Merge pull request #52148 from windsonsea/envfil

[zh] Add 2025-09-01-introducing-env-files/

Author: k8s-ci-robot

content/zh-cn/blog/_posts/2025-09-01-introducing-env-files/index.md

@@ -0,0 +1,150 @@
+---
+layout: blog
+title: "Kubernetes v1.34: 使用 Init 容器定义应用环境变量"
+date: 2025-09-01
+slug: kubernetes-v1-34-env-files
+author: >
+  HirazawaUi
+translator: Michael Yao (DaoCloud)
+---
+<!--
+layout: blog
+title: "Kubernetes v1.34: Use An Init Container To Define App Environment Variables"
+date: 2025-09-01
+draft: true
+slug: kubernetes-v1-34-env-files
+author: >
+  HirazawaUi
+-->
+
+<!--
+Kubernetes typically uses ConfigMaps and Secrets to set environment variables,
+which introduces additional API calls and complexity,
+For example, you need to separately manage the Pods of your workloads 
+and their configurations, while ensuring orderly 
+updates for both the configurations and the workload Pods.
+
+Alternatively, you might be using a vendor-supplied container 
+that requires environment variables (such as a license key or a one-time token),
+but you don’t want to hard-code them or mount volumes just to get the job done.
+-->
+Kubernetes 通常使用 ConfigMap 和 Secret 来设置环境变量，
+这会引入额外的 API 调用和复杂性。例如，你需要分别管理工作负载的 Pod 和它们的配置，
+同时还要确保配置和工作负载 Pod 的有序更新。
+
+另外，你可能在使用一个供应商提供的、需要环境变量（例如许可证密钥或一次性令牌）的容器，
+但你又不想对这些变量进行硬编码，或者仅仅为了完成工作而挂载卷。
+
+<!--
+If that's the situation you are in, you now have a new (alpha) way to
+achieve that. Provided you have the `EnvFiles`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+enabled across your cluster, you can tell the kubelet to load a container's
+environment variables from a volume (the volume must be part of the Pod that
+the container belongs to).
+this feature gate allows you to load environment variables directly from a file in an emptyDir volume
+without actually mounting that file into the container.
+It’s a simple yet elegant solution to some surprisingly common problems.
+-->
+如果你正面对这种情况，现在有一种新的（Alpha）方式来实现。只要你在集群中启用了 `EnvFiles`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+你就可以告诉 kubelet 从一个卷中加载容器的环境变量（此卷必须是容器所属的 Pod）。
+这个特性门控允许你直接从 `emptyDir` 卷中的文件加载环境变量，而不需要将该文件实际挂载到容器中。
+这是一个简单而优雅的解决方案，可以应对一些出乎意料的常见问题。
+
+<!--
+## What’s this all about?
+At its core, this feature allows you to point your container to a file,
+one generated by an `initContainer`,
+and have Kubernetes parse that file to set your environment variables.
+The file lives in an `emptyDir` volume (a temporary storage space that lasts as long as the pod does),
+Your main container doesn’t need to mount the volume.
+The kubelet will read the file and inject these variables when the container starts.
+-->
+## 特性概述  {#what-s-this-all-about}
+
+从核心上来说，这个特性允许你将容器指向一个文件，该文件由 `initContainer` 生成，
+然后让 Kubernetes 解析该文件以设置你的环境变量。此文件位于一个 `emptyDir`
+卷中（这是一种临时存储空间，只要 Pod 存在就会保留），你的主容器不需要挂载此卷。
+kubelet 会在容器启动时读取文件并注入这些变量。
+
+<!--
+## How It Works
+Here's a simple example:
+-->
+## 工作原理  {#how-it-works}
+
+这里有一个简单的例子：
+
+```yaml
+apiVersion: v1
+kind: Pod
+spec:
+  initContainers:
+  - name: generate-config
+    image: busybox
+    command: ['sh', '-c', 'echo "CONFIG_VAR=HELLO" > /config/config.env']
+    volumeMounts:
+    - name: config-volume
+      mountPath: /config
+  containers:
+  - name: app-container
+    image: gcr.io/distroless/static
+    env:
+    - name: CONFIG_VAR
+      valueFrom:
+        fileKeyRef:
+          path: config.env
+          volumeName: config-volume
+          key: CONFIG_VAR
+  volumes:
+  - name: config-volume
+    emptyDir: {}
+```
+
+<!--
+Using this approach is a breeze.
+You define your environment variables in the pod spec using the `fileKeyRef` field,
+which tells Kubernetes where to find the file and which key to pull.
+The file itself resembles the standard for .env syntax (think KEY=VALUE),
+and (for this alpha stage at least) you must ensure that it is written into
+an `emptyDir` volume. Other volume types aren't supported for this feature.
+At least one init container must mount that `emptyDir` volume (to write the file),
+but the main container doesn’t need to—it just gets the variables handed to it at startup.
+-->
+使用这种方法非常简单。你在 Pod 规约中使用 `fileKeyRef` 字段定义环境变量，
+此字段告诉 Kubernetes 去哪里找到文件以及要提取哪个键。
+此文件本身类似于 `.env` 语法的标准格式（即 `KEY=VALUE`），
+并且（至少在这个 Alpha 阶段）你必须确保它被写入到一个 `emptyDir` 卷中。
+其他类型的卷在此特性中不受支持。至少有一个 Init 容器必须挂载该 `emptyDir` 卷（以写入文件），
+但主容器不需要挂载它——它在启动时就能直接获取这些变量。
+
+<!--
+## A word on security
+While this feature supports handling sensitive data such as keys or tokens, 
+note that its implementation relies on `emptyDir` volumes mounted into pod.
+Operators with node filesystem access could therefore 
+easily retrieve this sensitive data through pod directory paths.
+
+If storing sensitive data like keys or tokens using this feature,
+ensure your cluster security policies effectively protect nodes
+against unauthorized access to prevent exposure of confidential information.
+-->
+## 关于安全性  {#a-word-on-security}
+
+虽然此特性支持处理密钥或令牌等敏感数据，但需要注意它的实现依赖于挂载到 Pod 的 `emptyDir` 卷。
+具有节点文件系统访问权限的操作人员因此可以通过 Pod 目录路径轻易获取这些敏感数据。
+
+如果使用此特性存储密钥或令牌等敏感数据，确保你的集群安全策略能够有效保护节点免受未经授权的访问，
+以防止机密信息泄露。
+
+<!--
+## Summary
+This feature will eliminate a number of complex workarounds used today, simplifying
+apps authoring, and opening doors for more use cases. Kubernetes stays flexible and
+open for feedback. Tell us how you use this feature or what is missing.
+-->
+## 总结 {#summary}
+
+此特性将消除如今使用的许多复杂变通方法，简化应用编写，并为更多使用场景打开大门。
+Kubernetes 保持灵活性，欢迎反馈。请告诉我们你是如何使用这个特性的，或者此特性还缺少什么。