使用单个卷从机密或configmap挂载多个文件

时间:2020-01-22 08:06:27

标签: kubernetes kubernetes-secrets

我使用一个秘密来存储多个数据项,如下所示:

apiVersion: v1
kind: Secret
metadata:
  name: my-certs
  namespace: my-namespace
data:
  keystore.p12: LMNOPQRSTUV
  truststore.p12: ABCDEFGHIJK

在我的Deployment中,将它们装入如下文件:

volumeMounts:
- mountPath: /app/truststore.p12
    name: truststore-secret
    subPath: truststore.p12
- mountPath: /app/keystore.p12
    name: keystore-secret
    subPath: keystore.p12
volumes:
- name: truststore-secret
secret:
    items:
    - key: truststore.p12
    path: truststore.p12
    secretName: my-certs
- name: keystore-secret
secret:
    items:
    - key: keystore.p12
    path: keystore.p12
    secretName: my-certs

这可以按预期工作,但是我想知道是否可以通过将Yaml较少的文件装入这两个秘密而获得相同的结果?例如,volumes使用items,但我不知道如何将一个卷与多个items一起使用并将它们装入。

1 个答案:

答案 0 :(得分:1)

是的,您可以使用Projected Volume来减少yaml。

当前,可以投影secretconfigMapdownwardAPIserviceAccountToken的卷。

TL; DR在您的Deployment中使用此结构: 

spec:
  containers:
  - name: {YOUR_CONTAINER_NAME}
    volumeMounts:
    - name: multiple-secrets-volume
      mountPath: "/app"
      readOnly: true
  volumes:
  - name: multiple-secrets-volume
    projected:
      sources:
      - secret:
          name: my-certs

这是您案件的完整复制品,首先我注册了您的my-certs秘密:

user@minikube:~/secrets$ kubectl get secret my-certs -o yaml
apiVersion: v1
data:
  keystore.p12: TE1OT1BRUlNUVVY=
  truststore.p12: QUJDREVGR0hJSks=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"keystore.p12":"TE1OT1BRUlNUVVY=","truststore.p12":"QUJDREVGR0hJSks="},"kind":"Secret","metadata":{"annotations":{},"name":"my-certs","namespace":"default"}}
  creationTimestamp: "2020-01-22T10:43:51Z"
  name: my-certs
  namespace: default
  resourceVersion: "2759005"
  selfLink: /api/v1/namespaces/default/secrets/my-certs
  uid: d785045c-2931-434e-b6e1-7e090fdd6ff4

然后创建一个pod来测试对secret的访问,这是projected.yaml

user@minikube:~/secrets$ cat projected.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: test-projected-volume
spec:
  containers:
  - name: test-projected-volume
    image: busybox
    args:
    - sleep
    - "86400"
    volumeMounts:
    - name: multiple-secrets-volume
      mountPath: "/app"
      readOnly: true
  volumes:
  - name: multiple-secrets-volume
    projected:
      sources:
      - secret:
          name: my-certs

user@minikube:~/secrets$ kubectl apply -f projected.yaml 
pod/test-projected-volume created

然后测试了对密钥的访问:

user@minikube:~/secrets$ kubectl exec -it test-projected-volume -- /bin/sh
/ # ls
app   bin   dev   etc   home  proc  root  sys   tmp   usr   var
/ # cd app
/app # ls
keystore.p12    truststore.p12
/app # cat keystore.p12 
LMNOPQRSTUV/app # 
/app # cat truststore.p12 
ABCDEFGHIJK/app # 
/app # exit

您可以根据需要选择使用带有多个数据行的单个secret,也可以在以下模型中使用部署基础中的许多机密信息:

    volumeMounts:
    - name: all-in-one
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: SECRET_1
      - secret:
          name: SECRET_2
相关问题
最新问题