kubernetes - 如何进行自定义资源定义以从 kubernetes 机密中读取值
问题描述
我正在开发基于 ansible 的 kubernetes 算子。我正在尝试从 let's encrypt 发布的 kubernetes 机密中读取 tls.key 和 tls.crt,并使用 ansible 任务将其转换为 Windows IIS 证书。
apiVersion: win-cert.test.net/v1alpha1
kind: WindowsCert
metadata:
name: windowscert-sample
spec:
pfx_file: test
pfx_state: present
pfx_crt:
valueFrom:
secretKeyRef:
name: cert-manager
key: tls.crt
pfx_key:
valueFrom:
secretKeyRef:
name: cert-manager
key: tls.key
pfx_ca: ''
pfx_output_file: ''
我的自定义资源定义如下所示:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: windowscerts.win-cert.tests.net
spec:
group: win-cert.test.net
names:
kind: WindowsCert
listKind: WindowsCertList
plural: windowscerts
singular: windowscert
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: WindowsCert is the Schema for the windowscerts API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of WindowsCert
type: object
x-kubernetes-preserve-unknown-fields: true
properties:
cronSpec:
description: 'Specify under crontab format interval to run windows cert ansible playbook'
type: string
pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'
default: "5 0 * * *"
pfx_file:
type: string
pfx_state:
type: string
pfx_crt:
type: string
pfx_ca:
type: string
pfx_key:
type: string
pfx_output_file:
type: string
status:
description: Status defines the observed state of WindowsCert
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
如何使用秘密值填充此字段 pfx_key 和 cert 字段?
解决方案
Ansible 提供了用于检索对象的k8s_info模块。
你应该可以使用这样的块
- name: Get the secret passed into our CRD
community.kubernetes.k8s_info:
api_version: v1
kind: Secret
name: foobar
namespace: bizbang
register: my_secret
但是......我真的建议不要使用操作员框架来完成这项任务。Kubernetes 和运营商框架将增加比所需更多的问题和复杂性。
查看letsencrypt模块。
推荐阅读
- c - 为什么 gcc 会改变二进制中函数的顺序?
- javascript - 在 React 中,如何根据子组件计算父组件的宽度?
- node.js - 每次重新启动 npm run dev 时,端口 3000 已在使用中
- resttemplate - 模拟 bean 无法在单元测试中注入依赖关系
- javascript - 用克隆元素替换元素后事件不起作用
- php - 为什么我在升级后未定义身份验证用户提供程序 [eloquent.multiple]
- bash - 数组的值未正确与数字进行比较
- c# - 如何在paint.net 中获取当前活动图像的名称?
- c# - ASP。带有 cookie 身份验证的 Net Core 2.2:当未授权仅 API 控制器时如何避免页面重定向
- elasticsearch - Elasticsearch 中的多字段聚合