时间戳

首页 > 解决方案 > 如何进行自定义资源定义以从 kubernetes 机密中读取值

kubernetes - 如何进行自定义资源定义以从 kubernetes 机密中读取值

问题描述

我正在开发基于 ansible 的 kubernetes 算子。我正在尝试从 let's encrypt 发布的 kubernetes 机密中读取 tls.key 和 tls.crt,并使用 ansible 任务将其转换为 Windows IIS 证书。

apiVersion: win-cert.test.net/v1alpha1
kind: WindowsCert
metadata:
  name: windowscert-sample
spec:
  pfx_file: test
  pfx_state: present
  pfx_crt: 
    valueFrom:
      secretKeyRef:
        name: cert-manager
        key: tls.crt
  pfx_key:
    valueFrom:
      secretKeyRef:
        name: cert-manager
        key: tls.key

  pfx_ca: ''
  
  pfx_output_file: ''

我的自定义资源定义如下所示:

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: windowscerts.win-cert.tests.net
spec:
  group: win-cert.test.net
  names:
    kind: WindowsCert
    listKind: WindowsCertList
    plural: windowscerts
    singular: windowscert
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: WindowsCert is the Schema for the windowscerts API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of WindowsCert
            type: object
            x-kubernetes-preserve-unknown-fields: true
            properties:
              cronSpec:
                description: 'Specify under crontab format interval to run windows cert ansible playbook'
                type: string
                pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'
                default: "5 0 * * *"
              pfx_file:
                type: string
              pfx_state: 
                type: string
              pfx_crt:
                type: string
              pfx_ca: 
                type: string
              pfx_key:
                type: string
              pfx_output_file:
                type: string
          status:
            description: Status defines the observed state of WindowsCert
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}

如何使用秘密值填充此字段 pfx_key 和 cert 字段?

标签: kubernetesopenshift

解决方案

Ansible 提供了用于检索对象的k8s_info模块。

你应该可以使用这样的块

- name: Get the secret passed into our CRD
  community.kubernetes.k8s_info:
    api_version: v1
    kind: Secret
    name: foobar
    namespace: bizbang
  register: my_secret

但是......我真的建议不要使用操作员框架来完成这项任务。Kubernetes 和运营商框架将增加比所需更多的问题和复杂性。

查看letsencrypt模块。

推荐阅读