kubernetes
secret 으로 값 전달
misankim
2023. 3. 9. 22:31
secret 으로 값 전달
# secret 을 파드에 파일로 사용
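# Opaque Secret with two keys. Indentation restored so the manifest parses.
# The values under `data` are base64-encoded, not encrypted: anyone who can
# read this manifest or `get` the Secret can decode them. Keep real values
# out of version control and limit RBAC access to Secrets.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm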
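---
# Pod that mounts every key of `mysecret` as a file under /etc/foo.
# Indentation restored so the manifest parses.
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod
spec:
  containers:
    - name: mycontainer
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true
  volumes:
    - name: foo
      secret:
        # Each key becomes one file, readable by any container user under
        # the default file mode (0644). Set `defaultMode` on this volume to
        # tighten it if the process's user can still read the files.
        # Anyone allowed to `kubectl exec` into the pod can read them too,
        # so pods/exec permission matters as much as Secret read access.
        secretName: mysecret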
## 확인
➜ [test123] kubectl exec -it secret-volume-pod -- ls -al /etc/foo
total 4
drwxrwxrwt 3 root root 120 May 23 08:38 .
drwxr-xr-x 1 root root 4096 May 23 08:38 ..
drwxr-xr-x 2 root root 80 May 23 08:38 ..2022_05_23_08_38_45.645443838
lrwxrwxrwx 1 root root 31 May 23 08:38 ..data -> ..2022_05_23_08_38_45.645443838
lrwxrwxrwx 1 root root 15 May 23 08:38 password -> ..data/password
lrwxrwxrwx 1 root root 15 May 23 08:38 username -> ..data/username
➜ [test123] kubectl exec -it secret-volume-pod -- cat /etc/foo/username
admin%
➜ [test123] kubectl exec -it secret-volume-pod -- cat /etc/foo/password
1f2d1e2e67df%
# secret 을 파드에 파일로 사용(특정 하위 경로로 지정)
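# Same Opaque Secret as in the previous example (indentation restored).
# base64 under `data` is an encoding only; confidentiality depends on RBAC
# and on encryption at rest being enabled for Secrets in the cluster.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm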
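---
# Pod that projects only the `username` key, at a chosen relative path.
# Indentation restored so the manifest parses.
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod-path
spec:
  containers:
    - name: mycontainer
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        # With `items`, only the listed keys are projected; `password` is
        # not mounted into this pod. Listing just the keys a container
        # needs keeps the rest of the Secret out of its filesystem.
        items:
          - key: username
            # Relative to mountPath: /etc/foo/my-group/my-username.
            # The file is created with the default mode 0644 unless
            # `mode` (per item) or `defaultMode` (per volume) is set.
            path: my-group/my-username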
## 확인
➜ [test123] kubectl exec -it secret-volume-pod-path -- ls -al /etc/foo/my-group/my-username
-rw-r--r-- 1 root root 5 May 23 08:38 /etc/foo/my-group/my-username
➜ [test123] kubectl exec -it secret-volume-pod-path -- cat /etc/foo/my-group/my-username
admin%
# secret 을 파드에 파일로 사용(특정 경로로 파일 위치까지 정확히 지정)
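# Argo Rollout excerpt: mounts one Secret key as a single file at an exact
# path. Indentation restored; the page's `...` elisions are kept as comments
# because a bare `...` is YAML's document-end marker.
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: api
spec:
  # ... (elided on the page; the pod spec below is assumed to sit under
  # spec.template, as in a Deployment)
  template:
    spec:
      terminationGracePeriodSeconds: 30
      # `serviceAccount` is the deprecated alias of `serviceAccountName`.
      serviceAccount: api
      containers:
        - name: api
          image: asia-northeast3-docker.pkg.dev/my-project-id/my-workload/api:1.0
          imagePullPolicy: Always
          # ... (elided on the page)
          env:
            - name: "env"
              value: "test"
          volumeMounts:
            - name: conf
              mountPath: /app/app/common/accounts.json
              # subPath places only this file at mountPath instead of
              # shadowing the whole directory. Caveat: a subPath mount does
              # not receive updates when the Secret changes, so a rotated
              # value is only picked up after the pod is restarted.
              subPath: accounts.json
              readOnly: true
          # ... (elided on the page)
      volumes:
        - name: conf
          secret:
            secretName: secret-api
            items:
              # Only the `accounts` key is projected, as accounts.json.
              - key: accounts
                path: accounts.json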
# secret 을 파드에 환경변수로 사용
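# Same Opaque Secret, consumed below as environment variables
# (indentation restored). `data` values are base64-encoded, not encrypted.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm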
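---
# Pod that injects two Secret keys as environment variables.
# Indentation restored so the manifest parses.
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
    - name: mycontainer
      image: redis
      # Environment variables are fixed at container start: a changed
      # Secret is not seen until the container restarts. They are also
      # inherited by child processes and easy to leak through debug
      # output or crash dumps; prefer a read-only file mount for
      # sensitive values where the application supports it.
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password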
혹은 envFrom.secretRef 사용하여 설정
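# Container-level excerpt (indentation restored); these keys belong inside
# one entry of `spec.containers`.
env:
  - name: "DEBUG"
    value: "False"
# envFrom exposes every key of the Secret as an environment variable, so
# any key added to `secret-mgmt` later is exposed to this container as well.
# On a name clash, an explicit `env` entry takes precedence.
envFrom:
  - secretRef:
      name: secret-mgmt
volumeMounts:
  # NOTE(review): the matching `volumes` entry for `secret-vol` is not shown
  # on the page; confirm it exists in the full manifest.
  - mountPath: "/var/secrets"
    name: secret-vol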
## 확인
➜ [test123] kubectl exec -it secret-env-pod -- sh -c 'echo $SECRET_USERNAME'
admin
➜ [test123] kubectl exec -it secret-env-pod -- sh -c 'echo $SECRET_PASSWORD'
1f2d1e2e67df