Is it possible to not override the Docker ENTRYPOINT while passing COMMAND in a k8s pod definition?

Question


Trying to export Vault secrets as an environment variable to a k8s pod using the Vault injector. Following the Vault documentation: https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example

As mentioned in the example, you need to source the config file inside a container, and it will override the ENTRYPOINT script/command that you are passing in the Dockerfile.

      containers:
        - name: web
          image: alpine:latest
          command:
            ['sh', '-c']
          args:
            ['source /vault/secrets/config && <entrypoint script>']

In my setup, I don't have a static entrypoint script that I can put here in args. The Dockerfile has its own command/script running as the entrypoint script.

Trying to find if there is any alternative to source this Vault config inside a container that allows me to not change anything in the entrypoint script in the Dockerfile. Not sure if k8s provides any way to do this with a post-hook or something that runs the entrypoint mentioned in the Dockerfile first and then executes other scripts/commands passed in the post-hook.

Answer 1

Score: 2


You can use the Vault Secrets Operator to synchronize secrets from Vault to Kubernetes Secret resources.

Once you've done that, you can then expose those secrets as environment variables using envFrom or vaultFrom directives in your deployment manifests, as described in the documentation.

This method does not require overriding the entrypoint or arguments of your containers.


It looks like Vault Secrets Operator is relatively new and the documentation seems a bit slim. You can achieve similar functionality using the External Secrets Operator, which has the added advantage that it supports a variety of secret store backends.
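
The approach from this answer written out as manifests, added here as an example and not taken from the original answer or the Vault documentation: a VaultStaticSecret (a Vault Secrets Operator resource) syncs a KV v2 path into a Kubernetes Secret, and the Deployment reads it through envFrom and valueFrom with no command or args set, so the image's own ENTRYPOINT runs unchanged. The names web-config and DB_PASSWORD, the mount kvv2, the path web/config, the VaultAuth reference and the image are assumptions.

```yaml
# Added example; every name and path below is a placeholder, not from the original post.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: web-config
  namespace: default
spec:
  vaultAuthRef: default        # assumed: an existing VaultAuth resource in this namespace
  mount: kvv2                  # assumed KV v2 mount in Vault
  type: kv-v2
  path: web/config             # assumed secret path under the mount
  refreshAfter: 60s            # how often the operator re-reads Vault
  destination:
    create: true
    name: web-config           # Kubernetes Secret the operator creates and keeps in sync
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.0   # placeholder image with its own ENTRYPOINT
          # No command/args here: the ENTRYPOINT and CMD from the Dockerfile run as built.
          envFrom:
            - secretRef:
                name: web-config                # every key in the Secret becomes an env var
          env:
            - name: DB_PASSWORD                 # or map a single key explicitly
              valueFrom:
                secretKeyRef:
                  name: web-config
                  key: password                 # assumed key name in the Vault secret
```

With this pattern the values are stored as an ordinary Kubernetes Secret, so RBAC on that Secret and etcd encryption at rest decide who can read them. Environment variables are read when the container starts, so a value rotated in Vault reaches the process only after the pod restarts.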

Posted by huangapple on April 7, 2023, 01:16:16