Google Cloud Storage returns 401 from a Spring application deployed on GKE after setting GOOGLE_APPLICATION_CREDENTIALS

Question  votes: 0  answers: 1

I have a Spring application that pushes data to Google Cloud Storage. I generated a new service account JSON file and used it while testing on Windows. Everything works fine.

Then I dockerised my application and tried to deploy it on Kubernetes. To connect the dockerised application to Cloud Storage, I created a secret from the service account JSON file:

kubectl create secret generic cloud-storage-credentials \
 --from-file=cloudstorage.json=cloud-storage-credentials.json

Then I mount the cloud storage file in the deployment file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: "{{ include "m-ebook.name" . }}-deployment"
  labels:
    app: {{ include "m-ebook.name" . }}
    tier: backend
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ include "m-ebook.name" . }}
      tier: backend
  template:
    metadata:
      labels:
        app: {{ include "m-ebook.name" . }}
        tier: backend
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          env:
            #Cloud storage
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/cloudstorage.json
            #Cloud sql
            - name: DB_HOST
              value: 127.0.0.1:3306
            # These secrets are required to start the pod.
            # [START cloudsql_secrets]
            # The db name is set directly in the back end propeties files
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: cloudsql-db-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cloudsql-db-credentials
                  key: password
        #Rabbitmq cookie erlang (needed to connect to rabbitmq)
            - name: RABBITMQ_ERLANG_COOKIE
              valueFrom:
                secretKeyRef:
                  name: rabbitmq
                  key: erlangCookie
          # [END cloudsql_secrets]
        # Change <INSTANCE_CONNECTION_NAME> here to include your GCP
        # project, the region of your Cloud SQL instance and the name
        # of your Cloud SQL instance. The format is
        # $PROJECT:$REGION:$INSTANCE
        # [START proxy_container]
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy",
                  "-instances=gara-261618:europe-west1:gara-postgresql-server=tcp:3306",
                  "-credential_file=/secrets/cloudsql/credentials.json"]
          # [START cloudsql_security_context]
          securityContext:
            runAsUser: 2  # non-root user
            allowPrivilegeEscalation: false
          # [END cloudsql_security_context]
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
            - name: cloud-storage-credentials-volume
              mountPath: /var/secrets/google
              readOnly: true
        # [END proxy_container]
          ports:
            - name: http
              containerPort: {{ .Values.service.internalPort }}
              protocol: TCP
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
      imagePullSecrets: 
        - name: registry-gitlab-secrets
      # [START volumes]
      volumes:
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials
        - name: cloud-storage-credentials-volume
          secret: #The name of the secret as defined in create secret generic cloud-storage-credentials
            secretName: cloud-storage-credentials
      # [END volumes]

EDIT: the secret is the file generated by Google, which looks like:

{
  "type": "service_account",
  "project_id": "myproject-261618",
  "private_key_id": "3d1625a7428367cfb274251",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgk...Z7XSQik\nYWSPGLxNDlopi+DLDzzHvJtO\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "1023295593410734556",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/name%40nameofmyproject.iam.gserviceaccount.com"
}

I don't know why, but when I call my service I get a 401 from Google. Can you tell me what I did wrong? I exec'd into the container, and when I type echo $GOOGLE_APPLICATION_CREDENTIALS I get /var/secrets/google/cloudstorage.json, but when I try cat /var/secrets/google/cloudstorage.json I get a file not found exception. Is this normal?

Thanks in advance

spring-boot kubernetes google-cloud-storage google-kubernetes-engine kubernetes-helm
1 answer
0 votes

By default, every key in the Secret gets a separate file in the mount folder: https://kubernetes.io/docs/concepts/configuration/secret/#consuming-secret-values-from-volumes

Run ls /var/secrets/google to see the structure.

You can also change the secret structure to get the whole secret in a single file.
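The answer's point (one file per Secret key under the mountPath) is worth checking mechanically, because in the Deployment posted above the cloud-storage-credentials-volume is mounted only in the cloudsql-proxy container while the application container, which reads GOOGLE_APPLICATION_CREDENTIALS, has no volumeMounts at all. The following Python is an added example, not code from the question or answer: it models the key-to-file rule for Secret volumes (including the optional items remapping and subPath) and reports any container whose GOOGLE_APPLICATION_CREDENTIALS path is not actually exposed by one of its own mounts. The deployment dict is a hand-constructed, trimmed copy of the asker's manifest (Helm expressions replaced by literal strings), and the key name credentials.json for the cloudsql secret is an assumption taken from the proxy's -credential_file flag.

```python
"""Static check: does every container that points GOOGLE_APPLICATION_CREDENTIALS
at a file really mount a Secret volume that exposes that file?

Added example for this Q&A page; not code from the original post.
"""
import copy
import posixpath

ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"

# Constructed sample: keys of each Secret as created with
# `kubectl create secret generic <name> --from-file=<key>=<file>`.
# The cloudsql key name is an assumption (not stated on the page).
SECRET_KEYS = {
    "cloud-storage-credentials": {"cloudstorage.json"},
    "cloudsql-instance-credentials": {"credentials.json"},
}

# Constructed sample mirroring the asker's Deployment: the credentials
# volume is mounted only in the cloudsql-proxy container.
DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [
            {
                "name": "m-ebook",
                "env": [{"name": ENV_NAME,
                         "value": "/var/secrets/google/cloudstorage.json"}],
                # no volumeMounts at all
            },
            {
                "name": "cloudsql-proxy",
                "volumeMounts": [
                    {"name": "cloudsql-instance-credentials",
                     "mountPath": "/secrets/cloudsql", "readOnly": True},
                    {"name": "cloud-storage-credentials-volume",
                     "mountPath": "/var/secrets/google", "readOnly": True},
                ],
            },
        ],
        "volumes": [
            {"name": "cloudsql-instance-credentials",
             "secret": {"secretName": "cloudsql-instance-credentials"}},
            {"name": "cloud-storage-credentials-volume",
             "secret": {"secretName": "cloud-storage-credentials"}},
        ],
    }}},
}


def _files_under_mount(mount, volumes, secret_keys):
    """Absolute file paths a volumeMount of a Secret volume exposes.

    Default rule: every key becomes one file named after the key directly
    under mountPath. `items` remaps selected keys to relative paths, and
    `subPath` mounts a single entry at mountPath itself.
    """
    vol = next((v for v in volumes if v["name"] == mount["name"]), None)
    if vol is None or "secret" not in vol:
        return set()  # not a Secret volume; not modelled here
    keys = secret_keys.get(vol["secret"]["secretName"], set())
    items = vol["secret"].get("items")
    if items:
        names = {it["path"] for it in items if it["key"] in keys}
    else:
        names = set(keys)
    if mount.get("subPath"):
        return {mount["mountPath"]} if mount["subPath"] in names else set()
    return {posixpath.join(mount["mountPath"], n) for n in names}


def check_credentials_mounts(deployment, secret_keys=SECRET_KEYS):
    """Return (container, problem) pairs; an empty list means every
    GOOGLE_APPLICATION_CREDENTIALS path is backed by a mounted Secret key."""
    pod = deployment["spec"]["template"]["spec"]
    volumes = pod.get("volumes", [])
    problems = []
    for c in pod["containers"]:
        wanted = [e["value"] for e in c.get("env", [])
                  if e.get("name") == ENV_NAME and "value" in e]
        exposed = set()
        for m in c.get("volumeMounts", []):
            exposed |= _files_under_mount(m, volumes, secret_keys)
        for path in wanted:
            if path not in exposed:
                problems.append((c["name"], f"{ENV_NAME}={path} is not exposed "
                                            "by any volumeMount of this container"))
    return problems


def mount_volume_in_container(deployment, container, volume, mount_path):
    """Return a copy of the deployment with `volume` mounted read-only at
    `mount_path` in `container`; the original dict is left untouched."""
    fixed = copy.deepcopy(deployment)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container:
            c.setdefault("volumeMounts", []).append(
                {"name": volume, "mountPath": mount_path, "readOnly": True})
    return fixed


if __name__ == "__main__":
    for name, why in check_credentials_mounts(DEPLOYMENT):
        print(f"{name}: {why}")
    fixed = mount_volume_in_container(
        DEPLOYMENT, "m-ebook", "cloud-storage-credentials-volume", "/var/secrets/google")
    print("after adding the mount to the app container:",
          check_credentials_mounts(fixed) or "OK")
```

On the constructed manifest the check flags only the m-ebook container; adding the volumeMount there (and nothing else) clears it, which matches what the asker observed inside the pod: the environment variable is set but the path does not exist in that container. Mounting the volume read-only and only into the container that needs it keeps the key off the proxy container, which has no use for it.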
