
For now, we deploy the application pods using static files. One of them is app-secrets.yaml, which holds all the secrets needed to deploy the application.

---
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  root: xxxxxx
  user1: xxxxxx
  user2: xxxxxx

But this is neither secure nor convenient (if another app instance is needed, a human has to create another file with hand-generated passwords).

I'm trying to generate random passwords when the application is created, but I don't know whether that is possible. I've already looked into the secrets topic, and in particular secretGenerator, which, as I understand it, is not directly what I want (secret/app-secrets-ssdsdfmfh4k).


4 Answers


You may want to use kubernetes-secret-generator. I've tested it and it's doing exactly what you need.

To accomplish it you have to have helm in your cluster and follow these instructions:

Clone repository

$ git clone https://github.com/mittwald/kubernetes-secret-generator

Create helm deployment

$ helm upgrade --install secret-generator ./deploy/chart

Now, to use it, you just have to

Add the annotation secret-generator.v1.mittwald.de/autogenerate to any Kubernetes secret object. The value of the annotation can be a field name (or a comma-separated list of field names) within the secret; the SecretGeneratorController will pick up this annotation and add a field (or fields) (password in the example below) to the secret with a randomly generated string value. From here.

$ kubectl apply -f mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  annotations:
    secret-generator.v1.mittwald.de/autogenerate: password
data:
  username: UGxlYXNlQWNjZXB0Cg==

After applying this secret you can take a look at it to check whether the password was generated as expected:

$ kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: dnVKTDBJZ0tFS1BacmtTMnBuc3d2YWs2YlZsZ0xPTUFKdStDa3dwUQ==
  username: UGxlYXNlQWNjZXB0Cg==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"username":"UGxlYXNlQWNjZXB0Cg=="},"kind":"Secret","metadata":{"annotations":{"secret-generator.v1.mittwald.de/autogenerate":"password"},"name":"mysecret","namespace":"default"}}
    secret-generator.v1.mittwald.de/autogenerate: password
    secret-generator.v1.mittwald.de/autogenerate-generated-at: 2020-01-09 14:29:44.397648062
      +0000 UTC m=+664.011602557
    secret-generator.v1.mittwald.de/secure: "yes"
  creationTimestamp: "2020-01-09T14:29:44Z"
  name: mysecret
  namespace: default
  resourceVersion: "297425"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 7ae42d71-32ec-11ea-92b3-42010a800009
type: Opaque

As we can see, the password was generated and it's encrypted as you need.

Answered 2020-01-09T14:33:19.330
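As an added illustration of what the annotation-driven pattern above does (this is example code written for this page, not code from the mittwald kubernetes-secret-generator project, and the function names `random_password`, `fill_generated_fields`, `decode_field` and `to_manifest_json` are my own), the script below reads the `secret-generator.v1.mittwald.de/autogenerate` annotation from a Secret manifest, generates a value for each listed field from the operating system's CSPRNG, base64-encodes it into `data` as Kubernetes expects, and records a `generated-at` annotation. Fields that already exist are left alone, so running it twice does not silently rotate a credential that pods are already using. The sample manifest is constructed inline; the output JSON can be piped to `kubectl apply -f -`, which addresses the question's goal of not writing human-chosen passwords into static files.

```python
import base64
import json
import secrets
from datetime import datetime, timezone

# Annotation keys as used by the controller described in the answer above.
AUTOGEN = "secret-generator.v1.mittwald.de/autogenerate"
GENERATED_AT = "secret-generator.v1.mittwald.de/autogenerate-generated-at"


def random_password(nbytes: int = 32) -> str:
    """Return a URL-safe random string drawn from the OS CSPRNG.

    secrets.token_urlsafe is used deliberately: the random module is not
    suitable for credentials.
    """
    return secrets.token_urlsafe(nbytes)


def fill_generated_fields(manifest: dict, nbytes: int = 32) -> list:
    """Mimic the controller: add a random value for every field named in
    the autogenerate annotation. Mutates `manifest` in place and returns the
    list of field names that were newly generated.

    Existing fields are never overwritten, so re-applying is idempotent.
    """
    meta = manifest.setdefault("metadata", {})
    annotations = meta.setdefault("annotations", {})
    wanted = [f.strip() for f in annotations.get(AUTOGEN, "").split(",") if f.strip()]
    data = manifest.setdefault("data", {})
    generated = []
    for field in wanted:
        if field in data:          # do not rotate a value that already exists
            continue
        value = random_password(nbytes).encode("utf-8")
        data[field] = base64.b64encode(value).decode("ascii")   # Secret.data is base64
        generated.append(field)
    if generated:
        annotations[GENERATED_AT] = datetime.now(timezone.utc).isoformat()
    return generated


def decode_field(manifest: dict, field: str) -> str:
    """Decode one base64 field of the Secret's data map (helper for checks)."""
    return base64.b64decode(manifest["data"][field]).decode("utf-8")


def to_manifest_json(manifest: dict) -> str:
    """Serialise the manifest; kubectl accepts JSON as well as YAML."""
    return json.dumps(manifest, indent=2, sort_keys=True)


# Constructed sample input, modelled on the mysecret.yaml shown in the answer:
# the username is supplied, the password is to be generated.
SAMPLE_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "mysecret",
        "annotations": {AUTOGEN: "password"},
    },
    "type": "Opaque",
    "data": {"username": "UGxlYXNlQWNjZXB0Cg=="},
}


if __name__ == "__main__":
    manifest = json.loads(json.dumps(SAMPLE_MANIFEST))   # work on a copy
    fill_generated_fields(manifest)
    print(to_manifest_json(manifest))
```

Usage: `python3 gen_secret.py | kubectl apply -f -`. The generated value never needs to be seen by a human; if it must be rotated, delete the field (or the Secret) and re-run, rather than editing the file by hand.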