Kubernetes - How to dynamically refresh secrets without restarting the Pod

Time: 2020-09-04 18:13:23

Tags: nginx kubernetes hashicorp-vault pod

I have a kubernetes cluster with Vault installed (via a Helm chart).

I want to populate secrets from Vault into a file in a Pod (e.g. nginx), and refresh the secrets every 5 minutes.

I tested it with the following configuration (with the appropriate Vault policy / auth backend):

namespace.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: web

Service_account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx
  namespace: web
secrets:
- name: nginx

nginx-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: web
  labels:
    app: nginx
    run: nginx
    version: vault-injector
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
      version: vault-injector
  template:
    metadata:
      labels:
        app: nginx
        run: nginx
        version: vault-injector
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "nginx"
        #vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-inject-secret-nginx.pass: "infrastructure/nginx/"
    spec:
      serviceAccountName: nginx
      containers:
        - name: nginx
          image: nginx
          ports:
            - name: http
              containerPort: 80

When I apply this configuration to my kubernetes cluster, the deployment is created and my secrets are populated into /vault/secrets/nginx.pass (as expected).

kubectl exec -it pod/nginx-69955d8744-v9jm2 -n web -- cat /vault/secrets/nginx.pass
Password1: MySecretPassword1
Password2: MySecretPassword2

I tried to update the kv and add a password on the nginx kv, but my Pod does not refresh the file at /vault/secrets/nginx.pass. If I restart, my secrets are populated.

Is it possible to refresh the kv dynamically? What is the best way to do it? I want to use Vault as a configuration manager and be able to modify the kv without restarting the Pod.

1 answer:

Answer 0 (score: 2)

You can define a TTL on a kv secret by specifying a TTL value. For example:

vault kv put infrastructure/nginx ttl=1m Password1=PasswordUpdated1 Password2=PasswordUpdated2

will invalidate your infrastructure/nginx secret every minute. The Vault sidecar will automatically check for new values and refresh the file in your Pod.

root@LAP-INFO-28:/mnt/c/Users/cmonsieux/Desktop/IAC/kubernetes/yaml/simplePod# k logs nginx-69955d8744-mwhmf vault-agent -n web
    renewal process
    2020-09-06T07:16:42.867Z [INFO]  sink.file: token written: path=/home/vault/.vault-token
    2020-09-06T07:16:42.867Z [INFO]  template.server: template server received new token
    2020/09/06 07:16:42.867793 [INFO] (runner) stopping
    2020/09/06 07:16:42.867869 [INFO] (runner) creating new runner (dry: false, once: false)
    2020/09/06 07:16:42.868051 [INFO] (runner) creating watcher
    2020/09/06 07:16:42.868101 [INFO] (runner) starting
    2020-09-06T07:16:42.900Z [INFO]  auth.handler: renewed auth token
    2020/09/06 07:18:26.268835 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
    2020/09/06 07:19:18.810479 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
    2020/09/06 07:24:41.189868 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
    2020/09/06 07:25:36.095547 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
    2020/09/06 07:29:11.479051 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
    2020/09/06 07:31:00.715215 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
root@LAP-INFO-28:/mnt/c/Users/cmonsieux/Desktop/IAC/kubernetes/yaml/simplePod# k exec -it pod/nginx-69955d8744-mwhmf -n web -- cat /vault/secrets/nginx.pass
Password1: PasswordUpdated1
Password2: PasswordUpdated2
ttl: 1m
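The answer's `kubectl logs ... vault-agent` output is the place to confirm that the refresh is actually happening, and the `cat` output shows a side effect worth knowing about: because the TTL is stored as an ordinary kv field, the default template renders `ttl: 1m` into the secret file alongside the real passwords. The script below is an added example, not code from the question or the answer and not part of the Vault Agent injector; it parses the two log line formats visible in the answer (the `(runner) rendered ... => ...` lines and the `auth.handler: renewed auth token` line), parses the rendered file while separating the `ttl` field from the secrets, and summarizes how often the file was rewritten. The sample log and sample rendered file are constructed inline with the timestamps and values from the answer; the duration parser only understands Go-style `h`/`m`/`s` units, which is a simplification. In practice you would feed it the output of `kubectl logs <pod> vault-agent -n web` and `kubectl exec ... -- cat /vault/secrets/nginx.pass`.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the vault-agent sidecar log lines quoted in
# the answer (same formats and timestamps as on the page).
SAMPLE_LOG = '''\
2020-09-06T07:16:42.867Z [INFO]  sink.file: token written: path=/home/vault/.vault-token
2020-09-06T07:16:42.867Z [INFO]  template.server: template server received new token
2020/09/06 07:16:42.867793 [INFO] (runner) stopping
2020/09/06 07:16:42.867869 [INFO] (runner) creating new runner (dry: false, once: false)
2020/09/06 07:16:42.868051 [INFO] (runner) creating watcher
2020/09/06 07:16:42.868101 [INFO] (runner) starting
2020-09-06T07:16:42.900Z [INFO]  auth.handler: renewed auth token
2020/09/06 07:18:26.268835 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:19:18.810479 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:24:41.189868 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:25:36.095547 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:29:11.479051 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
2020/09/06 07:31:00.715215 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/nginx.pass"
'''

# Constructed sample of the rendered file, matching the `cat /vault/secrets/nginx.pass`
# output in the answer. The ttl key lands in the file because the default template
# renders every field of the kv secret.
SAMPLE_RENDERED = '''\
Password1: PasswordUpdated1
Password2: PasswordUpdated2
ttl: 1m
'''

# consul-template style runner line: "YYYY/MM/DD HH:MM:SS.ffffff [INFO] (runner) rendered ..."
RENDER_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[INFO\] \(runner\) rendered '
    r'"(?P<template>[^"]*)" => "(?P<dest>[^"]+)"$'
)
# hclog style line: "YYYY-MM-DDTHH:MM:SS.fffZ [INFO]  auth.handler: renewed auth token"
TOKEN_RE = re.compile(r'^(?P<ts>\S+Z) \[INFO\]\s+auth\.handler: renewed auth token$')

# Simplified Go duration parser (assumption: only h/m/s units, e.g. "1m", "30s", "1h30m").
DURATION_RE = re.compile(r"(\d+)([hms])")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert a Go-style duration string to seconds; reject anything else."""
    text = text.strip()
    parts = DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_rendered(text):
    """Split the rendered 'key: value' file into real secrets and the ttl field (seconds)."""
    secrets, ttl = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "ttl":
            ttl = parse_duration(value)   # metadata, not a secret a consumer should use
        else:
            secrets[key] = value
    return secrets, ttl


def parse_events(text):
    """Return (kind, timestamp, destination) tuples for render and token-renewal lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()               # tolerate pasted / indented log output
        m = RENDER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            events.append(("render", ts, m.group("dest")))
            continue
        m = TOKEN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append(("token_renewed", ts, None))
    return events


def render_intervals(events, dest):
    """Seconds between consecutive renders of `dest`. The agent re-fetches every TTL but
    only rewrites the file when the value changed, so gaps longer than the TTL are normal."""
    times = [ts for kind, ts, d in events if kind == "render" and d == dest]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def summarize(log_text, rendered_text, dest="/vault/secrets/nginx.pass"):
    """Combine both inputs into one refresh report for the given rendered path."""
    events = parse_events(log_text)
    secrets, ttl = parse_rendered(rendered_text)
    renders = [e for e in events if e[0] == "render" and e[2] == dest]
    intervals = render_intervals(events, dest)
    return {
        "secret_keys": sorted(secrets),
        "ttl_seconds": ttl,
        "render_count": len(renders),
        "token_renewals": sum(1 for e in events if e[0] == "token_renewed"),
        "last_render": renders[-1][1].isoformat() if renders else None,
        "min_interval": min(intervals) if intervals else None,
        "max_interval": max(intervals) if intervals else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, SAMPLE_RENDERED).items():
        print(f"{key}: {value}")
```

Two things the report makes visible: the file was rewritten six times in about thirteen minutes at irregular intervals (52 s up to 322 s), which is what you expect when the agent polls every TTL and rewrites only on change, and the consumer of the file should read the password keys only and treat `ttl` as metadata, or use an `agent-inject-template` that renders just the fields the application needs.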