如何使用Spring Boot将Google Secret Manager中的机密作为环境变量注入Kubernetes Pod中? [英] How to inject secret from Google Secret Manager into Kubernetes Pod as environment variable with Spring Boot?

问题描述

在布莱恩(Bryan)的一生中，我该怎么做?

For the life of Bryan, how do I do this?

Terraform 用于在GCP中创建SQL Server实例.根密码和用户密码是随机生成的，然后放入Google Secret Manager中.数据库的IP通过私有DNS区域公开.

Terraform is used to create an SQL Server instance in GCP. Root password and user passwords are randomly generated, then put into the Google Secret Manager. The DB's IP is exposed via private DNS zone.

我现在如何获取用户名和密码来访问数据库到我的K8s集群中?在此处运行Spring Boot应用.

How can I now get the username and password to access the DB into my K8s cluster? Running a Spring Boot app here.

这是我想到的一种选择:

This was one option I thought of:

在我的部署中，我添加一个 initContainer :

In my deployment I add an initContainer:

- name: secrets
  image: gcr.io/google.com/cloudsdktool/cloud-sdk
  args: 
  - echo "DB_PASSWORD=$(gcloud secrets versions access latest --secret=\"$NAME_OF_SECRET\")" >> super_secret.env

好的，现在怎么办?如何从这里将其放入我的应用程序容器?

Okay, what now? How do I get it into my application container from here?

还有其他选项，例如 bitnami/sealed-secrets ，我不喜欢这些选项，因为安装程序已经在使用 Terraform 并将秘密保存在GCP中.使用 sealed-secrets 时，我可以跳过使用机密管理器.与 Vault IMO相同.

There are also options like bitnami/sealed-secrets, which I don't like since the setup is using Terraform already and saving the secrets in GCP. When using sealed-secrets I could skip using the secrets manager. Same with Vault IMO.

推荐答案

您可以使用 spring-cloud-gcp-starter-secretmanager 从Spring应用程序本身加载机密.

You can use spring-cloud-gcp-starter-secretmanager to load secrets from Spring application itself.

文档- https://cloud.spring.io/spring-cloud-gcp/reference/html/#secret-manager

这篇关于如何使用Spring Boot将Google Secret Manager中的机密作为环境变量注入Kubernetes Pod中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！