Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

Understanding sourcing secrets in kubernetes spring boot app

I am following this guide to consume secrets: https://docs.spring.io/spring-cloud-kubernetes/docs/current/reference/html/index.html#secrets-propertysource.

It says, roughly:

  1. save secrets

  2. reference secrets in deployment.yml file

        containers:
        - env:
          - name: DB_USERNAME
            valueFrom:
              secretKeyRef:
                name: db-secret
                key: username
          - name: DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: db-secret
                key: password

  3. Then it says "You can select the Secrets to consume in a number of ways:" and gives 3 examples. However, without doing any of these steps I can still see the secrets in my env perfectly. Furthermore, the operations in step 1 and step 2 operate independently of Spring Boot (save and move secrets into environment variables).

My questions:

  1. If I make the changes suggested in step 3 what changes/improvements does it make for my container/app/pod?
  2. Is there no way to be able to avoid all the mapping in step 1 and put all secrets in an env?
  3. They write `-Dspring.cloud.kubernetes.secrets.paths=/etc/secrets` to source all secrets; how is it they knew secrets were in a folder called /etc/?

Question from: https://stackoverflow.com/questions/65891854/understanding-sourcing-secrets-in-kubernetes-spring-boot-app


1 Reply


You can mount all env variables from secret in the following way:

      containers:
        - name: app
          envFrom:
          - secretRef:
              name: db-secret

As for where Spring gets secrets from - I'm not an expert in Spring but it seems there is already an explanation in the link you provided:

When enabled, the Fabric8SecretsPropertySource looks up Kubernetes for Secrets from the following sources:

Reading recursively from secrets mounts

Named after the application (as defined by spring.application.name)

Matching some labels

So it takes secrets from the secrets mount (if you mount them as volumes). It also scans the Kubernetes API for secrets (I guess in the same namespace the app is running in). It can do it by utilizing the Kubernetes serviceaccount token, which by default is always mounted into the pod. It is up to what Kubernetes RBAC permissions are given to the pod's serviceaccount.

So it tries to search secrets using Kubernetes API and match them against application name or application labels.
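To make the "reading recursively from secrets mounts" part concrete, here is an added example (not code from the question, the answer, or Spring Cloud Kubernetes itself). It builds a directory that mimics a Secret volume mounted at `/etc/secrets`, reads every file under it into a property map the way a secrets-mount property source would, and shows what `envFrom: - secretRef:` would expose instead. The value of `spring.cloud.kubernetes.secrets.paths` is not something Spring discovers: it is whatever `mountPath` the deployment's `volumeMounts` declares, so the documentation's `/etc/secrets` only works because the manifest put the volume there. The property-name convention (`nested/api-token` becomes `nested.api-token`) and the stripping of trailing newlines are this example's own choices, not a description of the library; the nested path stands in for a Secret key projected with `items[].path` in the manifest.

```python
import tempfile
from pathlib import Path

# Constructed sample: what a Kubernetes Secret looks like once mounted as a volume.
# Each key becomes a file whose content is the (base64-decoded) value.
SAMPLE_SECRET_FILES = {
    "username": "dbuser\n",          # trailing newline, as `echo` without -n produces
    "password": "s3cr3t",
    "nested/api-token": "tok-123",   # sub-directory, as produced by a volume items[].path
}


def write_fake_secret_mount(mount_dir: Path) -> None:
    """Create a directory tree that mimics a Secret mounted at e.g. /etc/secrets."""
    for rel, value in SAMPLE_SECRET_FILES.items():
        path = mount_dir / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value)


def read_secret_mount(mount_dir: Path) -> dict:
    """Read every regular file under mount_dir, recursively, into a property map.

    The property name is the file's path relative to the mount root with '/'
    replaced by '.', so nested/api-token -> nested.api-token (naming choice of
    this example). Values have a single trailing newline stripped, because a
    newline copied into a password is a classic "credentials look right but
    fail" bug when secrets were created from files made with `echo`.
    """
    props = {}
    for path in sorted(mount_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(mount_dir)
        # kubelet keeps its own bookkeeping under dot-dot names such as ..data;
        # skip anything that lives under such a directory.
        if any(part.startswith("..") for part in rel.parts):
            continue
        props[".".join(rel.parts)] = path.read_text().rstrip("\n")
    return props


def env_from_secret(secret_data: dict) -> dict:
    """What `envFrom: - secretRef:` does: every Secret key becomes an env var, verbatim.

    No per-key mapping is needed, which answers the question of whether the
    secretKeyRef block per variable can be avoided. The trade-off is that the
    whole Secret lands in the process environment, where `/proc/<pid>/environ`,
    crash dumps and child processes can see it.
    """
    return {key: value.rstrip("\n") for key, value in secret_data.items()}


def demo() -> dict:
    """Build the fake mount in a temp dir and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        # The path here is the one the deployment's volumeMounts.mountPath declares;
        # Spring only "knows" it because the property points at the same path.
        mount = Path(tmp) / "etc" / "secrets"
        write_fake_secret_mount(mount)
        return read_secret_mount(mount)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value!r}")
    print(env_from_secret({"username": "dbuser\n", "password": "s3cr3t"}))
```

On the API-scanning path the answer describes, the operational check is whether the pod's service account may read Secrets at all: `kubectl auth can-i list secrets --as=system:serviceaccount:<namespace>:<serviceaccount>` answers that without deploying anything, and a service account that can list every Secret in the namespace is a much larger grant than a volume mount of one named Secret.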

