Coup de Grace

K8s afterword: using a Secret to desensitize configuration

Required background knowledge:

For now I think a configuration center is too heavyweight a piece of infrastructure; an application running in a container can be simplified a great deal.


Application YAML example

server:
  port: 8080

spring:
  application:
    name: tt-app
  http:
    encoding:
      enabled: true
      charset: UTF-8
  redis:
    host: 111.111.111.111
    port: 1111
    password: 1111
    timeout: 1800000
  data:
    mongodb:
      host: 111.111.111.111
      port: 1111
      database: ttdb
---
server:
  port: 8080

spring:
  profiles: prod
  redis:
    host: ${REDIS_HOST}
    port: ${REDIS_PORT}
    password: ${REDIS_PWD}
  data:
    mongodb:
      host: ${MONGO_HOST}
      port: ${MONGO_PORT}
      database: ${MONGO_DB}
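
Before moving the values into a Secret it helps to have a check that the application YAML no longer carries literal credentials. The script below is an added example, my own and not part of the original post, written for POSIX sh with awk. The list of credential-looking key names (password, passwd, pwd, secret, token, apikey) is my own choice, and the two sample documents are constructed from the dev and prod blocks above. A line whose key matches that list passes only if its value is a ${...} placeholder, which is exactly the transformation the prod block applies.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh plus awk.

# Scan YAML (files given as arguments, or stdin) for "key: value" lines whose
# key looks like a credential but whose value is a literal instead of a
# ${PLACEHOLDER}. Prints each offending line with its line number and
# returns 1 if any was found, 0 otherwise. The key-name list is my own.
find_plaintext_credentials() {
    awk '
        /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*[^ \t]/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            lk = tolower(key)
            if (lk ~ /(password|passwd|pwd|secret|token|apikey|api_key)/ &&
                val !~ /^\$[{][A-Za-z0-9_]+[}]$/) {
                print NR ": " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Convenience wrapper: scan a YAML document held in a shell string.
check_yaml_string() {
    printf '%s\n' "$1" | find_plaintext_credentials
}

# Constructed samples, built from the dev and prod blocks of the post's
# application YAML (the values are the post's placeholders, not real data).
DEV_YAML='spring:
  redis:
    host: 111.111.111.111
    port: 1111
    password: 1111'

PROD_YAML='spring:
  profiles: prod
  redis:
    host: ${REDIS_HOST}
    password: ${REDIS_PWD}'

# Stand-alone use: scan the files named on the command line.
if [ "$#" -gt 0 ]; then
    find_plaintext_credentials "$@"
fi
```

Run it as a pre-commit or CI step over the application YAML: the dev block above is reported (password: 1111) while the prod block is accepted, since every credential there is resolved from the environment at start-up. Keys such as host and port are deliberately not on the list; the point of the check is credentials, not every value that happens to be environment-specific.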

Creating Secrets in K8s

Following the documentation referenced at the top, produce the base64-encoded sensitive data.

Then create secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: yoursecret
  namespace: yourspace
type: Opaque
data:
  redisHost: MTExLjExMS4xMTEuMTEx
  redisPort: MTExMQ==
  redisPwd: MTExMQ==
  mongoHost: MTExLjExMS4xMTEuMTEx
  mongoPort: MTExMQ==
  mongoDb: dHRkYg==

Then create the Secret with create -f (kubectl create -f secret.yaml).
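
As an added example, my own script and not part of the original post, the following POSIX shell produces the base64 values and the Secret manifest above from plaintext inputs, so nothing is encoded and pasted by hand. It assumes a POSIX sh with the coreutils base64 and tr commands; the secret and namespace names and the sample values are the ones from the post. Two things worth knowing at this step: base64 is an encoding, not encryption, so the gain is keeping credentials out of the image and the application YAML rather than hiding them from anyone who can read the Secret object; and encoding with echo instead of printf silently appends a newline to the value.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh plus the
# coreutils base64 and tr commands.

# Base64-encode one value for the data: section of a Secret.
# printf rather than echo is deliberate: `echo 1111 | base64` also encodes
# the trailing newline and yields MTExMQo=, so the application would later
# read a password with "\n" appended and fail to authenticate.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode what b64_value produced and compare it with the original value.
# Returns 0 when the round trip matches, 1 otherwise.
b64_roundtrip_ok() {
    decoded=$(b64_value "$1" | base64 -d)
    [ "$decoded" = "$1" ]
}

# Emit a Secret manifest. Arguments: name namespace key=value [key=value ...]
# Values are given in plaintext and encoded here.
make_secret_manifest() {
    secret_name=$1
    secret_ns=$2
    shift 2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
        "$secret_name" "$secret_ns"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64_value "$val")"
    done
}

# Stand-alone run (--demo): rebuild the manifest from the post's example
# values (placeholders from the post, not real credentials), after checking
# that every value decodes back to its input.
if [ "${1:-}" = "--demo" ]; then
    for v in 111.111.111.111 1111 ttdb; do
        b64_roundtrip_ok "$v" || { echo "round trip failed for $v" >&2; exit 1; }
    done
    make_secret_manifest yoursecret yourspace \
        redisHost=111.111.111.111 redisPort=1111 redisPwd=1111 \
        mongoHost=111.111.111.111 mongoPort=1111 mongoDb=ttdb
fi
```

Running the script with --demo prints a manifest identical to the secret.yaml above; redirect it to a file and apply it with kubectl create -f. When the YAML does not need to exist on disk, kubectl create secret generic yoursecret --from-literal=redisPwd=1111 performs the encoding itself, at the cost of the value landing in the shell history.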


Wiring the two together

Update the RC file:

apiVersion: v1
kind: ReplicationController
metadata:
  name: tt-app
  namespace: yourspace
  labels:
    name: tt-app
spec:
  replicas: 3
  selector:
    name: tt-app
  template:
    metadata:
      labels:
        name: tt-app
    spec:
      containers:
      - name: tt-app
        image: registry.yourcompany.com/tt-app-image:0.0.4
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        resources:
          requests:
            cpu: 2
            memory: 8Gi
          limits:
            cpu: 3
            memory: 16Gi
        env:
          - name: SPRING_PROFILES_ACTIVE
            value: prod
          - name: REDIS_HOST
            valueFrom:
              secretKeyRef:
                name: yoursecret
                key: redisHost
          - name: REDIS_PORT
            valueFrom:
              secretKeyRef:
                name: yoursecret
                key: redisPort
          - name: REDIS_PWD
            valueFrom:
              secretKeyRef:
                name: yoursecret
                key: redisPwd
          - name: MONGO_HOST
            valueFrom:
              secretKeyRef:
                name: yoursecret
                key: mongoHost
          - name: MONGO_PORT
            valueFrom:
              secretKeyRef:
                name: yoursecret
                key: mongoPort
          - name: MONGO_DB
            valueFrom:
              secretKeyRef:
                name: yoursecret
                key: mongoDb

Obviously, inside the container the secret values are also directly visible by listing the environment variables.

done.