Configmap&Secret使用小技巧
一、使用subpath解决挂载覆盖的问题
1.1 问题描述
当我们创建deploy等资源时,如果需要将某个配置文件挂载至pod中,但是pod的文件夹下又有很多其他的文件,如果直接填写挂载文件夹,则会导致目录被覆盖!
nginx.conf配置文件在/etc/nginx目录下,如果在deploy等资源的yaml文件中,volume配置的路径为/etc/nginx,那么pod中/etc/nginx目录下的其他文件则会被覆盖,仅有configmap中配置的文件!
准备nginx配置文件:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 512; # 由原本的1024修改为512
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
根据nginx.conf创建configmap!
$ kubectl create cm nginx-conf --from-file=nginx.conf
在dpeloy资源的yaml文件中,修改mountPath!
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-mount
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: 192.168.99.181:5000/wod/nginx:1.15.1
name: nginx
# 使用新建的configmap挂载至pod中/etc/nginx目录下替换原有的nginx.conf
volumeMounts:
- name: conf
mountPath: /etc/nginx/
volumes:
- name: conf
configMap:
name: nginx-conf
创建资源,查看效果!
$ kubectl apply -f nginx-deploy.yaml
$ kubectl logs -f nginx-mount-f8c96c9ff-xb9tk
2021/12/29 09:35:00 [emerg] 1#1: open() "/etc/nginx/mime.types" failed (2: No such file or directory) in /etc/nginx/nginx.conf:14
nginx: [emerg] open() "/etc/nginx/mime.types" failed (2: No such file or directory) in /etc/nginx/nginx.conf:1
根据报错信息可以看到,pod在启动的时候缺少文件!
1.2 问题解决
在mountPath中配置要挂载的文件名,下方增加节点subPath,填写要挂载的文件名!
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-mount
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: 192.168.99.181:5000/wod/nginx:1.15.1
name: nginx
# 以文件的形式挂载这一个文件
volumeMounts:
- name: conf
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
volumes:
- name: conf
configMap:
name: nginx-conf
修改yaml文件后进行资源重建替换!
$ kubectl replace -f nginx-deploy.yaml
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-mount-5fb55b894c-2zdxr 1/1 Running 0 98s
登录进新建pod资源中查看配置文件挂载路径!
$ kubectl exec nginx-mount-5fb55b894c-2zdxr -- cat /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 512; # 由原本的1024修改为512
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
二、设置不可变Configmap&Secret
从 v1.19 开始,你可以添加一个 immutable
字段到 ConfigMap 定义中,创建不可变更的 ConfigMap!
当我们创建的ConfigMap或者Secret后,如果不希望他们可以被修改,那么可以在yaml文件中添加如下参数:
immutable: true
apiVersion: v1
data:
redis.conf: |
port 6379
bind 127.0.0.1
immutable: true # 添加该字段
kind: ConfigMap
metadata:
name: redis-conf
当我们再次进去编辑,修改其中的配置时,则会提示配置文件不可修改!
两种解决方法:
-
使用:q!强制退出,取消修改
-
如果要修改,只有取消immutable的设置
三、Configmap&Secret热更新
注意:
使用ConfigMap或Secret时需要提前进行创建
- 使用时,对应的key必须是存在的,否则会报错
- 使用envFrom、valueFrom时,无法热更新环境变量
- 使用envFrom配置环境变量时,如果key是无效的,那么会忽略掉无效的key
- ConfigMap和Secret必须要和Pod或者是引用它的资源在同一个namespace下
- 如果使用了subPath也是无法热更新的
- ConfigMap和Secret最好不要太大
*************** 当你发现自己的才华撑不起野心时,就请安静下来学习吧!***************