Using kubernetes secrets in a configmap


Problem description

I'm using Helm on a Kubernetes cluster and have installed the stable rabbitmq-ha chart. I would like to push data to an exchange in rabbitmq from Logstash. I am trying to use the logstash stable chart.

The rabbitmq-ha chart has created a secret that contains the password to connect to it. I'd like to be able to get that password and include it in the logstash configuration so that logstash can connect to it.

The ConfigMap for logstash is templated using items from the values file.

  outputs:
    main: |-
      output {
        rabbitmq {
          exchange => "exchange_name"
          exchange_type => "fanout"
          host => "rabbitmq-ha.default.svc.cluster.local"
          password => "????"
        }
      }

I don't want to hard-code the password in the values file because that's not great for security and it would mean duplicating the configuration for each environment. I can't see a way to get logstash to read the password from an environment variable.

How do people normally do this?

I could use helm secrets to store the whole outputs configuration and include hard-coded passwords. That would avoid having plain-text passwords in my repository but still doesn't feel like the best way.

Recommended answer

Turns out that it is possible to get logstash to read values from the environment variables since at least version 5.0 of logstash. https://www.elastic.co/guide/en/logstash/current/environment-variables.html

So my values file can look like

  outputs:
    main: |-
      output {
        rabbitmq {
          exchange => "exchange_name"
          exchange_type => "fanout"
          host => "rabbitmq-ha.default.svc.cluster.local"
          password => "${RMQ_PASSWORD}"
        }
      }

The logstash chart allows environment variables to be added to the statefulset using an extraEnv value. The extraEnv allows values to come from secrets.

  extraEnv:
    - name: RMQ_PASSWORD
      valueFrom:
        secretKeyRef:
          name: rabbitmq-ha
          key: rabbitmq-password
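
A pre-deploy check for the pattern in this answer, as an added example that is not part of the original post or the chart: it takes an already-parsed values dict and reports sensitive pipeline settings that are literals, reference a variable missing from `extraEnv`, or are fed by something other than a `secretKeyRef`. The function name `lint_values`, the list of sensitive setting names, the top-level position of `outputs` and `extraEnv`, and the sample values are assumptions made for the example.

```python
import re

# Logstash expands ${VAR} and ${VAR:default} inside pipeline config.
ENV_REF = re.compile(r"\$\{(\w+)(?::([^}]*))?\}")
# Settings that should never hold a literal (assumed list; extend as needed).
SENSITIVE = re.compile(r'^\s*(password|passphrase|api_key)\s*=>\s*"([^"]*)"', re.M)

def lint_values(values):
    """Return findings for a parsed logstash chart values dict."""
    env = {e["name"]: e for e in values.get("extraEnv", [])}
    findings = []
    for name, pipeline in values.get("outputs", {}).items():
        for setting, value in SENSITIVE.findall(pipeline):
            refs = ENV_REF.findall(value)
            if not refs:
                findings.append(f"{name}: {setting} is a literal value")
            for var, default in refs:
                entry = env.get(var)
                if entry is None:
                    findings.append(f"{name}: ${{{var}}} has no extraEnv entry")
                elif "secretKeyRef" not in entry.get("valueFrom", {}):
                    findings.append(f"{name}: {var} is not sourced from a Secret")
                if default:
                    findings.append(f"{name}: ${{{var}}} carries a literal default")
    return findings

def pipeline(password):
    # Constructed sample mirroring the rabbitmq output block on this page.
    return ('output {\n  rabbitmq {\n'
            '    host => "rabbitmq-ha.default.svc.cluster.local"\n'
            '    password => "%s"\n  }\n}' % password)

SECRET_ENV = [{"name": "RMQ_PASSWORD", "valueFrom": {
    "secretKeyRef": {"name": "rabbitmq-ha", "key": "rabbitmq-password"}}}]

# Constructed values dicts: the answer's layout, a hard-coded password,
# and a variable supplied as a plain value with a literal default.
GOOD = {"outputs": {"main": pipeline("${RMQ_PASSWORD}")}, "extraEnv": SECRET_ENV}
HARDCODED = {"outputs": {"main": pipeline("changeme")}}
PLAIN_ENV = {"outputs": {"main": pipeline("${RMQ_PASSWORD:guest}")},
             "extraEnv": [{"name": "RMQ_PASSWORD", "value": "guest"}]}

if __name__ == "__main__":
    for label, vals in [("good", GOOD), ("hardcoded", HARDCODED), ("plain", PLAIN_ENV)]:
        print(label, lint_values(vals) or "ok")
```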
