  • 10 . Kubernetes之Configmap,Secret

    configmap简介

    ConfigMap与Secret类似,是用来存储配置数据的Kubernetes资源对象,所有的配置内容都保存在etcd中.

    配置容器化应用的方式:
    # 1. 自定义命令行参数
    #   args:
    # 2. 把配置文件直接配进镜像
    # 3. 环境变量
    #    1. Cloud Native的应用程序一般可直接通过环境变量加载配置:
    #    2. 通过entrypoint脚本来预处理变量为配置文件中的配置信息:
    # 4. 存储卷
    

    整个ConfigMap存放的是多个键值对(键值数据),每个key可以代表一个配置参数,也可以是一整个配置文件,没有长度限制;我们可以在Pod启动时从ConfigMap的某个键获取相关的数据项

    创建ConfigMap

    创建ConfigMap的方式有4种

    # 方式一:  通过直接在命令行中指定configmap参数创建,即--from-literal
    # 方式二:  通过指定文件创建,即将一个配置文件创建为一个ConfigMap, --from-file=<文件>
    # 方式三:  通过指定目录创建,即将一个目录下所有的配置文件创建为一个ConfigMap,--from-file=<目录>
    # 方式四:  事先写好标准的configmap的yaml文件,然后kubectl  create  -f 创建:
    
    # 以环境变量方式注入的配置,任何能进入Pod的人都能看到(例如 printenv);敏感数据最好改用存储卷挂载,并把文件权限设为600,只有属主可读
    
    命令行创建
    kubectl create  configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=youmen
    
    kubectl get cm
    NAME           DATA   AGE
    nginx-config   2      8s
    
    kubectl describe cm nginx-config
    Name:         nginx-config
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    Data
    ====
    nginx_port:
    ----
    80
    server_name:
    ----
    youmen.com
    Events:  <none>
    
    .conf文件创建
    cat www.conf
    server {
    	server_name myapp.youmen.com;
    	listen 80;
    	root /data/web/html;
    }
    
    kubectl create configmap nginx-www --from-file=./www.conf
    
    kubectl get cm
    NAME           DATA   AGE
    nginx-config   2      3m13s
    nginx-www      1      4s
    
    kubectl describe cm nginx-www
    Name:         nginx-www
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    Data
    ====
    www.conf:
    ----
    server {
      server_name myapp.youmen.com;
      listen 80;
      root /data/web/html;
    }
    Events:  <none>
    
    yaml创建
    cat cm-demo1.yaml 
    # Pod that reads two keys of ConfigMap nginx-config into environment variables.
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-1
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        youmen.com/created-by: "cluster-admin"
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        # Values are resolved once when the container is created; editing the
        # ConfigMap afterwards does not refresh these variables (see note below).
        env:
        - name: NGINX_SERVER_PORT
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: nginx_port
        - name: NGINX_SERVER_NAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: server_name
    
    kubectl apply -f cm-demo1.yaml
    kubectl exec -it pod-cm-1 /bin/sh
    # 用 kubectl edit 修改ConfigMap中的端口号或域名后,Pod内部的环境变量不会刷新,环境变量只在容器创建时注入一次
    # 若需要配置动态更新,可以改用存储卷方式挂载(见下文)
    kubectl edit cm nginx-config
    
    存储卷方式
    Example1
    [root@master storage]# cat pod-configmap-demo.yaml 
    # Pod that mounts a ConfigMap as a volume; each key shows up as a file
    # under the mountPath (see the ls/cat output below).
    apiVersion: v1
    kind: Pod 
    metadata:
      name: pod-com-2
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        youmen.com/created-by: "cluster admin"
    spec:
      containers:
      - name: nginx
        image: daocloud.io/library/nginx
        ports:
        - name: http
          containerPort: 80
        volumeMounts:     
        - name: pv-nginx
          mountPath: /etc/nginx/config.d/
      volumes:
      - name: pv-nginx 
        configMap:
          # NOTE(review): the files read later (server_name, nginx_port) are keys of
          # nginx-config; confirm this ConfigMap name is the one intended.
          name: pvc2-nfs 
            
            
    kubectl exec -it pod-com-2 bash
    cat /etc/nginx/config.d/server_name 
    youmen
                       
    cat /etc/nginx/config.d/nginx_port 
    80
    
    ls -l /etc/nginx/config.d/
    total 0
    lrwxrwxrwx 1 root root 16 Dec 25 08:09 nginxport -> ..data/nginxport
    lrwxrwxrwx 1 root root 18 Dec 25 08:09 server_name -> ..data/server_name
    
    # 修改一下端口,然后看Nginx Pod那边能不能实时刷新
    kubectl edit cm nginx-conf
    cat /etc/nginx/config.d/nginxport 
    8080
    
    Example2

    我们先用配置文件创建一个ConfigMap

    cat www.conf 
    server {
    	server_name myapp.youmen.com;
    	listen 80;
    	root /etc/nginx/conf.d/default.conf; 
    }
    kubectl create configmap nginx-www --from-file=./www.conf
    

