I have a Jenkins job that launches a pod with two containers on a K8s node. I have a custom Python script that fetches a temporary secret from a remote system and uses it to create a Secret in the namespace.
```python
from kubernetes import client, config

config.load_incluster_config()  # the script runs inside the pod (init container)
v1 = client.CoreV1Api()

def create_secret(body):
    # body is a V1Secret (or dict); its metadata.name is validated by the API server
    v1.create_namespaced_secret(namespace='default', body=body)
```
The container that generates this secret is an InitContainer. After the secret is created, the InitContainer is destroyed and my application container starts. Because my secret is temporary and this is a Jenkins job, I want to create the temporary Secret with a name derived from the Jenkins job's pod name, e.g. a secret name like "jenkins-slave-blablabla". After that I want to expose this secret to my application container inside the pod:
```yaml
containers:
  - name: "jnlp"
    env:
      - name: HOSTNAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: "TOKEN"
        valueFrom:
          secretKeyRef:
            name: "$(HOSTNAME)"
            key: "TOKEN"
```
But when I put the following snippet into the pod template in the Kubernetes plugin inside Jenkins, my Jenkins job does not start.
```yaml
- name: "TOKEN"
  valueFrom:
    secretKeyRef:
      name: "$(HOSTNAME)"
      key: "TOKEN"
```
The main problem is the Jenkins job and the Jenkins Kubernetes plugin: it cannot start the pod because envs cannot be passed into the template. I tried $HOSTNAME, $(HOSTNAME), ${HOSTNAME} and many other variations, but the job did not work. Every launch of the Jenkins job gets a new HOSTNAME, so the secret name must be new each time; I cannot use a static name for the secret.
I have the following template for the Kubernetes plugin (YAML merge strategy: merge):
```yaml
apiVersion: v1
kind: Pod
spec:
  securityContext:
    fsGroup: 65534
  initContainers:
    - name: "cred-prepare"
      image: XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/kubesdk:latest
      volumeMounts:
        - name: "secret-volume"
          mountPath: "script.py"
          subPath: "script.py"
      command:
        - "/bin/sh"
        - "-c"
        - |
          python3 script.py # Creating secret with name=HOSTNAME
  containers:
    - name: "jnlp"
      env:
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: "TOKEN"
          valueFrom:
            secretKeyRef:
              name: "$(HOSTNAME)"
              key: "TOKEN"
  volumes:
    - name: "secret-volume"
      secret:
        secretName: "secrets"
        items:
          - key: "script.py"
            path: "script.py"
```
Please let me know if it is possible to pass the secret variable directly from the InitContainer to the application container. Thanks.
I got additional logs from org.csanchez.jenkins.plugins.kubernetes:
```text
Error in provisioning; agent=KubernetesSlave name: k8s-slave-dispute-81rzs, template=PodTemplate{inheritFrom='', name='k8s-slave-dispute', namespace='default', hostNetwork=false, instanceCap=10, label='k8s-slave-dispute', serviceAccount='jenkins-slave', nodeSelector='', nodeUsageMode=EXCLUSIVE, workspaceVolume=EmptyDirWorkspaceVolume [memory=false], containers=[ContainerTemplate{name='jnlp', image='123123123123123.dkr.ecr.us-east-1.amazonaws.com/jnlp2:latest', workingDir='/home/jenkins/agent', command='', args='', ttyEnabled=true, resourceRequestCpu='', resourceRequestMemory='', resourceLimitCpu='', resourceLimitMemory='', livenessProbe=org.csanchez.jenkins.plugins.kubernetes.ContainerLivenessProbe@2cb36d87}]}
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://12312312312312312312312.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/default/pods. Message: Pod "k8s-slave-dispute-81rzs" is invalid: spec.containers[0].env[3].valueFrom.secretKeyRef.name: Invalid value: "$(JENKINS_NAME)": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'). Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.containers[0].env[3].valueFrom.secretKeyRef.name, message=Invalid value: "$(JENKINS_NAME)": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), reason=FieldValueInvalid, additionalProperties={})], group=null, kind=Pod, name=k8s-slave-dispute-81rzs, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=Pod "k8s-slave-dispute-81rzs" is invalid: spec.containers[0].env[3].valueFrom.secretKeyRef.name: Invalid value: "$(JENKINS_NAME)": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).
```
The Kubernetes plugin cannot pass the ENV into the pod template:

```text
Invalid value: "$(JENKINS_NAME)": a DNS-1123 subdomain must consist of lower case alphanumeric characters
```

The env JENKINS_NAME holds the pod hostname.
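The 422 in the log above is the API server validating `secretKeyRef.name` as a literal string: Kubernetes only expands `$(VAR)` references in `env[].value`, `command` and `args`, never in a `secretKeyRef.name`, so "$(JENKINS_NAME)" is rejected by the DNS-1123 regex the error quotes. The following is an added example (not the poster's script.py and not from the Jenkins Kubernetes plugin) of what the init-container side can do instead: derive the Secret name from the pod name, check it client-side against the same regex before calling the API, and attach an ownerReference so the ephemeral credential is garbage-collected with the agent pod rather than accumulating in the namespace. It assumes the pod name and UID are injected into the init container as `POD_NAME` and `POD_UID` via the downward API (`fieldRef: metadata.name` / `metadata.uid`) and the fetched token as `TEMP_TOKEN`; all three names are placeholders chosen here.

```python
import re

# Regex copied from the API server's 422 response above (DNS-1123 subdomain).
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)
DNS1123_MAX_LEN = 253  # Kubernetes length limit for a subdomain name


def is_dns1123_subdomain(name):
    """Mirror the server-side check so a bad Secret name fails fast in the init container."""
    return 0 < len(name) <= DNS1123_MAX_LEN and DNS1123_SUBDOMAIN.match(name) is not None


def build_secret_body(pod_name, pod_uid, token):
    """Build a Secret named after the pod and owned by it.

    The ownerReference makes the cluster delete the Secret when the agent pod
    goes away, so a per-job credential never outlives the job that minted it.
    """
    if not is_dns1123_subdomain(pod_name):
        raise ValueError(f"{pod_name!r} is not a valid DNS-1123 subdomain; "
                         "$(VAR) is not expanded in secretKeyRef.name")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": pod_name,
            "ownerReferences": [{
                "apiVersion": "v1",
                "kind": "Pod",
                "name": pod_name,
                "uid": pod_uid,
            }],
        },
        "stringData": {"TOKEN": token},
    }


def create_secret(body, namespace="default"):
    """Submit the Secret from inside the init container (needs the kubernetes client)."""
    from kubernetes import client, config  # imported lazily so the builder is testable offline
    config.load_incluster_config()
    return client.CoreV1Api().create_namespaced_secret(namespace=namespace, body=body)


if __name__ == "__main__":
    import os
    # Assumed env names (not from the original post): POD_NAME and POD_UID come from
    # the downward API, TEMP_TOKEN from the poster's remote-system fetch.
    pod_name = os.environ["POD_NAME"]
    pod_uid = os.environ["POD_UID"]
    token = os.environ["TEMP_TOKEN"]
    create_secret(build_secret_body(pod_name, pod_uid, token))
```

The client-side check rejects "$(HOSTNAME)" and "$(JENKINS_NAME)" for the same reason the API server does, and accepts the real pod name such as k8s-slave-dispute-81rzs. A per-pod Secret still cannot be referenced from the jnlp container's `secretKeyRef`, because that field is fixed at template time; if the value only needs to reach the sibling container, an `emptyDir` volume (with `medium: Memory` to keep it off disk) mounted in both the init container and the jnlp container carries it without creating any Secret object at all.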