kubernetes - How do I pass environment variables in an envconsul configuration file?

Reposted. Author: 行者123. Updated: 2023-12-02 11:39:25

I read this in the envconsul documentation:

For additional security, tokens may also be read from the environment using the CONSUL_TOKEN or VAULT_TOKEN environment variables respectively. It is highly recommended that you do not put your tokens in plain-text in a configuration file.

So I have this envconsul.hcl file:

# the settings to connect to vault server
# "http://10.0.2.2:8200" is the Vault's address on the host machine when using Minikube
vault {
  address     = "${env(VAULT_ADDR)}"
  renew_token = false
  retry {
    backoff = "1s"
  }
  token = "${env(VAULT_TOKEN)}"
}

# the settings to find the endpoint of the secrets engine
secret {
  no_prefix = true
  path      = "secret/app/config"
}

But I get this error:

[WARN] (view) vault.read(secret/app/config): vault.read(secret/app/config): Get $%7Benv%28VAULT_ADDR%29%7D/v1/secret/app/config: unsupported protocol scheme "" (retry attempt 1 after "1s")

As far as I understand, it cannot do variable substitution.
I tried setting "http://10.0.2.2:8200" directly and that works.

The same goes for the VAULT_TOKEN variable.
If I hard-code VAULT_ADDR, I get this error:

[WARN] (view) vault.read(secret/app/config): vault.read(secret/app/config): Error making API request.

URL: GET http://10.0.2.2:8200/v1/secret/app/config
Code: 403. Errors:

* permission denied (retry attempt 2 after "2s")

Is there a way for this file to understand environment variables?

Edit 1: here is my pod.yml file

---
apiVersion: v1
kind: Pod
metadata:
  name: sample
spec:
  serviceAccountName: vault-auth

  restartPolicy: Never

  # Add the ConfigMap as a volume to the Pod
  volumes:
    - name: vault-token
      emptyDir:
        medium: Memory
    # Populate the volume with config map data
    - name: config
      configMap:
        # `name` here must match the name
        # specified in the ConfigMap's YAML
        # -> kubectl create configmap vault-cm --from-file=./vault-configs/
        name: vault-cm
        items:
          - key: vault-agent-config.hcl
            path: vault-agent-config.hcl
          - key: envconsul.hcl
            path: envconsul.hcl

  initContainers:
    # Vault container
    - name: vault-agent-auth
      image: vault

      volumeMounts:
        - name: vault-token
          mountPath: /home/vault
        - name: config
          mountPath: /etc/vault

      # This assumes Vault running on local host and K8s running in Minikube using VirtualBox
      env:
        - name: VAULT_ADDR
          value: http://10.0.2.2:8200

      # Run the Vault agent
      args:
        [
          "agent",
          "-config=/etc/vault/vault-agent-config.hcl",
          "-log-level=debug",
        ]

  containers:
    - name: python
      image: myappimg
      imagePullPolicy: Never
      ports:
        - containerPort: 5000
      volumeMounts:
        - name: vault-token
          mountPath: /home/vault
        - name: config
          mountPath: /etc/envconsul
      env:
        - name: HOME
          value: /home/vault
        - name: VAULT_ADDR
          value: http://10.0.2.2:8200

Best answer

I. Set the environment variables in the container spec (values in double quotes):

env:
  - name: VAULT_TOKEN
    value: "abcd1234"
  - name: VAULT_ADDR
    value: "http://10.0.2.2:8200"

Then reference the values in envconsul.hcl:

vault {
  address     = ${VAULT_ADDR}
  renew_token = false
  retry {
    backoff = "1s"
  }
  token = ${VAULT_TOKEN}
}

II. Another option is to unseal the Vault cluster (using the unseal key printed when the Vault cluster was initialized):

$ vault operator unseal

and then authenticate to the Vault cluster with the root token:

$ vault login <your-generated-root-token>

More details
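An added example, not part of the question or of the answer above, that ties together the documentation note quoted in the question (the token is read from VAULT_TOKEN rather than from the config file) and option I of the answer: a small POSIX sh pre-flight for the container's entrypoint. It writes an envconsul.hcl that carries no address and no token at all, so envconsul falls back to VAULT_ADDR and VAULT_TOKEN from its environment, and it checks, before envconsul starts, that both variables actually arrived and that no unexpanded ${...} placeholder was left in the config. The config path, the function names and the sample token are assumptions of this example; the secret block repeats the one from the question.

```shell
#!/bin/sh
# Added example (not the question's or the answer's code). Assumes the
# pod spec exports VAULT_ADDR and VAULT_TOKEN into the container and that
# envconsul.hcl deliberately omits both, so envconsul reads them from the
# environment instead of from plain text in a file.

# Write an envconsul.hcl with no credentials in it. $1 is the output path
# (caller's choice). The secret block mirrors the one in the question.
write_envconsul_config() {
    cat > "$1" <<'EOF'
# No "address" and no "token" here: envconsul takes them from the
# VAULT_ADDR and VAULT_TOKEN environment variables.
vault {
  renew_token = false
  retry {
    backoff = "1s"
  }
}

secret {
  no_prefix = true
  path      = "secret/app/config"
}
EOF
}

# Return 0 if the environment and the config file look sane, 1 otherwise.
# Catches the two failures seen in the question:
#   - an unexpanded "${...}" placeholder left in the config, which envconsul
#     passes through literally (giving "unsupported protocol scheme" for the
#     address, or a 403 for a token that is really the string "${env(...)}")
#   - a missing or scheme-less VAULT_ADDR, or an empty VAULT_TOKEN
preflight() {
    cfg=$1
    [ -r "$cfg" ] || { echo "preflight: config $cfg is not readable" >&2; return 1; }
    if grep -qF '${' "$cfg"; then
        echo "preflight: $cfg contains an unexpanded \${...} placeholder; envconsul does not interpolate environment variables in its config" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*token[[:space:]]*=' "$cfg"; then
        echo "preflight: $cfg carries a plain-text token; remove it and supply VAULT_TOKEN instead" >&2
        return 1
    fi
    case "$VAULT_ADDR" in
        http://*|https://*) ;;
        *) echo "preflight: VAULT_ADDR must be an http(s) URL, got '${VAULT_ADDR:-<unset>}'" >&2; return 1 ;;
    esac
    [ -n "$VAULT_TOKEN" ] || { echo "preflight: VAULT_TOKEN is empty" >&2; return 1; }
    return 0
}

# Typical entrypoint use (assumed paths; not executed when the file is sourced):
#   write_envconsul_config /etc/envconsul/envconsul.hcl
#   preflight /etc/envconsul/envconsul.hcl && exec envconsul -config=/etc/envconsul/envconsul.hcl ./app
```

Run as the container's entrypoint, this turns the two errors in the question (unsupported protocol scheme "" from a literal ${env(VAULT_ADDR)}, then 403 permission denied from a literal ${env(VAULT_TOKEN)}) into an immediate, explicit failure with a message that names the cause. On the Kubernetes side, the token itself is better injected with valueFrom.secretKeyRef from a Secret than written as a literal value: in the pod manifest, so that it appears in plain text in neither the config file nor the pod spec.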

For "kubernetes - How do I pass environment variables in an envconsul configuration file?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57178398/
