Can't use Google Cloud Kubernetes substitutions
Question
Obviously I'm doing something wrong, but I can't understand where the problem is. I'm new to Kubernetes.
There is a Node.js app that I'm able to wrap in Docker and deploy to Google Compute Engine (it works with a Git trigger and locally). The most important thing here: there are env variables, some of them secret, encrypted with a key. Google uses that key to decrypt the values and hand them to the application during the build process (everything is done according to the Google docs). Now I'm trying to change the cloudbuild.yaml file to get a Kubernetes config.
cloudbuild.yaml (part of the settings may be redundant after switching from Docker to Kubernetes). Without the marked section below in cloudbuild.yaml I'm getting the following error:
Error merging substitutions and validating build: Error validating build: key "_DB_HOST" in the substitution data is not matched in the template; key "_STATIC_SECRET" in the substitution data is not matched in the template; key "_TYPEORM_DATABASE" in the substitution data is not matched in the template; key "_TYPEORM_PASSWORD" in the substitution data is not matched in the template; key "_TYPEORM_USERNAME" in the substitution data is not matched in the template
which is correct, because Google treats unused substitutions as errors. But if I leave the marked section in, I get this error:
Error merging substitutions and validating build: Error validating build: invalid .secrets field: secret 0 defines no secretEnvs
which is totally unclear to me.
cloudbuild file:
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: [
    '-c',
    'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
  ]
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:latest',
    # <<<<<------- START OF DESCRIBED SECTION
    'DB_HOST=${_DB_HOST}',
    'TYPEORM_DATABASE=${_TYPEORM_DATABASE}',
    'TYPEORM_PASSWORD=${_TYPEORM_PASSWORD}',
    'TYPEORM_USERNAME=${_TYPEORM_USERNAME}',
    'STATIC_SECRET=${_STATIC_SECRET}',
    # <<<<<------- END OF DESCRIBED SECTION
    '.'
  ]
- name: 'gcr.io/cloud-builders/kubectl'
  args: [ 'apply', '-f', '/' ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
- name: 'gcr.io/cloud-builders/kubectl'
  args: [
    'set',
    'image',
    'deployment',
    'myproject',
    'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - 'DB_PORT=5432'
  - 'DB_SCHEMA=public'
  - 'TYPEORM_CONNECTION=postgres'
  - 'FE=myproject'
  - 'V=1'
  - 'CLEAR_DB=true'
  - 'BUCKET_NAME=myproject'
  - 'BUCKET_TYPE=google'
  - 'KMS_KEY_NAME=storagekey'
  secretEnv:
  - DB_HOST
  - TYPEORM_DATABASE
  - TYPEORM_PASSWORD
  - TYPEORM_USERNAME
  - STATIC_SECRET
timeout: 1600s
substitutions:
  _DB_HOST: $DB_HOST
  _TYPEORM_DATABASE: $TYPEORM_DATABASE
  _TYPEORM_PASSWORD: $TYPEORM_PASSWORD
  _TYPEORM_USERNAME: $TYPEORM_USERNAME
  _STATIC_SECRET: $STATIC_SECRET
secrets:
- kmsKeyName: projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey
- secretEnv:
    DB_HOST: <encrypted base64 here>
    TYPEORM_DATABASE: <encrypted base64 here>
    TYPEORM_PASSWORD: <encrypted base64 here>
    TYPEORM_USERNAME: <encrypted base64 here>
    STATIC_SECRET: <encrypted base64 here>
images:
- 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
- 'gcr.io/$PROJECT_ID/myproject:latest'
secret.yaml file (registered in kubectl as it should be):
apiVersion: v1
kind: Secret
metadata:
  name: myproject
type: Opaque
data:
  DB_HOST: <encrypted base64 here>
  TYPEORM_DATABASE: <encrypted base64 here>
  TYPEORM_PASSWORD: <encrypted base64 here>
  TYPEORM_USERNAME: <encrypted base64 here>
  STATIC_SECRET: <encrypted base64 here>
pod.yaml file:
apiVersion: v1
kind: Pod
metadata:
  name: myproject
spec:
  containers:
  - name: myproject
    image: gcr.io/myproject/myproject:latest
    # project ID is valid here, don't bother on mock values
    env:
    - name: DB_HOST
      valueFrom:
        secretKeyRef:
          name: myproject
          key: DB_HOST
    - name: TYPEORM_DATABASE
      valueFrom:
        secretKeyRef:
          name: myproject
          key: TYPEORM_DATABASE
    - name: TYPEORM_PASSWORD
      valueFrom:
        secretKeyRef:
          name: myproject
          key: TYPEORM_PASSWORD
    - name: TYPEORM_USERNAME
      valueFrom:
        secretKeyRef:
          name: myproject
          key: TYPEORM_USERNAME
    - name: STATIC_SECRET
      valueFrom:
        secretKeyRef:
          name: myproject
          key: STATIC_SECRET
  restartPolicy: Never
Answer
I think you're mixing too many things: your legacy build and your new one. If your secrets are already set in your cluster, you don't need them at build time.
Try this, with only the steps required for deploying (no substitution, no secret, no KMS):
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: [
    '-c',
    'docker pull gcr.io/$PROJECT_ID/myproject:latest || exit 0'
  ]
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA',
    '-t',
    'gcr.io/$PROJECT_ID/myproject:latest',
    '.'
  ]
- name: 'gcr.io/cloud-builders/kubectl'
  args: [ 'apply', '-f', '/' ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
- name: 'gcr.io/cloud-builders/kubectl'
  args: [
    'set',
    'image',
    'deployment',
    'myproject',
    'myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
  ]
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<region>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=myproject'
  - 'DB_PORT=5432'
  - 'DB_SCHEMA=public'
  - 'TYPEORM_CONNECTION=postgres'
  - 'FE=myproject'
  - 'V=1'
  - 'CLEAR_DB=true'
  - 'BUCKET_NAME=myproject'
  - 'BUCKET_TYPE=google'
  - 'KMS_KEY_NAME=storagekey'
timeout: 1600s
images:
- 'gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA'
- 'gcr.io/$PROJECT_ID/myproject:latest'
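The two validation errors quoted in the question (an unreferenced user substitution, and a `secrets` list item that carries `kmsKeyName` but no `secretEnv`) are both cheap to catch before a build is ever submitted. The script below is an added example and is not code from the questioner or the answerer: a pre-flight linter over the parsed form of cloudbuild.yaml, plus a check that every `secretKeyRef` in the Pod manifest points at a key the Secret actually holds. The configs are constructed Python dicts (what `yaml.safe_load` would return for the manifests above, trimmed to the relevant fields) so it runs offline without PyYAML; the function names and the `defines no kmsKeyName` wording are my own, only the `secret N defines no secretEnvs` message mirrors Cloud Build's.

```python
import json
import re

# Cloud Build user substitutions must start with an underscore and are
# referenced as $_NAME or ${_NAME} anywhere in the build template.
SUBST_REF = re.compile(r"\$\{?(_[A-Z0-9_]+)\}?")


def unmatched_substitutions(build):
    """Substitutions declared under `substitutions` but never referenced in the
    rest of the build; Cloud Build rejects these by default with
    'key "_X" in the substitution data is not matched in the template'."""
    template = json.dumps({k: v for k, v in build.items() if k != "substitutions"})
    referenced = set(SUBST_REF.findall(template))
    return sorted(k for k in build.get("substitutions", {}) if k not in referenced)


def secrets_errors(build):
    """Each `secrets` entry must carry BOTH kmsKeyName and a non-empty secretEnv map.
    Splitting them over two list items, as in the question, gives
    'secret 0 defines no secretEnvs'. The kmsKeyName message is this script's own."""
    errors = []
    for i, secret in enumerate(build.get("secrets", [])):
        if not secret.get("kmsKeyName"):
            errors.append(f"secret {i} defines no kmsKeyName")
        if not secret.get("secretEnv"):
            errors.append(f"secret {i} defines no secretEnvs")
    return errors


def undeclared_secret_envs(build):
    """Names a step lists under secretEnv that no secrets[].secretEnv defines."""
    declared = set()
    for secret in build.get("secrets", []):
        declared.update((secret.get("secretEnv") or {}).keys())
    return [
        f"step {i}: {name}"
        for i, step in enumerate(build.get("steps", []))
        for name in step.get("secretEnv", [])
        if name not in declared
    ]


def missing_secret_keys(pod, secrets_by_name):
    """secretKeyRef targets in a Pod that the named Secret does not contain.
    kubectl apply accepts such a Pod; the kubelet fails it at container start."""
    missing = []
    for container in pod["spec"]["containers"]:
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if not ref:
                continue
            data = secrets_by_name.get(ref["name"], {}).get("data", {})
            if ref["key"] not in data:
                missing.append(f'{container["name"]}/{env["name"]} -> {ref["name"]}:{ref["key"]}')
    return missing


KMS_KEY = "projects/myproject/locations/global/keyRings/storage/cryptoKeys/storagekey"
DEPLOY_STEP = {
    "name": "gcr.io/cloud-builders/kubectl",
    "args": ["set", "image", "deployment", "myproject",
             "myproject=gcr.io/$PROJECT_ID/myproject:$BRANCH_NAME-$COMMIT_SHA"],
    "secretEnv": ["DB_HOST", "STATIC_SECRET"],
}

# Constructed: the question's layout with the marked build-arg section removed,
# so the substitutions are unreferenced and the secrets entry is split in two.
BROKEN_BUILD = {
    "steps": [DEPLOY_STEP],
    "substitutions": {"_DB_HOST": "$DB_HOST", "_STATIC_SECRET": "$STATIC_SECRET"},
    "secrets": [
        {"kmsKeyName": KMS_KEY},                                                      # item 0
        {"secretEnv": {"DB_HOST": "<ciphertext>", "STATIC_SECRET": "<ciphertext>"}},  # item 1
    ],
}

# Constructed: one secrets item carrying both fields, and no unused substitutions.
FIXED_BUILD = {
    "steps": [DEPLOY_STEP],
    "secrets": [{"kmsKeyName": KMS_KEY,
                 "secretEnv": {"DB_HOST": "<ciphertext>", "STATIC_SECRET": "<ciphertext>"}}],
}

# Constructed Kubernetes manifests: the Secret lacks one key the Pod asks for.
SECRET = {"kind": "Secret", "metadata": {"name": "myproject"},
          "data": {"DB_HOST": "ZGItaG9zdA==", "STATIC_SECRET": "c2VjcmV0"}}
POD = {"kind": "Pod", "spec": {"containers": [{
    "name": "myproject",
    "env": [
        {"name": "DB_HOST", "valueFrom": {"secretKeyRef": {"name": "myproject", "key": "DB_HOST"}}},
        {"name": "TYPEORM_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "myproject", "key": "TYPEORM_PASSWORD"}}},
    ]}]}}

if __name__ == "__main__":
    for label, build in (("broken", BROKEN_BUILD), ("fixed", FIXED_BUILD)):
        print(label, unmatched_substitutions(build), secrets_errors(build), undeclared_secret_envs(build))
    print(missing_secret_keys(POD, {"myproject": SECRET}))
```

Unlike Cloud Build, which stops at the first validation failure (which is why the question sees one error or the other depending on the marked section), the linter reports everything at once. Two caveats worth keeping in mind when choosing between the two approaches on this page: values passed to `docker build` as build args are recorded in the image's layer history and are readable with `docker history`, so the runtime `secretKeyRef` route the answer keeps is the one that keeps credentials out of the image; and a Kubernetes Secret's `data` field is base64-encoded, not encrypted, so anyone with `get` on Secrets in that namespace reads the plaintext.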