Is it possible to not override Docker ENTRYPOINT while passing COMMAND in a k8s pod definition?
Question
Trying to export Vault secrets as an environment variable to a k8s pod using the Vault injector. Following the Vault documentation https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example
As mentioned in the example, you need to source the config file inside a container, and it will override the ENTRYPOINT script/command that you are passing in the Dockerfile.

containers:
  - name: web
    image: alpine:latest
    command:
      ['sh', '-c']
    args:
      ['source /vault/secrets/config && <entrypoint script>']

In my setup, I don't have a static entrypoint script that I can put here in args. The Dockerfile has its own command/script running as the entrypoint script.
Trying to find if there is any alternative to source this Vault config inside a container that allows me to not change anything in the entrypoint script in the Dockerfile. Not sure if k8s provides any way to do this with a post-hook or something that runs the entrypoint mentioned in the Dockerfile first and then executes other scripts/commands passed in the post-hook.
Answer 1
Score: 2
You can use the Vault Secrets Operator to synchronize secrets from Vault to Kubernetes Secret resources.
Once you've done that, you can then expose those secrets as environment variables using envFrom or vaultFrom directives in your deployment manifests, as described in the documentation.
This method does not require overriding the entrypoint or arguments of your containers.
It looks like Vault Secrets Operator is relatively new and the documentation seems a bit slim. You can achieve similar functionality using the External Secrets Operator, which has the added advantage that it supports a variety of secret store backends.
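
The approach from the answer above, written out as manifests. This is an added example, not part of the original answer or the Vault documentation; the namespace, resource names, Vault mount and path, the VaultAuth reference and the image are all assumed values.

```yaml
# Assumed: namespace "app", a KV v2 mount "kvv2" with a secret at "webapp/config",
# and an existing VaultAuth resource named "vault-auth" in the same namespace.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: web-config
  namespace: app
spec:
  vaultAuthRef: vault-auth        # assumed VaultAuth resource
  mount: kvv2                     # assumed KV v2 mount
  type: kv-v2
  path: webapp/config             # assumed secret path
  refreshAfter: 60s               # how often the operator re-reads Vault
  destination:
    name: web-config              # Kubernetes Secret the operator writes
    create: true
  # Environment variables are read only at container start, so restart the
  # workload when the synced Secret changes.
  rolloutRestartTargets:
    - kind: Deployment
      name: web
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.0   # assumed image
          # No command/args here, so the image's ENTRYPOINT and CMD run unchanged.
          envFrom:
            - secretRef:
                name: web-config  # each key of the synced Secret becomes a variable
```

With this layout the secret values are stored as a Kubernetes Secret in etcd, so access to them is governed by RBAC on Secrets in the namespace and by the cluster's encryption-at-rest configuration rather than by Vault policy alone.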