Can't use Google Cloud Kubernetes substitutions


Problem description

Obviously, I'm doing something the wrong way, but I can't understand where the problem is. I'm new to Kubernetes.

There is a Node.js app that I'm able to wrap in Docker and deploy to Google Compute Engine (it works with a Git trigger and locally). The most important thing here: there are env variables, some of them secret and encrypted with a key. Google uses the key too, to decrypt the values and give them to the application during the build process (everything is done based on the Google docs). Now I'm trying to change the cloudbuild.yaml file to get a Kubernetes config.

cloudbuild.yaml (part of the settings may be redundant after switching from Docker to Kubernetes). Without the marked section below in cloudbuild.yaml I'm getting the following error:

Error merging substitutions and validating build: Error validating build: key "_DB_HOST" in the substitution data is not matched in the template;key "_STATIC_SECRET" in the substitution data is not matched in the template;key "_TYPEORM_DATABASE" in the substitution data is not matched in the template;key "_TYPEORM_PASSWORD" in the substitution data is not matched in the template;key "_TYPEORM_USERNAME" in the substitution data is not matched in the template

which is correct because Google considers unused substitutions as errors. But if I leave the marked section in, I'm getting this error:

Error merging substitutions and validating build: Error validating build: invalid .secrets field: secret 0 defines no secretEnvs

which is totally unclear to me.

cloudbuild file:

steps:
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'bash'
    args: [
      '-c',
      'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:latest',
# <<<<<------- START OF DESCRIBED SECTION
      'DB_HOST=${_DB_HOST}',
      'TYPEORM_DATABASE=${_TYPEORM_DATABASE}',
      'TYPEORM_PASSWORD=${_TYPEORM_PASSWORD}',
      'TYPEORM_USERNAME=${_TYPEORM_USERNAME}',
      'STATIC_SECRET=${_STATIC_SECRET}',
# <<<<<------- END OF DESCRIBED SECTION
      '.'
    ]
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [ 'apply', '-f', '/' ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [
      'set',
      'image',
      'deployment',
      'myproject',
      'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
    ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
      - 'DB_PORT=5432'
      - 'DB_SCHEMA=public'
      - 'TYPEORM_CONNECTION=postgres'
      - 'FE=myproject'
      - 'V=1'
      - 'CLEAR_DB=true'
      - 'BUCKET_NAME=myproject'
      - 'BUCKET_TYPE=google'
      - 'KMS_KEY_NAME=storagekey'
    secretEnv:
      - DB_HOST,
      - TYPEORM_DATABASE,
      - TYPEORM_PASSWORD,
      - TYPEORM_USERNAME,
      - STATIC_SECRET
timeout: 1600s
substitutions:
  _DB_HOST: $DB_HOST
  _TYPEORM_DATABASE: $TYPEORM_DATABASE
  _TYPEORM_PASSWORD: $TYPEORM_PASSWORD
  _TYPEORM_USERNAME: $TYPEORM_USERNAME
  _STATIC_SECRET: $STATIC_SECRET
secrets:
  - kmsKeyName: projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey
  - secretEnv:
      DB_HOST: <encrypted base64 here>
      TYPEORM_DATABASE: <encrypted base64 here>
      TYPEORM_PASSWORD: <encrypted base64 here>
      TYPEORM_USERNAME: <encrypted base64 here>
      STATIC_SECRET: <encrypted base64 here>
images:
  - 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  - 'gcr.io/$PROJECT_ID/myproject:latest'

secret.yaml file (registered in kubectl as it should be):

apiVersion: v1
kind: Secret
metadata:
  name: myproject
type: Opaque
data:
  DB_HOST: <encrypted base64 here>
  TYPEORM_DATABASE: <encrypted base64 here>
  TYPEORM_PASSWORD: <encrypted base64 here>
  TYPEORM_USERNAME: <encrypted base64 here>
  STATIC_SECRET: <encrypted base64 here>

pod.yaml file:

apiVersion: v1
kind: Pod
metadata:
  name: myproject
spec:
  containers:
    - name: myproject
      image: gcr.io/myproject/myproject:latest
      # project ID is valid here, don't bother on mock values
      env:
        - name: DB_HOST
          valueFrom:
            secretKeyRef:
              name: myproject
              key: DB_HOST
        - name: TYPEORM_DATABASE
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_DATABASE
        - name: TYPEORM_PASSWORD
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_PASSWORD
        - name: TYPEORM_USERNAME
          valueFrom:
            secretKeyRef:
              name: myproject
              key: TYPEORM_USERNAME
        - name: STATIC_SECRET
          valueFrom:
            secretKeyRef:
              name: myproject
              key: STATIC_SECRET
  restartPolicy: Never

Recommended answer

I think you are mixing too many things: your legacy build and your new one. If your secrets are already set in your cluster, you don't need them at build time.

Try this, with only the required steps for deploying (no substitution, no secret, no KMS):

steps:
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: 'bash'
    args: [
      '-c',
      'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
    ]
  - name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
      '-t',
      'gcr.io/$PROJECT_ID/myproject:latest',
      '.'
    ]
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [ 'apply', '-f', '/' ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - name: 'gcr.io/cloud-builders/kubectl'
    args: [
      'set',
      'image',
      'deployment',
      'myproject',
      'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
    ]
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=<region>'
      - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
      - 'DB_PORT=5432'
      - 'DB_SCHEMA=public'
      - 'TYPEORM_CONNECTION=postgres'
      - 'FE=myproject'
      - 'V=1'
      - 'CLEAR_DB=true'
      - 'BUCKET_NAME=myproject'
      - 'BUCKET_TYPE=google'
      - 'KMS_KEY_NAME=storagekey'
timeout: 1600s
images:
  - 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  - 'gcr.io/$PROJECT_ID/myproject:latest'
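
For readers who do need KMS-encrypted values at build time, the following added example (not part of the original question or answer, and not Cloud Build's own code) approximates the checks behind the two quoted errors. It runs them over a constructed, trimmed copy of the question's config and shows that the `secrets` error comes from `kmsKeyName` and `secretEnv` being written as two separate list items. The function names and the wording of the third finding are this example's own.

```python
import re

# Constructed stand-in for the question's cloudbuild.yaml after YAML parsing,
# trimmed to the fields the validation errors depend on (marked section removed).
QUESTION_BUILD = {
    "steps": [
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["build", "-t", "gcr.io/$PROJECT_ID/myproject:latest", "."]},
        {"name": "gcr.io/cloud-builders/kubectl",
         "args": ["set", "image", "deployment", "myproject"],
         # "- DB_HOST," in block-style YAML keeps the comma as part of the string.
         "secretEnv": ["DB_HOST,", "STATIC_SECRET"]},
    ],
    "substitutions": {"_DB_HOST": "$DB_HOST", "_STATIC_SECRET": "$STATIC_SECRET"},
    # "- kmsKeyName:" and "- secretEnv:" each start a list item: two entries, not one.
    "secrets": [
        {"kmsKeyName": "projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey"},
        {"secretEnv": {"DB_HOST": "<ciphertext>", "STATIC_SECRET": "<ciphertext>"}},
    ],
}


def lint_build(build):
    """Approximate the checks behind the two errors quoted in the question."""
    findings = []
    # The "template" is everything except the substitutions map itself.
    template = repr({k: v for k, v in build.items() if k != "substitutions"})
    for key in build.get("substitutions", {}):
        used = re.search(r"\$\{%s\}|\$%s(?![A-Z0-9_])" % (key, key), template)
        if not used:
            findings.append(f'key "{key}" in the substitution data is not matched in the template')
    declared = set()
    for i, secret in enumerate(build.get("secrets", [])):
        if not secret.get("secretEnv"):
            findings.append(f"secret {i} defines no secretEnvs")
        declared.update(secret.get("secretEnv", {}))
    for i, step in enumerate(build.get("steps", [])):
        for name in step.get("secretEnv", []):
            if name not in declared:  # finding text below is this example's own wording
                findings.append(f"step {i} references undeclared secretEnv {name!r}")
    return findings


def merge_secret_entries(build):
    """Fold the split entries into one {kmsKeyName, secretEnv} item."""
    merged = {}
    for secret in build.get("secrets", []):
        merged.update(secret)
    return {**build, "secrets": [merged]}
```

In YAML terms, the merged form is a single `- kmsKeyName: ...` item with `secretEnv:` indented beneath it as a sibling key rather than introduced by its own dash.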
