kubernetes

secret 으로 값 전달

misankim 2023. 3. 9. 22:31

secret 으로 값 전달





# secret 을 파드에 파일로 사용

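# Demo Secret. The `data` values are base64 *encoded*, not encrypted:
# YWRtaW4= is "admin" and MWYyZDFlMmU2N2Rm is "1f2d1e2e67df" (see the
# `cat` output below). Anyone who can `get secrets` in the namespace, or
# `exec` into a pod that mounts it, reads them in clear. Do not commit a
# manifest like this with real credentials; keep real values in a secret
# store and restrict `get`/`list` on Secrets via RBAC.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
---
# Pod consuming the Secret as files: /etc/foo/username and /etc/foo/password.
# Every key of the Secret becomes one file under mountPath.
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      # Read-only: a compromised workload must not be able to overwrite
      # its own credentials.
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      # Without defaultMode the kubelet creates the projected files 0644,
      # i.e. readable by every process in the container. Owner-read is
      # enough here. The files are root-owned; the `cat` below still works
      # because `kubectl exec` runs as the image's default user (assumed
      # root for the redis image -- confirm). A non-root runAsUser needs a
      # matching fsGroup (or per-item `mode`) to read them.
      # YAML 1.1 octal: 0400 == decimal 256 (JSON manifests must use 256).
      defaultMode: 0400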


## 확인 (아래 출력 끝의 `%` 는 zsh 가 개행 없이 끝난 출력에 표시하는 기호이며, secret 값에 포함된 문자가 아님)

➜  [test123] kubectl exec -it secret-volume-pod -- ls -al /etc/foo
total 4
drwxrwxrwt 3 root root  120 May 23 08:38 .
drwxr-xr-x 1 root root 4096 May 23 08:38 ..
drwxr-xr-x 2 root root   80 May 23 08:38 ..2022_05_23_08_38_45.645443838
lrwxrwxrwx 1 root root   31 May 23 08:38 ..data -> ..2022_05_23_08_38_45.645443838
lrwxrwxrwx 1 root root   15 May 23 08:38 password -> ..data/password
lrwxrwxrwx 1 root root   15 May 23 08:38 username -> ..data/username

➜  [test123] kubectl exec -it secret-volume-pod -- cat /etc/foo/username
admin%
➜  [test123] kubectl exec -it secret-volume-pod -- cat /etc/foo/password
1f2d1e2e67df%
 
# secret 을 파드에 파일로 사용(특정 하위 경로로 지정)

# Same Secret, written with `stringData`: the API server base64-encodes these
# into `data` on admission, so the stored object is identical to the `data:`
# form (username=admin, password=1f2d1e2e67df). Plain text in a manifest is
# exactly as sensitive as base64 -- keep real values out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  username: "admin"
  password: "1f2d1e2e67df"
---
# Pod that projects only the `username` key, at a custom relative path.
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod-path
spec:
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      # Only the keys listed under `items` are projected; `password` is not
      # mounted at all. `path` is relative to mountPath, so the file lands
      # at /etc/foo/my-group/my-username.
      # NOTE(review): the file keeps the 0644 default mode (see the `ls -al`
      # output below); for a real workload add `mode: 0400` on the item or
      # `defaultMode: 0400` on the volume.
      items:
      - key: username
        path: my-group/my-username
  containers:
  - name: mycontainer
    image: redis
    volumeMounts:
    - name: foo
      mountPath: /etc/foo
      # Read-only so the workload cannot alter its own credentials.
      readOnly: true

## 확인

➜  [test123] kubectl exec -it secret-volume-pod-path -- ls -al /etc/foo/my-group/my-username
-rw-r--r-- 1 root root 5 May 23 08:38 /etc/foo/my-group/my-username
 
➜  [test123] kubectl exec -it secret-volume-pod-path -- cat /etc/foo/my-group/my-username
admin%


# secret 을 파드에 파일로 사용(subPath 로 특정 경로의 파일 위치까지 정확히 지정)

# Excerpt of an Argo Rollout (the `...` lines mark elided fields) that places
# a single Secret key at an exact file path with subPath.
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: api
spec:
...
    spec:
      terminationGracePeriodSeconds: 30
      # NOTE(review): `serviceAccount` is the deprecated PodSpec alias of
      # `serviceAccountName`; prefer the latter. If the app never talks to
      # the API server, also set `automountServiceAccountToken: false`.
      serviceAccount: api
      containers:
      - name: api
        # NOTE(review): `1.0` is a mutable tag and `Always` re-pulls it on
        # every container start, so what runs can change without any manifest
        # change. Pin by digest (`image@sha256:...`) for supply-chain integrity.
        image: asia-northeast3-docker.pkg.dev/my-project-id/my-workload/api:1.0
        imagePullPolicy: Always
...
        env:
          - name: "env"
            value: "test"
        volumeMounts:
        # subPath mounts exactly one file instead of shadowing the whole
        # /app/app/common directory with the Secret volume.
        # NOTE(review): Kubernetes does not refresh subPath mounts when the
        # Secret changes -- rotating `secret-api` requires a rollout restart.
        # Confirm against the docs for the cluster version in use.
        - name: conf
          mountPath: /app/app/common/accounts.json
          subPath: accounts.json
          readOnly: true
...
      volumes:
      - name: conf
        secret:
          secretName: secret-api
          # Only the `accounts` key is projected, as accounts.json; other keys
          # in secret-api are not mounted. The file keeps the 0644 default
          # mode unless `mode`/`defaultMode` is set.
          items:
          - key: accounts
            path: accounts.json


# secret 을 파드에 환경변수로 사용

# Secret consumed below through environment variables. `stringData` is a
# write-only convenience: the API server stores it base64-encoded under
# `data`, so the resulting object equals the `data:` form (username=admin,
# password=1f2d1e2e67df). Treat this file as a credential, not as config.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  username: "admin"
  password: "1f2d1e2e67df"
---
# Pod that injects two Secret keys as SECRET_USERNAME / SECRET_PASSWORD.
# NOTE(review): env-var injection is the weaker option. The values are
# readable by any process in the container (`echo $SECRET_PASSWORD` below,
# /proc/<pid>/environ), are inherited by every child process, and tend to
# leak into crash dumps and debug logs. They are also fixed at container
# start, so rotating the Secret needs a restart. Prefer a read-only volume
# mount whenever the application can read a file.
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password

혹은 envFrom.secretRef 를 사용하여 설정 (secret 의 모든 key 가 key 이름 그대로 환경변수로 한꺼번에 주입됨)

        # Non-secret settings stay in `env`; secret values come from `envFrom`.
        env:
          - name: "DEBUG"
            value: "False"
        # envFrom.secretRef turns every key of `secret-mgmt` into an env var
        # named after the key (per the Kubernetes docs, keys that are not valid
        # env names are skipped).
        # NOTE(review): this exposes the whole Secret to the process and all
        # its children; keep `secret-mgmt` limited to what this container needs.
        envFrom:
        - secretRef:
            name: secret-mgmt
        # NOTE(review): unlike the other listings this mount is not
        # `readOnly: true`; add it. The `secret-vol` volume itself is defined
        # outside this excerpt.
        volumeMounts:
        - mountPath: "/var/secrets"
          name: secret-vol


## 확인

➜  [test123] kubectl exec -it secret-env-pod -- sh -c 'echo $SECRET_USERNAME'
admin
➜  [test123] kubectl exec -it secret-env-pod -- sh -c 'echo $SECRET_PASSWORD'
1f2d1e2e67df