I have an Elixir app connecting to Postgres using SQL proxy.
Here is my deployment.yaml. I deploy on Kubernetes and it works well.
The Postgres connection password and user name are taken by the image from the environment variables in the YAML:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-app
  namespace: production
spec:
  replicas: 1
  revisionHistoryLimit: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-app
        tier: backend
    spec:
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      containers:
        - name: my-app
          image: my-image:1.0.1
          volumeMounts:
            - name: secrets-volume
              mountPath: /secrets
              readOnly: true
            - name: config-volume   # referenced here but not declared under volumes below
              mountPath: /beamconfig
          ports:
            - containerPort: 80
          args:
            - foreground
          env:
            - name: POSTGRES_HOSTNAME
              value: localhost
            - name: POSTGRES_USERNAME
              value: postgres
            - name: POSTGRES_PASSWORD
              value: "123456"   # env values must be strings; an unquoted number is rejected by the API server
        # proxy_container
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy", "--dir=/cloudsql",
                    "-instances=my-project:region:my-postgres-instance=tcp:5432",
                    "-credential_file=/secrets/cloudsql/credentials.json"]
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
            - name: cloudsql
              mountPath: /cloudsql
      # volumes
      volumes:
        - name: secrets-volume
          secret:
            secretName: gcloud-json
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials
        - name: cloudsql
          emptyDir: {}   # an empty object, not null, is required for an emptyDir volume
Now, due to security requirements, I'd like to store the sensitive environment variables encrypted and have a script decrypt them.
My YAML file would look like this:
env:
  - name: POSTGRES_HOSTNAME
    value: localhost
  - name: ENCRYPTED_POSTGRES_USERNAME
    value: hgkdhrkhgrk
  - name: ENCRYPTED_POSTGRES_PASSWORD
    value: fkjeshfke
Then I have a script that runs over all environment variables with the ENCRYPTED_ prefix, decrypts them, and inserts the decrypted value under the environment variable name without the ENCRYPTED_ prefix.
Is there a way to do that?
The environment variables should be injected before the image starts running.
Another requirement is that the pod running the image decrypts the variables, since it's the only one which has permissions to do it (working with Workload Identity). Something like:
- command:
    - sh
    - /decrypt_and_inject_environments.sh
Asked by dina, translated from Stack Overflow.
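One way to do what the question asks, as an added example that is not part of the original post: a POSIX sh entrypoint that replaces each ENCRYPTED_<NAME> variable with a decrypted <NAME> variable and then execs the real container command, so the app only ever sees the plaintext names. The decrypt_value function is an assumption: it stands in for the KMS call the pod's Workload Identity is allowed to make, and uses base64 here only so the script runs offline.

```shell
#!/bin/sh
# decrypt_and_inject_environments.sh (added example, not from the question)
# Turns every ENCRYPTED_<NAME> variable into a plaintext <NAME> variable, then
# hands over to the real container command so the app only ever sees <NAME>.
set -eu

# ASSUMED placeholder: in the pod this would be the KMS decrypt call that the
# pod's Workload Identity is permitted to make, reading the ciphertext from
# stdin. base64 stands in here purely so the script can run offline.
decrypt_value() {
  printf '%s' "$1" | base64 -d
}

inject_decrypted_env() {
  # List only well-formed exported names carrying the prefix; restricting the
  # name to [A-Za-z0-9_] is what makes the eval below safe.
  for name in $(env | sed -n 's/^\(ENCRYPTED_[A-Za-z0-9_]*\)=.*/\1/p'); do
    plain_name="${name#ENCRYPTED_}"
    [ -n "$plain_name" ] || continue       # skip a variable named just ENCRYPTED_
    eval "cipher=\"\$$name\""              # value of the variable called $name
    plain="$(decrypt_value "$cipher")"     # note: trailing newlines are stripped
    export "$plain_name=$plain"
    unset "$name"                          # remove the ciphertext from the app's view
  done
}

# When run as the container command, decrypt and then exec whatever follows
# the script (the image's original entrypoint and args, such as "foreground").
if [ "$#" -gt 0 ]; then
  inject_decrypted_env
  exec "$@"
fi
```

Because the plaintext only exists in the environment of the process this script execs, the script has to be the container's command with the image's own entrypoint and args appended after it; the decrypted values are still readable from /proc/<pid>/environ by anything that can read the app process, so this narrows exposure to the pod rather than eliminating it.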