10 . Kubernetes之Configmap,Secret
configmap简介
Configmap和Secret类似,都是用来存储配置数据的Kubernetes资源对象,所有的配置内容都存储在etcd中.
配置容器化应用的方式:
# 1. 自定义命令行参数
# args:
# 2. 把配置文件直接配进镜像
# 3. 环境变量
# 1. Cloud Native的应用程序一般可直接通过环境变量加载配置:
# 2. 通过entrypoint脚本来预处理变量为配置文件中的配置信息:
# 4. 存储卷
整个configmap放的是多个键值对(键值数据),每个key可以只代表一个配置信息或参数,也可以是一整个配置文件,没有长度限制,我们可以在Pod启动时从Configmap的某个键获取相关的数据项
创建ConfigMap
创建ConfigMap的方式有4种
# 方式一: 通过直接在命令行中指定configmap参数创建,即--from-literal
# 方式二: 通过指定文件创建,即将一个配置文件创建为一个ConfigMap, --from-file=<文件>
# 方式三: 通过指定目录创建,即将一个目录下所有的配置文件创建为一个ConfigMap,--from-file=<目录>
# 方式四: 事先写好标准的configmap的yaml文件,然后kubectl create -f 创建:
# 通过环境变量注入的值,只要能进入Pod(如kubectl exec)就都能被看见,最好改用存储卷挂载并把文件权限设为600,这样只有属主能读取
命令行创建
kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=youmen
kubectl get cm
NAME DATA AGE
nginx-config 2 8s
kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx_port:
----
80
server_name:
----
youmen.com
Events: <none>
.conf文件创建
cat www.conf
server {
server_name myapp.youmen.com;
listen 80;
root /data/web/html;
}
kubectl create configmap nginx-www --from-file=./www.conf
kubectl get cm
NAME DATA AGE
nginx-config 2 3m13s
nginx-www 1 4s
kubectl describe cm nginx-www
Name: nginx-www
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
www.conf:
----
server {
server_name myapp.youmen.com;
listen 80;
root /data/web/html;
}
Events: <none>
yaml创建
cat cm-demo1.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-cm-1
namespace: default
labels:
app: myapp
tier: frontend
annotations:
youmen.com/created-by: "cluster-admin"
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
env:
- name: NGINX_SERVER_PORT
valueFrom:
configMapKeyRef:
name: nginx-config
key: nginx_port
- name: NGINX_SERVER_NAME
valueFrom:
configMapKeyRef:
name: nginx-config
key: server_name
kubectl apply -f cm-demo1.yaml
kubectl exec -it pod-cm-1 /bin/sh
# 我们用kubectl edit修改configmap里的端口号或者域名,但是已运行Pod内部的环境变量不会刷新,只有在Pod创建时才会注入进去
# 或者我们使用存储卷方式
kubectl edit cm nginx-config
存储卷方式
Example1
[root@master storage]# cat pod-configmap-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-com-2
namespace: default
labels:
app: myapp
tier: frontend
annotations:
youmen.com/created-by: "cluster admin"
spec:
containers:
- name: nginx
image: daocloud.io/library/nginx
ports:
- name: http
containerPort: 80
volumeMounts:
- name: pv-nginx
mountPath: /etc/nginx/config.d/
volumes:
- name: pv-nginx
configMap:
name: pvc2-nfs
kubectl exec -it pod-com-2 bash
cat /etc/nginx/config.d/server_name
youmen
cat /etc/nginx/config.d/nginx_port
80
ls -l /etc/nginx/config.d/
total 0
lrwxrwxrwx 1 root root 16 Dec 25 08:09 nginxport -> ..data/nginxport
lrwxrwxrwx 1 root root 18 Dec 25 08:09 server_name -> ..data/server_name
# 我们去修改下端口,然后看Nginx Pod那边能不能实时刷新
kubectl edit cm nginx-conf
cat /etc/nginx/config.d/nginxport
8080
Example2
我们先生成一个configmap文件
cat www.conf
server {
server_name myapp.youmen.com;
listen 80;
root /etc/nginx/conf.d/default.conf;
}
