10 . Kubernetes之Configmap,Secret

configmap简介

Configmap和Secret类似,都是用来存储配置文件的Kubernetes资源对象,所有的配置内容都存储在etcd中.

配置容器化应用的方式:
# 1. 自定义命令行参数
#   args:
# 2. 把配置文件直接配进镜像
# 3. 环境变量
#    1. Cloud Native的应用程序一般可直接通过环境变量加载配置:
#    2. 通过entrypoint脚本来预处理变量为配置文件中的配置信息:
# 4. 存储卷

整个ConfigMap存放的是多个键值对(键值数据),每个key可以只代表一个配置参数,也可以是一整个配置文件,没有长度限制;我们可以在Pod启动时从ConfigMap的某个键获取相关的数据项

创建ConfigMap

创建ConfigMap的方式有4种

# 方式一:  通过直接在命令行中指定configmap参数创建,即--from-literal
# 方式二:  通过指定文件创建,即将一个配置文件创建为一个ConfigMap, --from-file=<文件>
# 方式三:  通过指定目录创建,即将一个目录下所有的配置文件创建为一个ConfigMap,--from-file=<目录>
# 方式四:  事先写好标准的configmap的yaml文件,然后kubectl  create  -f 创建:

# 通过环境变量注入的值,只要能进入Pod就能被人看见;最好使用存储卷方式挂载,并把文件权限设为600,只有属主能读取
命令行创建
kubectl create  configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=youmen

kubectl get cm
NAME           DATA   AGE
nginx-config   2      8s

kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>
Data
====
nginx_port:
----
80
server_name:
----
youmen.com
Events:  <none>
.conf文件创建
cat www.conf
server {
	server_name myapp.youmen.com;
	listen 80;
	root /data/web/html;
}

kubectl create configmap nginx-www --from-file=./www.conf

kubectl get cm
NAME           DATA   AGE
nginx-config   2      3m13s
nginx-www      1      4s

kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:       <none>
Annotations:  <none>
Data
====
www.conf:
----
server {
  server_name myapp.youmen.com;
  listen 80;
  root /data/web/html;
}
Events:  <none>
yaml创建
cat cm-demo1.yaml 
# Pod that reads two keys of the nginx-config ConfigMap into environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    youmen.com/created-by: "cluster-admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    # Values injected this way are plain environment variables: every process in
    # the container (and anyone who can exec into the Pod) can read them, and they
    # are resolved only when the Pod is created, so a later `kubectl edit cm` is
    # not picked up until the Pod is recreated.
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config   # created earlier with --from-literal
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name

kubectl apply -f cm-demo1.yaml
kubectl exec -it pod-cm-1 /bin/sh
# 我们用edit修改里面的变量(端口号或者域名),但是Pod内部的环境变量不会刷新,只有重新创建Pod才能注入进去
# 或者我们使用存储卷方式
kubectl edit cm nginx-config
存储卷方式
Example1
[root@master storage]# cat pod-configmap-demo.yaml 
# Pod that mounts a ConfigMap as a volume; each key becomes a file under mountPath.
apiVersion: v1
kind: Pod 
metadata:
  name: pod-com-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    youmen.com/created-by: "cluster admin"
spec:
  containers:
  - name: nginx
    image: daocloud.io/library/nginx
    ports:
    - name: http
      containerPort: 80
    # Unlike env injection, files in a ConfigMap volume are symlinks into ..data
    # and are refreshed in place after the ConfigMap is edited (see the ls -l and
    # the 8080 re-read below).
    volumeMounts:     
    - name: pv-nginx
      mountPath: /etc/nginx/config.d/
  volumes:
  - name: pv-nginx 
    configMap:
      # NOTE(review): the files read from the mount below (server_name, nginx_port)
      # are the keys of nginx-config, not of a ConfigMap named pvc2-nfs — confirm
      # which ConfigMap this example is meant to reference.
      # When the mounted content is sensitive, restrict the file mode with the
      # volume's defaultMode field instead of relying on the default permissions.
      name: pvc2-nfs 
        
        
kubectl exec -it pod-com-2 bash
cat /etc/nginx/config.d/server_name 
youmen
                   
cat /etc/nginx/config.d/nginx_port 
80

ls -l /etc/nginx/config.d/
total 0
lrwxrwxrwx 1 root root 16 Dec 25 08:09 nginxport -> ..data/nginxport
lrwxrwxrwx 1 root root 18 Dec 25 08:09 server_name -> ..data/server_name

