I am trying to map a Kubernetes secret value to an environment variable. My secret is shown below:
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: opaque
data:
  tls.crt: {{ required "A valid value is required for tls.crt" .Values.tlscrt }}
The key is mapped to an environment variable in the deployment YAML:
env:
  - name: TEST_VALUE
    valueFrom:
      secretKeyRef:
        name: test-secret
        key: tls.crt
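When I do a helm install, the value gets mapped. However, when I do a Helm upgrade, the changed value is not reflected in the environment variable; it still has the old value. Can anyone help?
Best answer
If the ConfigMap is used to store pod environment variables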
ConfigMaps consumed as environment variables are not updated automatically and require a pod restart.
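There are ways to restart the Pod automatically when the ConfigMap changes; see the example here: Helm chart restart pods when configmap changes
If the ConfigMap is mounted as a file
In this case the pod should see the update, although with some delay: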
When a ConfigMap currently consumed in a volume is updated, projected keys are eventually updated as well. The kubelet checks whether the mounted ConfigMap is fresh on every periodic sync. However, the kubelet uses its local cache for getting the current value of the ConfigMap. The type of the cache is configurable using the configMapAndSecretChangeDetectionStrategy field in the KubeletConfiguration struct. A ConfigMap can be either propagated by watch (default), ttl-based, or by redirecting all requests directly to the API server. As a result, the total delay from the moment when the ConfigMap is updated to the moment when new keys are projected to the Pod can be as long as the kubelet sync period + cache propagation delay, where the cache propagation delay depends on the chosen cache type (it equals to watch propagation delay, ttl of cache, or zero correspondingly).
Quoted from https://kubernetes.io/docs/concepts/configuration/configmap/#mounted-configmaps-are-updated-automatically (thanks to @jeremysprofile)
For the issue of Kubernetes pod environment variables not updating when mapped from a secret, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/67875396/