kubectl create configmap nginx-www --from-file=./www.conf
配置Pod的yaml
cat pod-configmap-demo3.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-com-3
namespace: default
labels:
app: myapp
tier: frontend
annotations:
youmen.com/created-by: "cluster admin"
spec:
containers:
- name: nginx
image: nginx
ports:
- name: http
containerPort: 80
volumeMounts:
- name: cv0
mountPath: /etc/nginx/conf.d/
volumes:
- name: cv0
configMap:
name: nginx-www
kubectl exec -it pod-com-3 bash
cat /etc/nginx/conf.d/www.conf
server {
server_name myapp.youmen.com;
listen 80;
root /usr/share/nginx/html/;
}
echo "<h1>Nginx Server configured by CM</h1>" > /usr/share/nginx/html/index.html
接下来我们一边访问测试,一边修改配置
curl 10.244.1.62
<h1>Nginx Server configured by CM</h1>
kubectl edit cm nginx-www # 修改端口为8080
# 此时Pod里面的配置文件已经被修改了,但是Nginx监听的端口没有改,需要重新载入Nginx(nginx -s reload),才能使监听端口生效
cat /etc/nginx/conf.d/www.conf
server {
server_name myapp.youmen.com;
listen 8080;
root /usr/share/nginx/html/;
}
nginx -s reload
curl 10.244.1.62
curl: (7) Failed connect to 10.244.1.62:80; Connection refused
[root@master configmap]# curl 10.244.1.62:8080
<h1>Nginx Server configured by CM</h1>
与Secret区别
# 1 . ConfigMap保存的是不需要加密的应用所需的配置信息
# 2 . ConfigMap的用法几乎与Secret完全相同,可以使用kubectl create configmap从文件或者目录创建ConfigMap,也可以直接编写ConfigMap对象的YAML文件.
Secret简介
Secret
Secret用来保存小片敏感数据的k8s资源、例如密码、token、或者密钥。这类数据当然也可以存在Pod或者镜像中,但是放在Secret中是为了更方便地控制如何使用数据,并减少暴露的风险.
用户可以创建自己的Secret,系统也会有自己的Secret.
Pod需要先引用才能使用某个Secret。
kubectl create secret --help
docker-registry Create a secret for use with a Docker registry
generic Create a secret from a local file, directory or literal value
tls Create a TLS secret
Key值创建
kubectl create secret generic mysql-root-password --from-literal=password=ZHOUjian.20
kubectl get secret
NAME TYPE DATA AGE
default-token-j9thc kubernetes.io/service-account-token 3 6d21h
mysql-root-password Opaque 1 6s
kubectl describe secret mysql-root-password
Name: mysql-root-password
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 11 bytes
kubectl get secret mysql-root-password -o yaml
apiVersion: v1
data:
password: WkhPVWppYW4uMjA=
kind: Secret
metadata:
creationTimestamp: "2019-12-25T09:02:27Z"
name: mysql-root-password
namespace: default
resourceVersion: "1438552"
selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
uid: a1a55f14-86b1-4ada-8050-a8e8ccbdd145
type: Opaque
# 此处只是base64编码而非加密,并不安全,任何人都能用base64 -d解码;而且env注入时,你在Secret对象里看到的是编码后的密码,但是Pod里面的环境变量是明文
echo WkhPVWppYW4uMjA= |base64 -d
ZHOUjian.20
环境变量注入mysql密码
cat pod-secret.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-secret-1
namespace: default
labels:
app: myapp
tier: frontend
annotations:
youmen.com/create-by: "cluster admin"
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-root-password
key: password
kubectl exec pod-secret-1 -- printenv |grep MYSQL_ROOT_PASSWORD
MYSQL_ROOT_PASSWORD=ZHOUjian.20
# 通过环境变量注入的值,只要能进入Pod(如kubectl exec)就都能被看见,最好改用存储卷挂载并把文件权限设为600,这样只有属主能读取