=google'
  - 'KMS_KEY_NAME=storagekey'
timeout: 1600s
images:
- 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
- 'gcr.io/$PROJECT_ID/myproject:latest'
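As an added example (not code from the question or the answer): a small Python check for the two validation failures the question quotes, run over a constructed JSON rendering of the question's config with placeholder ciphertexts. The finding messages, `lint` and `merged` are this example's own names, and it assumes the second error stems from `kmsKeyName` and `secretEnv` being written as two separate `secrets` list items.

```python
import json
import re

# Constructed sample: the question's config cut down to the relevant keys, in
# Cloud Build's JSON form (stdlib-parsable). Ciphertexts are placeholders.
BROKEN = json.loads("""
{
  "steps": [
    {"name": "gcr.io/cloud-builders/docker",
     "args": ["build", "-t", "gcr.io/$PROJECT_ID/myproject:latest", "."]},
    {"name": "gcr.io/cloud-builders/kubectl", "args": ["apply", "-f", "/"],
     "secretEnv": ["DB_HOST", "STATIC_SECRET"]}
  ],
  "substitutions": {"_DB_HOST": "$DB_HOST", "_STATIC_SECRET": "$STATIC_SECRET"},
  "secrets": [
    {"kmsKeyName": "projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey"},
    {"secretEnv": {"DB_HOST": "<ciphertext>", "STATIC_SECRET": "<ciphertext>"}}
  ]
}
""")


def lint(config):
    """Return this linter's own findings (not Cloud Build's messages)."""
    findings = []
    # Everything except the substitutions map is the "template" to search.
    template = json.dumps({k: v for k, v in config.items() if k != "substitutions"})
    for key in sorted(config.get("substitutions", {})):
        if not re.search(r"\$\{?" + re.escape(key) + r"\b", template):
            findings.append(f"substitution {key} is never referenced")
    usable = set()
    for i, secret in enumerate(config.get("secrets", [])):
        if not secret.get("secretEnv"):
            findings.append(f"secrets[{i}] defines no secretEnv")
        elif not secret.get("kmsKeyName"):
            findings.append(f"secrets[{i}] has no kmsKeyName to decrypt with")
        else:
            usable |= set(secret["secretEnv"])
    for i, step in enumerate(config.get("steps", [])):
        for name in step.get("secretEnv", []):
            if name not in usable:
                findings.append(f"steps[{i}] secretEnv {name} has no usable secret")
    return findings


def merged(config):
    # One repair: fold the split secrets items into one, drop unused substitutions.
    one = {k: v for s in config["secrets"] for k, v in s.items()}
    return {**config, "secrets": [one], "substitutions": {}}
```

`lint(BROKEN)` reports both unused substitutions and both halves of the split `secrets` entry; `lint(merged(BROKEN))` returns an empty list.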