Unable to use Google Cloud Kubernetes substitutions

Time: 2019-10-25 10:05:41

Tags: docker kubernetes google-cloud-platform google-kubernetes-engine

Obviously I am doing something wrong, but I don't understand what the problem is. I'm new to Kubernetes.

I have a Node.js application that I can wrap into Docker and deploy to Google Compute Engine (it works with Git triggers, and it works locally). The most important thing here is that there are env variables, some of them secret, encrypted with a key. Google also uses that key to decrypt the values and provides them to the application during the build (everything was done following the Google documentation). Now I am trying to change the cloudbuild.yaml file to get a Kubernetes configuration.

cloudbuild.yaml (after switching from Docker to Kubernetes, some of the settings may be redundant). Without the section marked below in cloudbuild.yaml, I get the following error:

Error merging substitutions and validating build: Error validating build: key "_DB_HOST" in the substitution data is not matched in the template; key "_STATIC_SECRET" in the substitution data is not matched in the template; key "_TYPEORM_DATABASE" in the substitution data is not matched in the template; key "_TYPEORM_PASSWORD" in the substitution data is not matched in the template; key "_TYPEORM_USERNAME" in the substitution data is not matched in the template

That is correct, since Google treats unused substitutions as errors. But if I leave the marked section in, I get this error:

Error merging substitutions and validating build: Error validating build: invalid .secrets field: secret 0 defines no secretEnvs

This is completely unclear to me.

The cloudbuild file:

steps:
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'bash'
    args: [
      '-c',
      'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:latest',
# <<<<<------- START OF DESCRIBED SECTION
      'DB_HOST=${_DB_HOST}',
      'TYPEORM_DATABASE=${_TYPEORM_DATABASE}',
      'TYPEORM_PASSWORD=${_TYPEORM_PASSWORD}',
      'TYPEORM_USERNAME=${_TYPEORM_USERNAME}',
      'STATIC_SECRET=${_STATIC_SECRET}',
# <<<<<------- END OF DESCRIBED SECTION
      '.'
    ]
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [ 'apply', '-f', '/' ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [
      'set',
      'image',
      'deployment',
      'myproject',
      'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
    ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
      - 'DB_PORT=5432'
      - 'DB_SCHEMA=public'
      - 'TYPEORM_CONNECTION=postgres'
      - 'FE=myproject'
      - 'V=1'
      - 'CLEAR_DB=true'
      - 'BUCKET_NAME=myproject'
      - 'BUCKET_TYPE=google'
      - 'KMS_KEY_NAME=storagekey'
    secretEnv:
      - DB_HOST
      - TYPEORM_DATABASE
      - TYPEORM_PASSWORD
      - TYPEORM_USERNAME
      - STATIC_SECRET
timeout: 1600s
substitutions:
  _DB_HOST: $DB_HOST
  _TYPEORM_DATABASE: $TYPEORM_DATABASE
  _TYPEORM_PASSWORD: $TYPEORM_PASSWORD
  _TYPEORM_USERNAME: $TYPEORM_USERNAME
  _STATIC_SECRET: $STATIC_SECRET
secrets:
  - kmsKeyName: projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey
  - secretEnv:
      DB_HOST: <encrypted base64 here>
      TYPEORM_DATABASE: <encrypted base64 here>
      TYPEORM_PASSWORD: <encrypted base64 here>
      TYPEORM_USERNAME: <encrypted base64 here>
      STATIC_SECRET: <encrypted base64 here>
images:
  - 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  - 'gcr.io/$PROJECT_ID/myproject:latest'

The secret.yaml file (which should be registered with kubectl):

apiVersion: v1
kind: Secret
metadata:
  name: myproject
type: Opaque
data:
  DB_HOST: <encrypted base64 here>
  TYPEORM_DATABASE: <encrypted base64 here>
  TYPEORM_PASSWORD: <encrypted base64 here>
  TYPEORM_USERNAME: <encrypted base64 here>
  STATIC_SECRET: <encrypted base64 here>

The pod.yaml file:

apiVersion: v1
kind: Pod
metadata:
  name: myproject
spec:
  containers:
    - name: myproject
      image: gcr.io/myproject/myproject:latest
      # project ID is valid here, don't bother on mock values
      env:
        - name: DB_HOST
          valueFrom:
            secretKeyRef:
              name: myproject
              key: DB_HOST
        - name: TYPEORM_DATABASE
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_DATABASE
        - name: TYPEORM_PASSWORD
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_PASSWORD
        - name: TYPEORM_USERNAME
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_USERNAME
        - name: STATIC_SECRET
          valueFrom:
            secretKeyRef:
              name: myproject
              key: STATIC_SECRET
    restartPolicy: Never
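An added checker, my own code rather than the question's file or anything shipped by Cloud Build, that reproduces the two validation errors quoted above on a constructed miniature of this cloudbuild.yaml. It assumes the documented shape of the `secrets` field, where each list item is one object carrying both `kmsKeyName` and `secretEnv`; the posted file splits them across two list items, which is exactly what "secret 0 defines no secretEnvs" complains about. The names `BUILD`, `FIRST_ATTEMPT`, `validate` and `fixed_secrets` are mine.

```python
import copy
import re
# Constructed miniature of the question's cloudbuild.yaml (not the page's file itself).
BUILD = {
    "steps": [
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["build", "-t", "gcr.io/$PROJECT_ID/myproject:latest",
                  "DB_HOST=${_DB_HOST}", "STATIC_SECRET=${_STATIC_SECRET}", "."]},
        {"name": "gcr.io/cloud-builders/kubectl",
         "args": ["set", "image", "deployment", "myproject",
                  "myproject=gcr.io/$PROJECT_ID/myproject:latest"],
         "secretEnv": ["DB_HOST", "STATIC_SECRET"]},
    ],
    "substitutions": {"_DB_HOST": "$DB_HOST", "_STATIC_SECRET": "$STATIC_SECRET"},
    "secrets": [  # split across two items, as in the question
        {"kmsKeyName": "projects/p/locations/global/keyRings/storage/cryptoKeys/storagekey"},
        {"secretEnv": {"DB_HOST": "<ciphertext>", "STATIC_SECRET": "<ciphertext>"}},
    ],
}
FIRST_ATTEMPT = copy.deepcopy(BUILD)  # the question's first try: marked ${_X} args removed
FIRST_ATTEMPT["steps"][0]["args"] = [a for a in BUILD["steps"][0]["args"] if "${_" not in a]
USER_SUB = re.compile(r"\$\{?(_[A-Z0-9_]+)\}?")  # user-defined substitutions start with "_"

def validate(build):
    """Reproduce the two Cloud Build errors from the question, plus one local consistency check."""
    used = set()
    for step in build["steps"]:
        for text in step.get("args", []) + step.get("env", []):
            used.update(USER_SUB.findall(text))
    errors = [f'key "{k}" in the substitution data is not matched in the template'
              for k in sorted(build.get("substitutions", {})) if k not in used]
    if errors:  # substitution merging fails before the .secrets field is validated
        return errors
    declared = set()
    for i, secret in enumerate(build.get("secrets", [])):
        if not secret.get("secretEnv"):
            errors.append(f"invalid .secrets field: secret {i} defines no secretEnvs")
        declared.update(secret.get("secretEnv", {}))
    for i, step in enumerate(build["steps"]):  # own check, not a Cloud Build message
        errors += [f"step {i}: secretEnv {n!r} matches no secrets entry"
                   for n in step.get("secretEnv", []) if n not in declared]
    return errors

def fixed_secrets(build):
    """Corrected shape: ONE secrets item holding both kmsKeyName and secretEnv."""
    out = copy.deepcopy(build)
    out["secrets"] = [{k: v for item in out["secrets"] for k, v in item.items()}]
    return out
```

`validate(FIRST_ATTEMPT)` yields the "not matched in the template" messages, `validate(BUILD)` the "secret 0 defines no secretEnvs" one, and `validate(fixed_secrets(BUILD))` is clean.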

1 answer:

Answer 0 (score: 2)

I think you are mixing too many things, your old version and your new one. If your secrets are already set up, you don't need them at build time.

Try this, only the steps needed to deploy (no substitutions, no secrets, no KMS):

steps:
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'bash'
    args: [
      '-c',
      'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:latest',
      '.'
    ]
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [ 'apply', '-f', '/' ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [
      'set',
      'image',
      'deployment',
      'myproject',
      'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
    ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
      - 'DB_PORT=5432'
      - 'DB_SCHEMA=public'
      - 'TYPEORM_CONNECTION=postgres'
      - 'FE=myproject'
      - 'V=1'
      - 'CLEAR_DB=true'
      - 'BUCKET_NAME=myproject'
      - 'BUCKET_TYPE=google'
      - 'KMS_KEY_NAME=storagekey'
timeout: 1600s
images:
  - 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  - 'gcr.io/$PROJECT_ID/myproject:latest'