# 我们去修改一下端口,然后看Nginx Pod那边能不能实时刷新
kubectl edit cm nginx-conf
cat /etc/nginx/config.d/nginxport 
8080
Example2

我们先生成一个configmap文件

cat www.conf 
server {
	server_name myapp.youmen.com;
	listen 80;
	root /etc/nginx/conf.d/default.conf; 
}
kubectl create configmap nginx-www --from-file=./www.conf

配置podyaml

cat pod-configmap-demo3.yaml 
# Pod that mounts the nginx-www ConfigMap (one key: www.conf) as nginx's conf.d.
apiVersion: v1
kind: Pod 
metadata:
  name: pod-com-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    youmen.com/created-by: "cluster admin"
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - name: http
      containerPort: 80
    # Mounting a volume here replaces the directory's contents with the ConfigMap
    # keys, so only www.conf is present under conf.d. Editing the ConfigMap updates
    # the file, but nginx keeps its old listen port until `nginx -s reload` is run.
    volumeMounts:     
    - name: cv0
      mountPath: /etc/nginx/conf.d/
  volumes:
  - name: cv0
    configMap:
      name: nginx-www

kubectl exec -it pod-com-3 bash

cat /etc/nginx/conf.d/www.conf 
server {
	server_name myapp.youmen.com;
	listen 80;
	root /usr/share/nginx/html/; 
}
echo "<h1>Nginx Server configured by CM</h1>" > /usr/share/nginx/html/index.html

接下来我们一边修改ConfigMap,一边访问测试

curl 10.244.1.62
<h1>Nginx Server configured by CM</h1>

kubectl edit cm nginx-www	# 修改端口为8080
# 此时Pod里面配置文件已经被修改了,但是监听的端口没有改,需要重新载入一下,才能使监听端口修改
cat /etc/nginx/conf.d/www.conf 
server {
	server_name myapp.youmen.com;
	listen 8080;
	root /usr/share/nginx/html/; 
}
nginx -s reload

curl 10.244.1.62
curl: (7) Failed connect to 10.244.1.62:80; Connection refused
[root@master configmap]# curl 10.244.1.62:8080
<h1>Nginx Server configured by CM</h1>

与Secret区别

# 1 . ConfigMap保存的是不需要加密的应用所需的配置信息
# 2 . ConfigMap的用法几乎与Secret完全相同,可以使用kubectl  create configmap从文件或者目录创建ConfigMap,也可以直接编写ConfigMap对象的YAML文件.

Secret简介

Secret

Secret是用来保存小片敏感数据的k8s资源,例如密码、token或者密钥。这类数据当然也可以存在Pod或者镜像中,但是放在Secret中是为了更方便地控制如何使用数据,并减少暴露的风险.

用户可以创建自己的Secret,系统也会有自己的Secret.

Pod需要先引用才能使用某个Secret。

kubectl create secret --help
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret
Key值创建
kubectl create secret generic mysql-root-password --from-literal=password=ZHOUjian.20

kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-j9thc     kubernetes.io/service-account-token   3      6d21h
mysql-root-password     Opaque                                1      6s

kubectl describe secret mysql-root-password
Name:         mysql-root-password
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
password:  11 bytes

kubectl get secret mysql-root-password -o yaml
# Secret as returned by `kubectl get secret -o yaml`.
apiVersion: v1
data:
  # base64-encoded, NOT encrypted: anyone who can read the Secret object can
  # recover the value with `base64 -d` (shown below).
  password: WkhPVWppYW4uMjA=
kind: Secret
metadata:
  creationTimestamp: "2019-12-25T09:02:27Z"
  name: mysql-root-password
  namespace: default
  resourceVersion: "1438552"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
  uid: a1a55f14-86b1-4ada-8050-a8e8ccbdd145
type: Opaque

# 此处并不是真正的加密,只是base64编码,可以直接解码;而且env注入时,你在Secret对象里看到的是编码后的密码,但是Pod里面的环境变量是明文
echo WkhPVWppYW4uMjA= |base64 -d
ZHOUjian.20
环境变量注入mysql密码
cat pod-secret.yaml 
# Pod that injects the mysql-root-password Secret as an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    youmen.com/create-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    # The Secret value lands in the container's environment in plaintext (see the
    # printenv output below): any process in the container, and anyone able to
    # exec into the Pod, can read it. Mounting the Secret as a volume with a
    # restrictive file mode keeps it out of the process environment.
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-password
          key: password

kubectl exec pod-secret-1 -- printenv |grep MYSQL_ROOT_PASSWORD
MYSQL_ROOT_PASSWORD=ZHOUjian.20
# 通过环境变量注入的值,只要能进入Pod就能被人看见;最好使用存储卷方式挂载,并把文件权限设为600,只有属主能读取