Kubernetes deployment file: injecting environment variables from a pre-start script

Time: 2019-12-01 16:45:20

Tags: kubernetes

I have an Elixir application that connects to Postgres through the SQL proxy.

Here is the deployment.yaml I deploy on Kubernetes, and it works well. The PostgreSQL connection password and username used by the image come from environment variables in the yaml:

apiVersion: extensions/v1beta1   # removed in Kubernetes 1.16; apps/v1 additionally requires a spec.selector
kind: Deployment
metadata:
  name: my-app
  namespace: production
spec:
  replicas: 1
  revisionHistoryLimit: 1
  strategy:
      type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-app
        tier: backend
    spec:
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      containers:
      - name: my-app
        image: my-image:1.0.1
        volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
          readOnly: true
        - name: config-volume   # mounted here but not declared under volumes below; its source is not shown in the post
          mountPath: /beamconfig
        ports:
        - containerPort: 80
        args:
          - foreground
        env:
        - name: POSTGRES_HOSTNAME
          value: localhost
        - name: POSTGRES_USERNAME
          value: postgres
        - name: POSTGRES_PASSWORD
          value: "123456"   # env values must be strings; an unquoted number is rejected by the API server
        # proxy_container
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.11
        command: ["/cloud_sql_proxy", "--dir=/cloudsql",
            "-instances=my-project:region:my-postgres-instance=tcp:5432",
            "-credential_file=/secrets/cloudsql/credentials.json"]
        volumeMounts:
          - name: cloudsql-instance-credentials
            mountPath: /secrets/cloudsql
            readOnly: true
          - name: cloudsql
            mountPath: /cloudsql
      # volumes
      volumes:
      - name: secrets-volume
        secret:
          secretName: gcloud-json
      - name: cloudsql-instance-credentials
        secret:
          secretName: cloudsql-instance-credentials
      - name: cloudsql
        emptyDir: {}

Now, because of a security requirement, I want to encrypt the sensitive environment variables and decrypt them with a script.
My yaml file would then look like this:

env:
- name: POSTGRES_HOSTNAME
  value: localhost
- name: ENCRYPTED_POSTGRES_USERNAME
  value: hgkdhrkhgrk
- name: ENCRYPTED_POSTGRES_PASSWORD
  value: fkjeshfke

Then I have a script that runs over all environment variables with the prefix ENCRYPTED_, decrypts them, and inserts the decrypted value into an environment variable without the ENCRYPTED_ prefix.

Is there a way to do this?
The environment variables should be injected before the image starts running.
Another requirement is that the Pod running the image is the one that decrypts the variables, because it is the only one with permission to do so (using Workload Identity). Like this:

- command:
  - sh
  - /decrypt_and_inject_environments.sh

0 answers:

No answers