用服务帐户或其他方式安装client.crt、client.key、ca.crt？

Question

以前是否有人使用服务帐户从正在运行的作业中挂载ssl证书来访问aws集群？我们该怎么做？我创建了作业，这是来自失败容器的输出，导致Pod处于错误状态。

Error in configuration:
* unable to read client-cert /client.crt for test-user due to open /client.crt: no such file or directory
* unable to read client-key /client.key for test-user due to open /client.key: no such file or directory
* unable to read certificate-authority /ca.crt for test-cluster due to open /ca.crt: no such file or director

Answer 1

解决方案是创建一个包含证书的Secret，然后让作业引用它。

步骤1.创建秘密：

kubectl create secret generic job-certs --from-file=client.crt --from-file=client.key --from-file=ca.crt

步骤2.作业清单中的引用秘密。您必须在作业中插入volumes和volumeMounts。

spec:
  volumes:
  - name: ssl
    secret:
      secretName: job-certs
  containers:
    volumeMounts:
    - mountPath: "/etc/ssl"
      name: "ssl"