kubernetes - Automating the AKS login in an Ansible pod
Problem description
I have an ansible pod containing the playbooks and python scripts we use to manage our k8s clusters. I have this ansible manifest, and the Dockerfile for my image:
apiVersion: v1
kind: Pod
metadata:
  name: ansible
spec:
  volumes:
    - name: ansible-data
      persistentVolumeClaim:
        claimName: ansible-data
  containers:
    - name: ansible
      image: foo.azurecr.io/foo:latest
      command: [ "/bin/bash", "-c", "--" ]
      args: [ "while true; do sleep 30; done;" ]
      volumeMounts:
        - mountPath: /scripts
          name: ansible-data
  restartPolicy: Never
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ansible-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
This is the Dockerfile I use for the ansible image:
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends \
        python3.5 \
        python3-pip \
        python3-setuptools \
        curl \
        sudo \
        nano \
    && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
RUN pip3 install --upgrade pip
RUN pip3 install ansible
RUN pip3 install openshift
RUN pip3 install clickhouse-driver
RUN pip3 install jmespath
RUN ansible-galaxy collection install community.kubernetes
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
RUN chmod +x ./kubectl
RUN sudo mv ./kubectl /usr/local/bin/kubectl
# Define working directory.
WORKDIR /
# Define default command.
CMD ["bash"]
I want this pod to be usable for every cluster in our company's ecosystem, so whenever I want to use it I have to log in to Azure AKS and fetch the context of my AKS cluster. This is what I do after logging into the ansible pod:
    az login -u foo@company.com
    password:
After logging in I get the context:
    az aks get-credentials --resource-group foo --name fooCluster
Can I automate these two commands by supplying the k8s password and the context command through a ConfigMap?
Should I do this at the pod manifest level or at the image Dockerfile level?
Should I use an init or a sidecar container to inject the Secret and ConfigMap, or is that what the args/env mechanism is for?
Thanks!
Solution
Here is the solution I was trying to achieve:
apiVersion: v1
kind: Pod
metadata:
  name: ansible
spec:
  volumes:
    - name: ansible-data
      persistentVolumeClaim:
        claimName: ansible-data
  containers:
    - name: ansible
      image: foo.azurecr.io/foo:latest
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: az-user-pass
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: az-user-pass
              key: password
        - name: SECRET_RESOURCEGROUP
          valueFrom:
            secretKeyRef:
              name: az-resourcegroup-aksname
              key: resourcegroup
        - name: SECRET_AKSNAME
          valueFrom:
            secretKeyRef:
              name: az-resourcegroup-aksname
              key: aksname
      command: [ "/bin/bash", "-c" ]
      args: [ "az login -u $SECRET_USERNAME -p $SECRET_PASSWORD; az aks get-credentials --resource-group $SECRET_RESOURCEGROUP --name $SECRET_AKSNAME; while true; do sleep 30; done;" ]
      volumeMounts:
        - mountPath: /scripts
          name: ansible-data
  restartPolicy: Never
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ansible-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
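The solution above answers the "manifest or Dockerfile" question correctly (credentials belong in the pod manifest, never in image layers that end up in the registry), but the way it consumes them has two weaknesses a practitioner should know about. Expanding `-p $SECRET_PASSWORD` inside `bash -c` puts the user password on the command line of the `az` process, where anything in the container can read it from `/proc/<pid>/cmdline` or `ps`, and exposing it as an environment variable hands it to every child process, including every Ansible task the pod later runs. The entrypoint below is an added example, not code from the original post: it reads the values from the files of a Kubernetes Secret mounted as a volume instead of from `env`, and logs in with a service principal certificate passed by path, since the Azure CLI accepts a PEM file path as the `--password` of a `--service-principal` login, so the key material itself never appears in argv. The mount path `/run/secrets/azure`, the file names (`client-id`, `tenant-id`, `cert.pem`, `resource-group`, `aks-name`), the `AZ` override used for dry runs and the `ANSIBLE_POD_ENTRYPOINT` guard are all assumptions of this example.

```shell
#!/bin/sh
# Added example entrypoint for the ansible pod (not from the original post).
# Assumes a Kubernetes Secret is mounted read-only at $SECRET_DIR with one
# file per item: client-id, tenant-id, cert.pem, resource-group, aks-name.
set -eu

SECRET_DIR="${SECRET_DIR:-/run/secrets/azure}"
KUBECONFIG="${KUBECONFIG:-/root/.kube/config}"
# AZ can be overridden (e.g. AZ=echo) to dry-run without the Azure CLI.
AZ="${AZ:-az}"

# Print the contents of one secret file; fail loudly if it is missing/empty.
read_secret() {
    f="$1/$2"
    if [ ! -s "$f" ]; then
        echo "read_secret: missing or empty secret file: $f" >&2
        return 1
    fi
    tr -d '\r\n' < "$f"
}

# Service-principal login. The certificate is passed by PATH, so neither the
# private key nor a client secret shows up in /proc/<pid>/cmdline or `ps`.
az_login() {
    dir="$1"
    client_id=$(read_secret "$dir" client-id) || return 1
    tenant_id=$(read_secret "$dir" tenant-id) || return 1
    cert="$dir/cert.pem"
    if [ ! -s "$cert" ]; then
        echo "az_login: missing certificate: $cert" >&2
        return 1
    fi
    $AZ login --service-principal \
        --username "$client_id" \
        --tenant "$tenant_id" \
        --password "$cert"
}

# Fetch the kubeconfig for the cluster named in the mounted secret.
az_get_credentials() {
    dir="$1"
    rg=$(read_secret "$dir" resource-group) || return 1
    name=$(read_secret "$dir" aks-name) || return 1
    $AZ aks get-credentials \
        --resource-group "$rg" \
        --name "$name" \
        --file "$KUBECONFIG"
}

main() {
    # az login prints subscription details as JSON; there is no need to log them.
    az_login "$SECRET_DIR" > /dev/null
    az_get_credentials "$SECRET_DIR"
    # The kubeconfig is itself a credential: keep it private to this user.
    chmod 600 "$KUBECONFIG"
    # Keep the pod alive for `kubectl exec` (replaces the while/sleep loop).
    exec sleep infinity
}

# Only run the pipeline when started as the container entrypoint, so the
# functions can also be sourced and exercised without the Azure CLI.
if [ "${ANSIBLE_POD_ENTRYPOINT:-0}" = "1" ]; then
    main
fi
```

To use it, create the Secret from files (`kubectl create secret generic azure-sp --from-file=client-id --from-file=tenant-id --from-file=cert.pem --from-file=resource-group --from-file=aks-name`), mount it in the pod spec as a `secret` volume at `/run/secrets/azure` with `readOnly: true` and `defaultMode: 0400`, set `ANSIBLE_POD_ENTRYPOINT=1` in `env`, and point `command` at the script. No init or sidecar container is needed: the Secret volume is the injection mechanism, and the entrypoint is the only process that needs the files. Grant the service principal only the "Azure Kubernetes Service Cluster User Role" on the clusters it manages, and keep the resulting kubeconfig on the container's own filesystem rather than on the shared `ansible-data` PVC, where it would survive the pod and be visible to anything else that mounts the claim.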