Kubernetes volume binding results in stale data



My Kubernetes Deployment is written like this:

# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1 is the current API
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: "{{ .Release.Name }}-{{ .Values.web.service.name }}"
  namespace: "{{ .Values.namespace }}"
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      name: "{{ .Values.web.deployment.selector }}"
  template:
    metadata:
      labels:
        name: "{{ .Values.web.deployment.selector }}"
    spec:
      {{- if $.Values.vault.serviceAccount }}
      serviceAccountName: "{{ $.Release.Name }}-vault-auth"
      automountServiceAccountToken: true
      {{- end }}
      volumes:
        # consul-template renders config.json into this volume
        - name: shared-data
          emptyDir: {}
        # tmpfs-backed: the Vault token never touches node disk
        - name: vault-token
          emptyDir:
            medium: Memory
        - name: company-config
          configMap:
            name: "{{ .Release.Name }}-config"
            items:
              - key: companyRootCA.crt
                path: companyRootCA.crt
        - name: vault-consul-config
          configMap:
            name: "{{ .Release.Name }}-vault-configmap"
            items:
              - key: vault_agent.hcl
                path: vault_agent.hcl
              - key: consul_template_config.hcl
                path: consul_template_config.hcl
              - key: config.tmpl
                path: config.tmpl
      containers:
        - name: vault-agent-auth
          image: vault
          volumeMounts:
            - name: company-config
              mountPath: /etc/pki/ca-trust/source/anchors/companyRootCA.crt
              subPath: companyRootCA.crt
            - name: vault-consul-config
              mountPath: /etc/vault/vault_agent.hcl
              subPath: vault_agent.hcl
            - name: vault-token
              mountPath: /home/vault/
          env:
            - name: VAULT_ADDR
              value: "{{ .Values.vault.endpoint }}"
            - name: VAULT_NAMESPACE
              value: "company/devops/tarchon/{{ .Values.environmentName }}"
          args:
            [
              "agent",
              "-config=/etc/vault/vault_agent.hcl",
              "-log-level=debug"
            ]
        - name: consul-template
          image: hashicorp/consul-template:alpine
          imagePullPolicy: Always
          volumeMounts:
            - name: company-config
              mountPath: /etc/pki/ca-trust/source/anchors/companyRootCA.crt
              subPath: companyRootCA.crt
            - name: vault-consul-config
              mountPath: /etc/consul-template/consul_template_config.hcl
              subPath: consul_template_config.hcl
            - name: vault-token
              mountPath: /home/vault
            - name: vault-consul-config
              mountPath: /etc/templates/config.tmpl
              subPath: config.tmpl
            # whole-directory mount: the writer side of shared-data
            - name: shared-data
              mountPath: /etc/secrets
          env:
            - name: HOME
              value: /home/vault
            - name: VAULT_ADDR
              value: "{{ .Values.vault.endpoint }}"
            - name: VAULT_NAMESPACE
              value: "company/devops/tarchon/{{ .Values.environmentName }}"
          args:
            [
              "-config=/etc/consul-template/consul_template_config.hcl",
              "-log-level=trace",
            ]
        - name: "{{ .Values.web.service.name }}"
          image: "{{ .Values.image.registry }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
          args: [
            "bash",
            "-c",
            "python manage.py collectstatic --noinput && gunicorn --bind :8000 --workers 3 ecops_cross_team_platform_backend.wsgi:application"
          ]
          volumeMounts:
            # single-file subPath mount: the reader side, and the subject of this question
            - name: shared-data
              mountPath: /usr/src/app/config.json
              subPath: config.json
          {{- if $.Values.environmentVariables }}
          env:
            {{- range $key, $value := $.Values.environmentVariables }}
            - name: {{ $key }}
              valueFrom:
                configMapKeyRef:
                  name: "{{ $.Release.Name }}-config"
                  key: {{ $key | quote }}
            {{- end }}
          {{- end }}
          ports:
            - containerPort: {{ .Values.web.service.port }}
          resources: {}
      restartPolicy: Always
status: {}

consul-template generates a file /etc/secrets/config.json, containing credentials obtained from HashiCorp Vault, in the shared volume shared-data.

In my application container I bind the file at a different path (/usr/src/app/config.json), because the application expects the file in a different directory from the one where consul-template generates it.

The problem is that whenever config.json is updated in the volume mounted in the consul-template container, the change is not propagated to the other container, so I end up with the application container holding stale, non-working data.

At first I thought the problem was caused by the readOnly volumeMount option, but removing it did not make the problem go away.

As anmol said in the comments, this is indeed caused by binding a single file out of the directory with subPath.

The solution is to remove subPath and bind the shared-data volume to a single-purpose folder (i.e. /usr/src/app/credentials), so that nothing else breaks.

Solution:

volumeMounts:
  - name: shared-data
    mountPath: /usr/src/app/credentials

Instead of:

volumeMounts:
  - name: shared-data
    mountPath: /usr/src/app/config.json
    subPath: config.json
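Why the subPath mount goes stale while the directory mount does not: the kubelet implements a subPath mount of a single file as a bind mount of that file, which is pinned to the inode that existed when the container started. consul-template (like the kubelet's own ConfigMap/Secret writer, which is why the Kubernetes documentation says subPath mounts of those volumes never receive updates) replaces a rendered file by writing a temporary file and renaming it over the target, so the path now names a new inode and the bind mount keeps showing the old one. A whole-directory mount resolves the path on every open and therefore sees the new file. The script below is an added illustration, not code from the question or answer above; it models the inode-pinned bind mount with a file descriptor held open on the original inode, and the directory mount with a fresh path lookup. The paths and JSON contents are constructed for the demonstration.

```python
"""Model of a subPath (single-file) mount versus a directory mount when the
writer replaces the file by rename(). Constructed example, not from the page."""
import os
import tempfile


def atomic_write(path: str, data: bytes) -> None:
    """Write the way consul-template and the kubelet's atomic writer do:
    write a temp file next to the target, fsync it, then rename() it over
    the target. Afterwards the path names a NEW inode; the old inode lives
    on only for whoever still has it open or bind-mounted."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def simulate(directory: str) -> dict:
    """Render a credential file twice and report what each consumer sees.

    subpath_view   - models `subPath: config.json`: pinned to the inode that
                     existed when the pod started (held here as an open fd).
    directory_view - models mounting the volume at /usr/src/app/credentials:
                     every read resolves the path afresh.
    """
    path = os.path.join(directory, "config.json")
    atomic_write(path, b'{"token": "v1"}')  # first render by consul-template

    # The subPath consumer binds to whatever inode the path has right now.
    bound_fd = os.open(path, os.O_RDONLY)
    bound_inode = os.fstat(bound_fd).st_ino

    # The Vault lease rotates; consul-template renders new credentials in place.
    atomic_write(path, b'{"token": "v2"}')

    os.lseek(bound_fd, 0, os.SEEK_SET)
    subpath_view = os.read(bound_fd, 4096)   # still the old bytes
    os.close(bound_fd)

    with open(path, "rb") as f:              # fresh lookup: new inode, new bytes
        directory_view = f.read()

    return {
        "subpath_view": subpath_view,
        "directory_view": directory_view,
        "inode_changed": os.stat(path).st_ino != bound_inode,
    }


def run_demo() -> dict:
    """Run the simulation in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        return simulate(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

To confirm the same effect in a live pod, compare the inode the writer and the reader see after a re-render, for example with `kubectl exec <pod> -c consul-template -- stat -c %i /etc/secrets/config.json` against the same command in the application container on /usr/src/app/config.json; with the subPath mount the numbers diverge after the first rotation. Two practitioner caveats that follow from the mechanism: the application must also re-open the file (or be restarted) when it changes, since a long-lived open handle is pinned to an inode in exactly the same way; and because shared-data is a plain emptyDir, the rendered Vault credentials sit on node disk, whereas `emptyDir: {medium: Memory}`, as already used for vault-token, keeps them in tmpfs.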
