Kubernetes part 11: Using Secrets

A Secret is used much like a ConfigMap and supports two ways of being consumed:

  • Exposing the Secret to the container process as environment variables.
  • Providing the Secret to the container process through a volume.

Why do we need a Secret at all?

A Secret, as the name suggests, is the object used to store sensitive data.

[root@master01 template]# kubectl create secret
Create a secret using specified subcommand.

Available Commands:
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret

Example 1: create a generic Secret

kubectl create secret generic nginx-ssl --from-file=ca.key --from-file=ca.cert

Example 2: create a docker-registry Secret

kubectl create secret docker-registry my-secret --docker-server=192.168.31.112 \
  --docker-username=admin --docker-password=123456 --docker-email=it@aa.com -n test

Example 3: create a TLS Secret

openssl genrsa -out rest.key 2048
openssl req -new -x509 -key rest.key -out rest.crt \
  -subj /C=CN/ST=Beijing/L=Beijing/O=DevOpes/CN=restapi.aa.com
# "rest-tls" is a placeholder name: `create secret tls` requires a NAME argument
kubectl create secret tls rest-tls --cert=rest.crt --key=rest.key
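All three kubectl forms above produce the same kind of object, a Secret, differing only in its `type` and key names. The Python below is an added example, not code from the original post or from kubectl; it models what each command produces so the result can be inspected offline: an Opaque Secret for `generic` (with kubectl's `--from-file=[key=]path` rule, where a missing key defaults to the file basename), a `kubernetes.io/dockerconfigjson` Secret holding a Docker config for `docker-registry`, and a `kubernetes.io/tls` Secret with the fixed keys `tls.crt` and `tls.key`. The file contents in `SAMPLE_FILES` are constructed stand-ins. `decode_secret` makes the security-relevant point explicit: `data` values are base64-encoded, not encrypted, so anyone allowed to read the object can recover them.

```python
import base64
import json
import os

# Constructed stand-ins for the files the page's commands read from disk, keyed by
# normalised path, so the example runs offline without touching the filesystem.
SAMPLE_FILES = {
    "ca.key": b"-----BEGIN PRIVATE KEY-----\nconstructed-key\n-----END PRIVATE KEY-----\n",
    "ca.cert": b"-----BEGIN CERTIFICATE-----\nconstructed-cert\n-----END CERTIFICATE-----\n",
    "username.txt": b"admin",
    "password.txt": b"123456",
    "rest.key": b"-----BEGIN PRIVATE KEY-----\nconstructed-key\n-----END PRIVATE KEY-----\n",
    "rest.crt": b"-----BEGIN CERTIFICATE-----\nconstructed-cert\n-----END CERTIFICATE-----\n",
}


def b64(raw: bytes) -> str:
    """Secret.data values are base64 text: an encoding, not encryption."""
    return base64.b64encode(raw).decode("ascii")


def read_file(path: str, files=SAMPLE_FILES) -> bytes:
    """Look up a constructed file by its normalised path ('./username.txt' -> 'username.txt')."""
    return files[os.path.normpath(path)]


def parse_from_file(spec: str):
    """--from-file=[key=]path: without an explicit key, kubectl uses the file basename."""
    if "=" in spec:
        key, path = spec.split("=", 1)
    else:
        path = spec
        key = os.path.basename(path)
    return key, path


def _secret(name: str, secret_type: str, data: dict) -> dict:
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": name}, "data": data}


def generic_secret(name, from_file=(), from_literal=()):
    """Model of `kubectl create secret generic` (type Opaque)."""
    data = {}
    for spec in from_file:
        key, path = parse_from_file(spec)
        data[key] = b64(read_file(path))
    for lit in from_literal:
        key, value = lit.split("=", 1)
        data[key] = b64(value.encode())
    return _secret(name, "Opaque", data)


def docker_registry_secret(name, server, username, password, email):
    """Model of `kubectl create secret docker-registry`: one key, .dockerconfigjson,
    holding a Docker config.json whose 'auth' field is base64(user:password)."""
    entry = {"username": username, "password": password, "email": email,
             "auth": b64(f"{username}:{password}".encode())}
    config = {"auths": {server: entry}}
    return _secret(name, "kubernetes.io/dockerconfigjson",
                   {".dockerconfigjson": b64(json.dumps(config).encode())})


def tls_secret(name, cert_path, key_path):
    """Model of `kubectl create secret tls`: type kubernetes.io/tls with fixed key names."""
    return _secret(name, "kubernetes.io/tls",
                   {"tls.crt": b64(read_file(cert_path)), "tls.key": b64(read_file(key_path))})


def decode_secret(manifest: dict) -> dict:
    """Recover the plaintext of every key: base64 is reversible by anyone who can
    read the object (kubectl get secret -o yaml, etcd, a cluster backup)."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in manifest["data"].items()}


def registry_credentials(manifest: dict) -> dict:
    """Parse a dockerconfigjson Secret back into its 'auths' map."""
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))["auths"]


if __name__ == "__main__":
    s = generic_secret("shibo-secret", from_file=["./username.txt", "./password.txt"])
    print(sorted(s["data"]))  # keys are file basenames: ['password.txt', 'username.txt']
    s = generic_secret("shibo-secret",
                       from_file=["username=./username.txt", "password=./password.txt"])
    print(decode_secret(s))   # {'username': 'admin', 'password': '123456'}
    print(registry_credentials(docker_registry_secret(
        "my-secret", "192.168.31.112", "admin", "123456", "it@aa.com")))
```

The first two calls in the usage section show the difference between `--from-file=./username.txt` (key `username.txt`) and `--from-file=username=./username.txt` (key `username`); the Pod manifests later on this page reference the key `username`, so the explicit form is the one that matches them. The registry Secret shows that the password is stored twice inside `.dockerconfigjson`, once as a field and once inside `auth`, both only base64-encoded, which is why read access to Secrets (and to etcd or backups containing them) should be restricted to the accounts that need it.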

Mounting methods

1) As environment variables

apiVersion: v1
kind: Pod
metadata:
  name: secret1-pod
spec:
  containers:
  - name: secret1
    image: busybox
    command: [ "/bin/sh", "-c", "env" ]
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password

Create the Secret that the following manifests reference:

[root@k8s-master01 ~]# kubectl create secret generic shibo-secret --from-file=username=./username.txt --from-file=password=./password.txt

The key=path form matters here: a bare --from-file=./username.txt names the key after the file (username.txt), the secretKeyRef below (key: username) would then not resolve, and the container would fail to start with CreateContainerConfigError.

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: shibo-secret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: shibo-secret
            key: password
  restartPolicy: Never

2) As a volumeMount

Fragment of a Pod spec that mounts the nginx-ssl Secret from example 1 (volumeMounts sits under the container, volumes under the Pod spec):

    volumeMounts:
    - mountPath: /home/nginx/nginx/conf/cert/
      name: nginx-ssl
  volumes:
  - name: nginx-ssl
    secret:
      secretName: nginx-ssl

A complete Pod that mounts only the username key of shibo-secret, read-only, under a chosen path:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: data
      mountPath: "/etc/data"
      readOnly: true
  volumes:
  - name: data
    secret:
      secretName: shibo-secret
      items:
      - key: username
        path: my-group/my-username


Note that in this case:
username is stored at /etc/data/my-group/my-username
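The two manifests above only work if the Secret really carries keys named username and password, and the file path a key lands at is mountPath joined with the item's path (or the key name when no items list is given). As an added pre-deployment check, example code that is not part of the original post, the Python below walks a Pod spec the way the kubelet resolves it: it lists every secretKeyRef and Secret volume, reports references that would fail at Pod start, and computes the container path of each key, reproducing the /etc/data/my-group/my-username result noted above. The Pod dicts mirror this page's YAML (the nginx fragment is wrapped in a minimal Pod); the Secret key sets are constructed to show both what a bare --from-file produces and what the key=path form produces.

```python
import posixpath

# Constructed key sets: what `--from-file=./username.txt --from-file=./password.txt`
# creates (keys are file basenames) versus the `key=path` form. Values do not matter here.
SECRET_BASENAME_KEYS = {"name": "shibo-secret", "keys": {"username.txt", "password.txt"}}
SECRET_EXPLICIT_KEYS = {"name": "shibo-secret", "keys": {"username", "password"}}
SECRET_NGINX_SSL = {"name": "nginx-ssl", "keys": {"ca.key", "ca.cert"}}

# The page's Pod manifests as dicts.
SECRET_ENV_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secret-env-pod"},
    "spec": {"restartPolicy": "Never", "containers": [{
        "name": "mycontainer", "image": "redis",
        "env": [
            {"name": "SECRET_USERNAME",
             "valueFrom": {"secretKeyRef": {"name": "shibo-secret", "key": "username"}}},
            {"name": "SECRET_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "shibo-secret", "key": "password"}}},
        ]}]}}
MYPOD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
    "spec": {
        "containers": [{"name": "mypod", "image": "redis", "volumeMounts": [
            {"name": "data", "mountPath": "/etc/data", "readOnly": True}]}],
        "volumes": [{"name": "data", "secret": {
            "secretName": "shibo-secret",
            "items": [{"key": "username", "path": "my-group/my-username"}]}}]}}
NGINX_POD = {  # the volumeMounts/volumes fragment wrapped in a minimal Pod (constructed)
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {
        "containers": [{"name": "nginx", "image": "nginx", "volumeMounts": [
            {"name": "nginx-ssl", "mountPath": "/home/nginx/nginx/conf/cert/"}]}],
        "volumes": [{"name": "nginx-ssl", "secret": {"secretName": "nginx-ssl"}}]}}


def secret_refs(pod):
    """Yield (where, secret_name, key, optional) for every Secret reference in a Pod.
    key is None when a volume projects the whole Secret (no items list)."""
    spec = pod["spec"]
    for c in spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                yield (f"container {c['name']} env {env['name']}",
                       ref["name"], ref["key"], ref.get("optional", False))
    for v in spec.get("volumes", []):
        sec = v.get("secret")
        if not sec:
            continue
        items = sec.get("items") or [{"key": None}]
        for item in items:
            yield (f"volume {v['name']}", sec["secretName"], item["key"],
                   sec.get("optional", False))


def check_pod_secret_refs(pod, secrets):
    """Return the references that would fail at Pod start (CreateContainerConfigError for
    env, a mount that never completes for volumes); an empty list means all resolve."""
    keys_by_name = {s["name"]: s["keys"] for s in secrets}
    problems = []
    for where, sname, key, optional in secret_refs(pod):
        available = keys_by_name.get(sname)
        if available is None:
            problem = f"Secret {sname!r} does not exist"
        elif key is not None and key not in available:
            problem = f"key {key!r} not in Secret {sname!r} (available: {sorted(available)})"
        else:
            continue
        if not optional:  # optional: true turns a missing Secret or key into a no-op
            problems.append(f"{where}: {problem}")
    return problems


def mounted_paths(pod, secrets):
    """Map each in-container file path to the (secret, key) it is projected from."""
    keys_by_name = {s["name"]: s["keys"] for s in secrets}
    vol_secret = {v["name"]: v["secret"] for v in pod["spec"].get("volumes", []) if "secret" in v}
    paths = {}
    for c in pod["spec"].get("containers", []):
        for m in c.get("volumeMounts", []):
            sec = vol_secret.get(m["name"])
            if sec is None:
                continue
            items = sec.get("items")
            pairs = ([(i["key"], i["path"]) for i in items] if items
                     else [(k, k) for k in sorted(keys_by_name.get(sec["secretName"], ()))])
            for key, rel in pairs:
                paths[posixpath.join(m["mountPath"], rel)] = (sec["secretName"], key)
    return paths


if __name__ == "__main__":
    print(check_pod_secret_refs(SECRET_ENV_POD, [SECRET_BASENAME_KEYS]))  # two unresolved keys
    print(mounted_paths(MYPOD, [SECRET_EXPLICIT_KEYS]))  # {'/etc/data/my-group/my-username': ...}
```

Run against the Secret as a bare --from-file would create it, both Pods report unresolved keys; against the explicit-key Secret they resolve, and mounted_paths shows username at /etc/data/my-group/my-username, while the nginx fragment, which has no items list, gets one file per key (ca.key and ca.cert) under its cert directory.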

Posted 2020-08-13 00:20 by 个人成长之路