使用Docker构建策略从OpenShift秘密中填充环境变量 [英] Populate environment variables from OpenShift secret with Docker build strategy
问题描述
我想在构建容器中的不透明OpenShift机密上用作环境变量.该机密包含三个键值对,因此它们应该可以作为三个环境变量使用. (这适用于OpenShift 3.9).
I would like to use on opaque OpenShift secret inside a build pod as environment variable. The secret contains three key-value pairs, so they should become available as three environment variables. (This is for OpenShift 3.9).
我为OpenShift的来源找到了记录的示例构建策略(sourceStrategy
),但是在使用Docker构建策略(dockerStrategy
)的构建配置的上下文中需要此策略. oc explain
建议将秘密提取到环境变量中应同时适用于这两种构建策略.到目前为止,一切都很好:
I have found a documented example for OpenShift's Source build strategy (sourceStrategy
), but need this in the context of a build configuration with Docker build strategy (dockerStrategy
). oc explain
suggests that extraction of secrets into environment variables should work with both build strategies. So far, so good:
oc explain bc.spec.strategy.sourceStrategy.env.valueFrom.secretKeyRef
oc explain bc.spec.strategy.dockerStrategy.env.valueFrom.secretKeyRef
我的构建配置是通过模板创建的,因此我添加了如下部分作为dockerStragegy
的同级,其中模板引用了构建配置:
My build configuration is created from a template, so I have added a section like this as a sibling of dockerStragegy
where the template refers to the build configuration:
env:
- name: SECRET_1
valueFrom:
secretKeyRef:
name: my-secret
key: role-1
- name: SECRET_2
valueFrom:
secretKeyRef:
name: my-secret
key: role-2
- name: SECRET_3
valueFrom:
secretKeyRef:
name: my-secret
key: role-3
秘密是这样创建的:
oc create secret generic my-secret \
--from-literal=role-1=... --from-literal=role-2=... --from-literal=role-3=...
上载新模板(使用oc replace
)并重新创建应用程序,并由此创建应用程序的构建配置(使用oc new-app
)后,我观察到以下内容:
After uploading the new template (with oc replace
) and recreating the application and hence the build configuration from it (with oc new-app
) I observe the following:
- 模板包含预期的
env
(已通过oc get template -o yaml
选中). - 构建配置不包含所需的
env
(已通过oc get bc -o yaml
选中).
- The template contains
env
as expected (checked withoc get template -o yaml
). - The build configuration does not contain the desired
env
(checked withoc get bc -o yaml
).
为什么和我正确的假设是,可以在Docker构建策略的环境变量中使用秘密,这可能是我正确的原因.对于上下文:我的Dockerfile建立了一个关系数据库(在其ENTRYPOINT
脚本中),并且需要为三个角色配置密码,而这些密码应该是出于秘密.
What could be the reason why and am I correct in assuming that secrets can be made available inside environment variables for the Docker build strategy. For context: my Dockerfile sets up a relational database (in its ENTRYPOINT
script), and needs to configure passwords for three roles, and these should stem from the secret.
推荐答案
这是我的错误:env
应该作为模板中dockerStrategy
的子级(而不是同级)存在(如
This was my mistake: env
should reside as a child (not sibling) of dockerStrategy
inside the template (as had already been suggested by oc explain
's cited path). I've now fixed this, and so the desired parts now show up both in the template and in the build configuration.
这篇关于使用Docker构建策略从OpenShift秘密中填充环境变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!