Obviously I am doing something wrong, but I don't understand where the problem is. I am new to Kubernetes.
There is a Node.js application that I can wrap into Docker and deploy to Google Compute Engine (it works with Git triggers and locally). The most important thing here is that there are env variables, some of which are secret and encrypted with a key. Google also uses that key to decrypt the values and provides them to the application during the build (everything was done following the Google docs). Now I am trying to change the cloudbuild.yaml file to get a Kubernetes configuration.
cloudbuild.yaml (after switching from Docker to Kubernetes some of the settings may be redundant). Without the section marked below in cloudbuild.yaml I get the following error:
Error merging substitutions and validating build: Error validating build: key "_DB_HOST" in the substitution data is not matched in the template; key "_STATIC_SECRET" in the substitution data is not matched in the template; key "_TYPEORM_DATABASE" in the substitution data is not matched in the template; key "_TYPEORM_PASSWORD" in the substitution data is not matched in the template; key "_TYPEORM_USERNAME" in the substitution data is not matched in the template
This is correct, since Google treats unused substitutions as an error. But if I leave the marked section in, I get this error:
Error merging substitutions and validating build: Error validating build: invalid .secrets field: secret 0 defined without secretEnvs
This is completely unclear to me.
cloudbuild file:
steps:
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'bash'
    args: [
      '-c',
      'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:latest',
      # <<<<<------- START OF DESCRIBED SECTION
      'DB_HOST=${_DB_HOST}',
      'TYPEORM_DATABASE=${_TYPEORM_DATABASE}',
      'TYPEORM_PASSWORD=${_TYPEORM_PASSWORD}',
      'TYPEORM_USERNAME=${_TYPEORM_USERNAME}',
      'STATIC_SECRET=${_STATIC_SECRET}',
      # <<<<<------- END OF DESCRIBED SECTION
      '.'
    ]
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [ 'apply', '-f', '/' ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [
      'set',
      'image',
      'deployment',
      'myproject',
      'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
    ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
      - 'DB_PORT=5432'
      - 'DB_SCHEMA=public'
      - 'TYPEORM_CONNECTION=postgres'
      - 'FE=myproject'
      - 'V=1'
      - 'CLEAR_DB=true'
      - 'BUCKET_NAME=myproject'
      - 'BUCKET_TYPE=google'
      - 'KMS_KEY_NAME=storagekey'
    secretEnv:
      - DB_HOST,
      - TYPEORM_DATABASE,
      - TYPEORM_PASSWORD,
      - TYPEORM_USERNAME,
      - STATIC_SECRET
timeout: 1600s
substitutions:
  _DB_HOST: $DB_HOST
  _TYPEORM_DATABASE: $TYPEORM_DATABASE
  _TYPEORM_PASSWORD: $TYPEORM_PASSWORD
  _TYPEORM_USERNAME: $TYPEORM_USERNAME
  _STATIC_SECRET: $STATIC_SECRET
secrets:
  - kmsKeyName: projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey
  - secretEnv:
      DB_HOST: <encrypted base64 here>
      TYPEORM_DATABASE: <encrypted base64 here>
      TYPEORM_PASSWORD: <encrypted base64 here>
      TYPEORM_USERNAME: <encrypted base64 here>
      STATIC_SECRET: <encrypted base64 here>
images:
  - 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  - 'gcr.io/$PROJECT_ID/myproject:latest'
secret.yaml file (which should be registered with kubectl):
apiVersion: v1
kind: Secret
metadata:
  name: myproject
type: Opaque
data:
  DB_HOST: <encrypted base64 here>
  TYPEORM_DATABASE: <encrypted base64 here>
  TYPEORM_PASSWORD: <encrypted base64 here>
  TYPEORM_USERNAME: <encrypted base64 here>
  STATIC_SECRET: <encrypted base64 here>
pod.yaml file:
apiVersion: v1
kind: Pod
metadata:
  name: myproject
spec:
  containers:
    - name: myproject
      image: gcr.io/myproject/myproject:latest
      # project ID is valid here, don't bother on mock values
      env:
        - name: DB_HOST
          valueFrom:
            secretKeyRef:
              name: myproject
              key: DB_HOST
        - name: TYPEORM_DATABASE
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_DATABASE
        - name: TYPEORM_PASSWORD
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_PASSWORD
        - name: TYPEORM_USERNAME
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_USERNAME
        - name: STATIC_SECRET
          valueFrom:
            secretKeyRef:
              name: myproject
              key: STATIC_SECRET
  restartPolicy: Never
Answer 0 (score: 2)
I think you are mixing too many things, your old version and your new version. If your secrets are already set up, you don't need them at build time.
Try this, just deploy with the required steps (no substitutions, no secrets, no KMS):
steps:
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'bash'
    args: [
      '-c',
      'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:latest',
      '.'
    ]
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [ 'apply', '-f', '/' ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [
      'set',
      'image',
      'deployment',
      'myproject',
      'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
    ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
      - 'DB_PORT=5432'
      - 'DB_SCHEMA=public'
      - 'TYPEORM_CONNECTION=postgres'
      - 'FE=myproject'
      - 'V=1'
      - 'CLEAR_DB=true'
      - 'BUCKET_NAME=myproject'
      - 'BUCKET_TYPE=google'
      - 'KMS_KEY_NAME=storagekey'
timeout: 1600s
images:
  - 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  - 'gcr.io/$PROJECT_ID/myproject:latest'
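As an added illustration (not part of the question or the answer), a small Python lint run over a constructed, parsed copy of the question's config. It reproduces the two validation failures quoted above: the `secrets` block split into two list items (so item 0 has no secretEnv), a trailing comma that becomes part of a secretEnv name, and a substitution that no step references. The checks and the name lint_cloudbuild are hypothetical; this is not Cloud Build's validator.

```python
import re

def lint_cloudbuild(cfg: dict) -> list[str]:
    """Return problems found in a parsed cloudbuild.yaml (dict form, as a YAML
    loader would produce). Hypothetical checks modelled on the two Cloud Build
    errors quoted in the question; this is not Google's validator."""
    problems = []
    defined = set()
    for i, entry in enumerate(cfg.get("secrets") or []):
        if "kmsKeyName" not in entry:
            problems.append(f"secret {i}: missing kmsKeyName")
        env = entry.get("secretEnv")
        if not env:  # the question's `- kmsKeyName:` item lands here
            problems.append(f"secret {i}: defined without secretEnv")
        else:
            defined.update(env)
    steps = cfg.get("steps") or []
    for j, step in enumerate(steps):
        for name in step.get("secretEnv") or []:
            if name not in defined:  # catches a stray trailing comma such as "DB_HOST,"
                problems.append(f"step {j}: secretEnv {name!r} not defined under secrets")
    # Every substitution key must be referenced by a step, or the build is rejected.
    template = repr(steps)
    for key in cfg.get("substitutions") or {}:
        k = re.escape(key)
        if not re.search(r"\$(\{" + k + r"\}|" + k + r"\b)", template):
            problems.append(f"substitution {key!r} is not used by any step")
    return problems

KMS_KEY = "projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey"
STEPS = [{"name": "gcr.io/cloud-builders/kubectl",
          "args": ["set", "image", "deployment", "myproject"],
          "secretEnv": ["DB_HOST", "STATIC_SECRET"]}]

# Constructed parsed form of the question's file: `- kmsKeyName:` and `- secretEnv:`
# are two list items, one secretEnv entry carries a trailing comma, and the
# substitution is never referenced by a step.
BROKEN = {
    "steps": [dict(STEPS[0], secretEnv=["DB_HOST,", "STATIC_SECRET"])],
    "substitutions": {"_DB_HOST": "$DB_HOST"},
    "secrets": [{"kmsKeyName": KMS_KEY},
                {"secretEnv": {"DB_HOST": "<encrypted base64>",
                               "STATIC_SECRET": "<encrypted base64>"}}],
}
# Corrected shape: one secrets entry holding both keys, no unused substitution.
FIXED = {
    "steps": STEPS,
    "secrets": [{"kmsKeyName": KMS_KEY, "secretEnv": BROKEN["secrets"][1]["secretEnv"]}],
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_cloudbuild(cfg) or "OK")
```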