    配置Pod的yaml

    cat pod-configmap-demo3.yaml 
    # Pod that mounts ConfigMap nginx-www into nginx's conf.d directory, so the
    # www.conf key becomes /etc/nginx/conf.d/www.conf (see cat output below).
    apiVersion: v1
    kind: Pod 
    metadata:
      name: pod-com-3
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        youmen.com/created-by: "cluster admin"
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - name: http
          containerPort: 80
        volumeMounts:     
        - name: cv0
          mountPath: /etc/nginx/conf.d/
      volumes:
      - name: cv0
        configMap:
          # Edits to this ConfigMap propagate to the mounted file, but nginx
          # must be reloaded (nginx -s reload) before it listens on a new port.
          name: nginx-www
    
    kubectl exec -it pod-com-3 bash
    
    cat /etc/nginx/conf.d/www.conf 
    server {
    	server_name myapp.youmen.com;
    	listen 80;
    	root /usr/share/nginx/html/; 
    }
    echo "<h1>Nginx Server configured by CM</h1>" > /usr/share/nginx/html/index.html
    

    接下来我们一边修改配置,一边访问测试

    curl 10.244.1.62
    <h1>Nginx Server configured by CM</h1>
    
    kubectl edit cm nginx-www	# 修改端口为8080
    # 此时Pod里面的配置文件已经同步更新,但Nginx进程仍监听旧端口,需要执行 nginx -s reload 重新载入配置,监听端口才会改变
    cat /etc/nginx/conf.d/www.conf 
    server {
    	server_name myapp.youmen.com;
    	listen 8080;
    	root /usr/share/nginx/html/; 
    }
    nginx -s reload
    
    curl 10.244.1.62
    curl: (7) Failed connect to 10.244.1.62:80; Connection refused
    [root@master configmap]# curl 10.244.1.62:8080
    <h1>Nginx Server configured by CM</h1>
    

    与Secret区别

    # 1 . ConfigMap保存的是不需要加密的应用所需的配置信息
    # 2 . ConfigMap的用法几乎与Secret完全相同,可以使用kubectl  create configmap从文件或者目录创建ConfigMap,也可以直接编写ConfigMap对象的YAML文件.
    

    Secret简介

    Secret

    Secret是用来保存少量敏感数据(例如密码、token或密钥)的k8s资源。这类数据当然也可以直接放在Pod定义或镜像中,但放在Secret中便于控制数据如何被使用,并减少暴露的风险。

    用户可以创建自己的Secret,系统也会有自己的Secret.

    Pod需要先引用才能使用某个Secret。

    kubectl create secret --help
      docker-registry Create a secret for use with a Docker registry
      generic         Create a secret from a local file, directory or literal value
      tls             Create a TLS secret
    
    Key值创建
    kubectl create secret generic mysql-root-password --from-literal=password=ZHOUjian.20
    
    kubectl get secret
    NAME                    TYPE                                  DATA   AGE
    default-token-j9thc     kubernetes.io/service-account-token   3      6d21h
    mysql-root-password     Opaque                                1      6s
    
    kubectl describe secret mysql-root-password
    Name:         mysql-root-password
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    Type:  Opaque
    Data
    ====
    password:  11 bytes
    
    kubectl get secret mysql-root-password -o yaml
    apiVersion: v1
    data:
      password: WkhPVWppYW4uMjA=
    kind: Secret
    metadata:
      creationTimestamp: "2019-12-25T09:02:27Z"
      name: mysql-root-password
      namespace: default
      resourceVersion: "1438552"
      selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
      uid: a1a55f14-86b1-4ada-8050-a8e8ccbdd145
    type: Opaque
    
    # 注意这里并不是加密,只是base64编码,任何人都能用 base64 -d 还原;而且以env方式注入时,YAML里看到的是编码后的值,但Pod里的环境变量是明文
    echo WkhPVWppYW4uMjA= |base64 -d
    ZHOUjian.20
    
    环境变量注入mysql密码
    cat pod-secret.yaml 
    # Pod that injects the Secret key "password" as an environment variable.
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-secret-1
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        # NOTE(review): the other manifests on this page use "created-by".
        youmen.com/create-by: "cluster admin"
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        # The Secret value lands in the container as a plain-text environment
        # variable; anyone who can exec into the Pod can read it with printenv
        # (see output below). Prefer a volume mount with restricted file mode.
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-root-password
              key: password
    
    kubectl exec pod-secret-1 -- printenv |grep MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD=ZHOUjian.20
    # 以环境变量方式注入的Secret,任何能进入Pod的人都能看到(如上面的 printenv);敏感数据最好改用存储卷挂载,并把文件权限设为600,只有属主可读
    
  • 原文地址:https://www.cnblogs.com/you-men/p/13227752.html