From c652f4845f2a7cae8b82a5bf32ed8496c86f464d Mon Sep 17 00:00:00 2001
From: Denis Patrakeev
Date: Tue, 4 Mar 2025 15:01:13 +0300
Subject: [PATCH] [hotfix] fix config postgres_exporter 10 (!90)

Co-authored-by: denis.patrakeev
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/90
---
 README.md | 28 ++++++++++++++++++-
 .../postgres-exporter/values-override.yaml | 16 +++++------
 2 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 27593ed..144d350 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ spec:
 containers:
 - name: alpine
 image: alpine
- command: ["sh", "-c", "echo ${FOO} && echo going to sleep... && sleep 10000"]
+ command: ["sh", "-c", "echo ${FOO} && echo ${FOO_1} && echo going to sleep... && sleep 10000"]
 resources:
 requests:
 cpu: 50m
@@ -102,6 +102,11 @@ spec:
 env: # вариант когда секрет будет в переменную окружения
 - name: FOO # переменная окружения куда попадет секрет
 value: vault:sandbox/data/k8s/vault-test#FOO # путь до секрета
+ - name: FOO_1 # пример задания переменной окружения из секретв
+ valueFrom:
+ secretKeyRef:
+ name: vault-test-secret
+ key: FOO_1
 ---
 # вариант когда секрет нужно поместить в файл конфигурации приложения
 apiVersion: v1
@@ -127,4 +132,25 @@ data:
 destination = "/vault/secrets/config.yaml" # тут указан конечный файл конфигурации вашего приложения
 }
 EOF
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-test-secret
+ namespace: sandbox
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "sandbox"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
+type: Opaque
+data:
+ FOO_1: dmF1bHQ6c2FuZGJveC9kYXRhL2s4cy92YXVsdC10ZXN0I0ZPTw==
+```
+
+В секрете строку с адресом секрета Bank Vault необходимо преобразовать в base64, это делается следующим образом:
+```bash
+# !!ВАЖНО!!
+# ключ "-n" необходимо при преобразования для того чтобы в конце отсечь лишний символ перевода строки
+echo -n "vault:sandbox/data/k8s/vault-test#FOO" | base64
 ```
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/postgres-exporter/values-override.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/postgres-exporter/values-override.yaml
index fe1ccc2..d770eb8 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/postgres-exporter/values-override.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/postgres-exporter/values-override.yaml
@@ -21,14 +21,6 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name: vault
 
-# The securityContext of the pod.
-# See https://kubernetes.io/docs/concepts/policy/security-context/ for more.
-podSecurityContext: []
-
-# The securityContext of the container.
-# See https://kubernetes.io/docs/concepts/policy/security-context/ for more.
-securityContext: []
-
 config:
 ## The datasource properties on config are passed through helm tpl function.
 ## ref: https://helm.sh/docs/developing_charts/#using-the-tpl-function
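Review bot: With `podSecurityContext: []` and `securityContext: []` removed in the `@@ -21,14 +21,6 @@ serviceAccount:` hunk, the exporter pod and container fall back to whatever the upstream chart's values.yaml defines, and neither this override file nor the commit message records what that posture is. The deleted values were lists where Kubernetes expects a mapping, so dropping them is plausibly the actual "fix config" here, but an explicit override would make the intent reviewable, e.g. a block mapping `securityContext:` / `  runAsNonRoot: true` / `  readOnlyRootFilesystem: true` (indented like the rest of the file), or at least a comment `# securityContext left to chart defaults on purpose — see chart values.yaml`. The webhook `run-as-*`/`readonly-root-fs` annotations added further down this file (hunks `@@ -62` and `@@ -70`) are, as far as I can tell, applied by the webhook to the injected vault-env init container rather than to the exporter container, so they do not replace the removed settings — please confirm against the webhook documentation for the version deployed.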
@@ -62,6 +54,10 @@ annotations:
 vault.security.banzaicloud.io/vault-role: "cloud-prod"
 vault.security.banzaicloud.io/vault-skip-verify: "false"
 vault.security.banzaicloud.io/vault-path: "avroid-office"
+ vault.security.banzaicloud.io/run-as-non-root: "true"
+ vault.security.banzaicloud.io/run-as-user: "1001"
+ vault.security.banzaicloud.io/run-as-group: "1001"
+ vault.security.banzaicloud.io/readonly-root-fs: "true"
 
 # Labels and annotations to attach to the deployment resource
 deployment:
@@ -70,3 +66,7 @@ deployment:
 vault.security.banzaicloud.io/vault-role: "cloud-prod"
 vault.security.banzaicloud.io/vault-skip-verify: "false"
 vault.security.banzaicloud.io/vault-path: "avroid-office"
+ vault.security.banzaicloud.io/run-as-non-root: "true"
+ vault.security.banzaicloud.io/run-as-user: "1001"
+ vault.security.banzaicloud.io/run-as-group: "1001"
+ vault.security.banzaicloud.io/readonly-root-fs: "true"
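Review bot: The four `run-as-non-root`/`run-as-user`/`run-as-group`/`readonly-root-fs` annotations are added verbatim both here under the pod `annotations:` and again in the following `@@ -70,3 +66,7 @@ deployment:` hunk, with no note on which copy is effective. As far as I recall the vault-secrets-webhook reads annotations from the pod template only and uses these particular keys for the securityContext of the init container it injects, so the Deployment-level copy is inert unless the chart propagates it to the pod — worth confirming against the webhook version in use before relying on it for hardening. If the duplication is deliberate (it mirrors the existing vault-* keys), a comment next to the second block such as `# run-as-*/readonly-root-fs target the webhook's injected init container; the pod-template copy above is the one the webhook reads` would stop the next reader from treating both as required. `run-as-user: "1001"` is a fixed UID with nothing tying it to the exporter image's user; a one-line comment on where 1001 comes from would help.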