Reading secrets from Kubernetes in a Python-based application

blu*_*sky 6 python docker kubernetes docker-secrets kubernetes-secrets

I'm packaging a Python application for use in a Kubernetes cluster. The codebase contains this method:

    import pymongo

    def get_pymongo_client(self):
        # credentials are currently hard-coded in the source
        username = "test"
        password = "test"
        url = "test"
        conn_str = "mongodb+srv://" + username + ":" + password + "/" + url

        return pymongo.MongoClient(conn_str)

I'm trying to protect the username, password and URL fields so that they are not visible in the source code. For that I intend to use Secrets.


The URL https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/ describes in detail how to create a Secret, but I don't know how to read the Secret from the Python application.


My application's Dockerfile:

    # https://docs.docker.com/language/python/build-images/

    FROM python:3.8-slim-buster

    WORKDIR /app

    COPY requirements.txt requirements.txt

    RUN pip3 install -r requirements.txt

    COPY . .

    CMD [ "python3", "-m" , "flask", "run", "--host=0.0.0.0"]

Reading "Python Flask application access to docker Secrets in a swarm" covers how Secrets are used from a docker-compose file; is that also required for Kubernetes? What steps are involved in reading the Secret parameters from the Python source code files?


mda*_*iel 15

The traditional way is through environment variables:

spec:
  containers:
  - name: your-app
    # ...
    env:
    - name: PYMONGO_USERNAME
      valueFrom:
        secretKeyRef:
          name: your-secret-name-here
          key: PYMONGO_USERNAME

Alternatively, you can make the YAML less verbose by using a well-formed Secret together with the "envFrom:" field:

apiVersion: v1
kind: Secret
metadata:
  name: pymongo
stringData:
  PYMONGO_USERNAME: test
  PYMONGO_PASSWORD: sekrit
---
spec:
  containers:
  - name: your-app
    envFrom:
    - secretRef:
        name: pymongo
    # and now the pod has all environment variables matching the keys in the Secret

Then your code reads it from its environment as usual:

    import os

    def get_pymongo_client(self):
        # each Secret key is exposed as an environment variable of the same name
        username = os.getenv('PYMONGO_USERNAME')
        password = os.getenv('PYMONGO_PASSWORD')
        # etc

Another, similar idea is to mount the Secret onto the filesystem and then read the values as you would read files:

spec:
  containers:
  - name: your-app
    env:
    # this part is 100% optional, but allows for easier local development
    - name: SECRETS_PATH
      value: /secrets
    volumeMounts:
    - name: pymongo
      mountPath: /secrets
  volumes:
  - name: pymongo
    secret:
      secretName: your-secret-name-here

Then:

    import os

    def get_pymongo_client(self):
        # each Secret key becomes a file named after the key under the mount path
        sec_path = os.getenv('SECRETS_PATH', './secrets')
        with open(os.path.join(sec_path, 'PYMONGO_USERNAME')) as fh:
            username = fh.read()
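As an added example (not code from either post above), here is one way to combine the two approaches the answer describes: look each key up in the environment first (the `envFrom:` case), fall back to the file of the same name under the mounted Secret volume, and only then build the connection string, with the credentials percent-encoded as the MongoDB URI format requires. The key names, the `SECRETS_PATH` variable and all sample values are assumptions; nothing here connects to a database.

```python
import os
import tempfile
from urllib.parse import quote_plus

# Assumed Secret keys; each is either an environment variable (envFrom:)
# or a file of the same name inside the mounted Secret volume.
SECRET_KEYS = ("PYMONGO_USERNAME", "PYMONGO_PASSWORD", "PYMONGO_URL")


def read_secret(key, env=None, secrets_dir=None):
    """Return the value of one Secret key.

    Lookup order: the environment mapping first, then a file named after the
    key inside secrets_dir (the mountPath of the Secret volume). Raises
    KeyError if neither source has it, so a misconfigured pod fails at
    startup instead of connecting with an empty password.
    """
    env = os.environ if env is None else env
    if key in env:
        return env[key]
    if secrets_dir is not None:
        path = os.path.join(secrets_dir, key)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                # The mounted file holds the Secret value byte for byte; a
                # trailing newline added by an editor when the Secret was
                # written would otherwise end up inside the password.
                return fh.read().rstrip("\r\n")
    raise KeyError(f"secret {key!r} not found in environment or {secrets_dir!r}")


def build_mongo_uri(username, password, host):
    """Assemble a mongodb+srv URI; user and password are percent-encoded."""
    return f"mongodb+srv://{quote_plus(username)}:{quote_plus(password)}@{host}"


def load_mongo_uri(env=None, secrets_dir=None):
    """Resolve all keys and return the connection string (never log it)."""
    if secrets_dir is None:
        # Assumed variable name, matching the optional env entry in the answer.
        secrets_dir = os.getenv("SECRETS_PATH", "/secrets")
    values = {key: read_secret(key, env, secrets_dir) for key in SECRET_KEYS}
    return build_mongo_uri(values["PYMONGO_USERNAME"],
                           values["PYMONGO_PASSWORD"],
                           values["PYMONGO_URL"])


def example_from_mounted_files():
    """Constructed demo: emulate a Secret volume in a temp dir and read it."""
    sample = {
        "PYMONGO_USERNAME": "app",
        "PYMONGO_PASSWORD": "p@ss:word\n",   # trailing newline on purpose
        "PYMONGO_URL": "cluster0.example.net",
    }
    with tempfile.TemporaryDirectory() as secrets_dir:
        for key, value in sample.items():
            with open(os.path.join(secrets_dir, key), "w", encoding="utf-8") as fh:
                fh.write(value)
        # Empty env mapping forces the file fallback for every key.
        return load_mongo_uri(env={}, secrets_dir=secrets_dir)


if __name__ == "__main__":
    print(example_from_mounted_files())
```

With a real pod, `load_mongo_uri()` with no arguments reads `os.environ` and `SECRETS_PATH`; passing `env` and `secrets_dir` explicitly, as the demo does, keeps local tests independent of the machine they run on. Raising `KeyError` on a missing key is deliberate: a pod whose Secret was not mounted should crash-loop visibly rather than start with `None` credentials.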