使用 Kubernetes Secret for PostgreSQL ENV 导致应用程序 Pod 崩溃

Question

使用 Kubernetes Secret for PostgreSQL ENV 导致应用程序 Pod 崩溃

h1a*_*bel 1 java postgresql spring-boot kubernetes kubernetes-secrets

我在将 Kubernetes Secret 的值注入 Pod env 时遇到问题。我有以下内容pg-secrets.yml：

apiVersion: v1
kind: Secret
metadata:
  name: pg-secrets
type: Opaque
data:
  POSTGRES_USER: cG9zdGdyZXMK
  POSTGRES_PASSWORD: cGFzc3dvcmQK
#   postgres & password

Run Code Online (Sandbox Code Playgroud)

然后我将 POSTGRES_PASSWORD 从它注入到application-deployment.ymlENV：

apiVersion: apps/v1
kind: Deployment
   ...
    spec:
      containers:
        - name: realo
          image: abialiauski/realo
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          env:
            - name: PG_USERNAME
              valueFrom:
                configMapKeyRef:
                  name: realo-configmap
                  key: PG_USERNAME
            - name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: pg-secrets
                  key: POSTGRES_PASSWORD
            - name: PG_HOST
              value: postgres

Run Code Online (Sandbox Code Playgroud)

并有这个application.yml：

spring:
  application:
    name: realo
  datasource:
    username: ${PG_USERNAME}
    password: ${PG_PASSWORD}
    url: jdbc:postgresql://${PG_HOST}:5432/postgres
    driver-class-name: org.postgresql.Driver

Run Code Online (Sandbox Code Playgroud)

因此，启动 PostgreSQL 后，后端应用程序崩溃并拒绝数据库连接，并出现以下异常：

Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
    at org.postgresql.Driver.connect(Driver.java:282) ~[postgresql-42.3.8.jar:42.3.8]
    at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138) ~[HikariCP-4.0.3.jar:na]
    at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:364) ~[HikariCP-4.0.3.jar:na]
    at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:206) ~[HikariCP-4.0.3.jar:na]
    at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:476) ~[HikariCP-4.0.3.jar:na]
    at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:561) ~[HikariCP-4.0.3.jar:na]
    at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:115) ~[HikariCP-4.0.3.jar:na]
    at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:112) ~[HikariCP-4.0.3.jar:na]
    at liquibase.integration.spring.SpringLiquibase.afterPropertiesSet(SpringLiquibase.java:266) ~[liquibase-core-4.9.1.jar:na]
    ... 180 common frames omitted
Caused by: java.lang.IllegalArgumentException: Prohibited character

    at org.postgresql.shaded.com.ongres.saslprep.SaslPrep.saslPrep(SaslPrep.java:105) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.common.stringprep.StringPreparations$2.doNormalize(StringPreparations.java:55) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.common.stringprep.StringPreparations.normalize(StringPreparations.java:65) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.saltedPassword(ScramMechanisms.java:152) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.saltedPassword(ScramFunctions.java:59) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:196) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.Driver.makeConnection(Driver.java:402) ~[postgresql-42.3.8.jar:42.3.8]
    at org.postgresql.Driver.connect(Driver.java:261) ~[postgresql-42.3.8.jar:42.3.8]
    ... 188 common frames omitted

Run Code Online (Sandbox Code Playgroud)

如果我检查 ENV 一切都会好的，但后端仍然失败。

kubectl exec -i -t pod/realo-66856b59b4-bp27r -- /bin/sh -c 'echo "username: $PG_USERNAME\npassword: $PG_PASSWORD\n"'

Run Code Online (Sandbox Code Playgroud)

输出：

username: postgres\npassword: password

Run Code Online (Sandbox Code Playgroud)

Answer 1

小智 5

你用过

$ echo postgres | base64
cG9zdGdyZXMK

Run Code Online (Sandbox Code Playgroud)

生成您的 Base64 编码秘密。

问题是 echo 在其输出中添加了换行符，您应该这样调用它：

$ echo -n postgres | base64
cG9zdGdyZXM=

Run Code Online (Sandbox Code Playgroud)

您也需要对密码执行相同的操作：

$ echo -n password | base64
cGFzc3dvcmQ=

Run Code Online (Sandbox Code Playgroud)

归档时间：	2 年，9 月前
查看次数：	590 次
最近记录：	2 年，9 月前