
MySQL Docker Image: initialized with env variable of K8S Secret

When I try to deploy with K8S using an env variable for the root password (MYSQL_ROOT_PASSWORD, the variable used in docker-entrypoint.sh), for example

kind: Deployment
# omitted...
spec:
      containers:
        # omitted...
        env:
          - name: MYSQL_ROOT_PASSWORD
            value: my-secret-passw

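the deployment with kubectl apply -k seems to run. Of course, this is an insecure deployment. MySQL initialization works fine and everything goes as expected. So I tried to create a secret and retrieve the value from that secret, like this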

kind: Deployment
# omitted...
spec:
      containers:
        # omitted...
        env:
          - name: MYSQL_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                key: MYSQL_ROOT_PASSWORD
                name: mysql-root-password

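the MySQL initialization doesn't work. I don't know exactly what went wrong. The kubectl logs, or stdout of the container, are as follows (keep in mind that using the literal root password does not return a result like this):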

[MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock'
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
[Note] [Entrypoint]: /usr/local/bin/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/sql-script.sql
mysql: [ERROR] unknown option '-- "'. 

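When checking the Docker image source code, there seems to be no string about "unknown option" (see the GitHub repository here; I'm using mysql 8.0). It seems to come from mysql itself.

So why does using a literal value in the K8S env variable (which is insecure!) work, but reading from a secret does not?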

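It seems that version 8.0 is broken or missing something, because it doesn't see the password. I'm not an expert in this area, so maybe someone else can add more details.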

2020-02-07T16:09:06.648827Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2020-02-07T16:09:06.649084Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.19) initializing of server in progress as process 44
2020-02-07T16:09:10.821145Z 5 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2020-02-07 16:09:14+00:00 [Note] [Entrypoint]: Database files initialized
2020-02-07 16:09:14+00:00 [Note] [Entrypoint]: Starting temporary server
2020-02-07T16:09:14.823453Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2020-02-07T16:09:14.823582Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.19) starting as process 94
2020-02-07T16:09:15.631008Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2020-02-07T16:09:15.635649Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2020-02-07T16:09:15.655790Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.19'  socket: '/var/run/mysqld/mysqld.sock'  port: 0  MySQL Community Server - GPL.
2020-02-07 16:09:15+00:00 [Note] [Entrypoint]: Temporary server started.
2020-02-07T16:09:15.740600Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock'
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.

2020-02-07 16:09:19+00:00 [Note] [Entrypoint]: Stopping temporary server
2020-02-07T16:09:19.476870Z 10 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.0.19).

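I have tested image 5.6 from the official mysql repository and it seems to work just fine.

I have run the whole MySQL + WordPress deployment using the tutorial on kubernetes.io, which I recommend.

I created the secret manually, using: kubectl create secret generic mysql-pass --from-literal=password=test

It looks like there is a similar issue: "Can't start server on Amazon Linux AMI (works with 5.7) #628"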

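After a while, I realized the problem was not with the K8S secret. I accidentally changed my password to a string without special characters, and that solved it! From the post, you can see that the characters -- were read as input to the next process (damn, I'm giving away my password! No, it has already been changed). So, anyone with the same problem (using mysql), consider choosing a secret whose password has no special characters. A long password combining digits and mixed-case letters is probably strong enough, especially if you use paper and pencil!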
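The check suggested in the last answer can be scripted before the secret is created. The following is an added example, not part of the original posts: the function names `classify_password` and `generate_password` are hypothetical, and the secret name and key are the ones used in the question's `secretKeyRef`.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical and not from the thread.

# Classify a candidate password. Prints "ok" and returns 0 only when the
# value is non-empty and purely [A-Za-z0-9]; otherwise prints why it may
# be mangled when scripts hand it to a command-line client.
classify_password() {
    local LC_ALL=C
    local value="$1"
    case "$value" in
        '')                       echo "empty"; return 1 ;;
        -*)                       echo "leading-dash"; return 1 ;;
        *\'*|*\"*|*\\*|*\$*|*\`*) echo "quote-or-shell-metachar"; return 1 ;;
        *[[:space:]]*)            echo "whitespace"; return 1 ;;
        *[!A-Za-z0-9]*)           echo "other-special-char"; return 1 ;;
    esac
    echo "ok"
}

# Print a random password of the given length (default 32) from [A-Za-z0-9].
generate_password() {
    local len="${1:-32}"
    local out=""
    while [ "${#out}" -lt "$len" ]; do
        out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$out" | head -c "$len"
}

# Demo: generate a value, check it, and show the command that would store it.
# Secret name and key are the ones referenced by secretKeyRef in the question.
pw="$(generate_password 32)"
if classify_password "$pw" >/dev/null; then
    echo "kubectl create secret generic mysql-root-password \\"
    echo "  --from-literal=MYSQL_ROOT_PASSWORD=<generated value, not printed>"
fi
```

A 32-character value drawn from 62 symbols carries roughly 190 bits of entropy, so dropping special characters does not weaken it in practice.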


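Disclaimer: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.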

 