Kubernetes ConfigMap and Secret

ConfigMap and Secret are two special types of volume in Kubernetes. A ConfigMap object supplies configuration data to the application in a container so that the program's behaviour can be customised; sensitive configuration such as keys and certificates, however, is normally carried by a Secret object. Both keep the configuration inside the object, which is then mounted into a Pod resource as a volume so the application can read it, decoupling configuration from the image.

ConfigMap

Plays the role of a configuration centre: it can be injected into a pod at start-up or mounted by the pod, which allows configuration to be changed dynamically. Note that a ConfigMap is stored in plaintext.

Secret

Functionally the same as a ConfigMap; the only difference is that the configuration values are stored base64-encoded. In addition, there are three types of Secret:

  • docker-registry: the credentials kubelet uses when pulling images from a Docker registry must be stored in this type of Secret; when the pod is created, the secret is referenced through pod.spec.imagePullSecrets
  • generic: general purpose
  • tls: stores certificates

valueFrom template

[root@master-0 volume]# kubectl explain pod.spec.containers.env.valueFrom
KIND:     Pod
VERSION:  v1

RESOURCE: valueFrom <Object>

DESCRIPTION:
     Source for the environment variable's value. Cannot be used if value is not
     empty.

     EnvVarSource represents a source for the value of an EnvVar.

FIELDS:
   configMapKeyRef <Object>     # a ConfigMap key/value pair; the value length is not limited
     Selects a key of a ConfigMap.

   fieldRef <Object>            # a pod field, e.g. a reference to the current pod's metadata.name, etc.
     Selects a field of the pod: supports metadata.name, metadata.namespace,
     metadata.labels, metadata.annotations, spec.nodeName,
     spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

   resourceFieldRef <Object>   # resource requests and resource limits
     Selects a resource of the container: only resources limits and requests
     (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu,
     requests.memory and requests.ephemeral-storage) are currently supported.

   secretKeyRef <Object>       # a Secret key/value pair; the value length is not limited
     Selects a key of a secret in the pod's namespace

Creating a configMapKeyRef

  1. Create the cm from a resource manifest

    [root@master-0 volume]# kubectl explain cm
    KIND:     ConfigMap
    VERSION:  v1
    
    DESCRIPTION:
        ConfigMap holds configuration data for pods to consume.
    
    FIELDS:
    apiVersion <string>
        APIVersion defines the versioned schema of this representation of an
        object. Servers should convert recognized schemas to the latest internal
        value, and may reject unrecognized values. More info:
        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
    
    binaryData <map[string]string>   # data in binary form
        BinaryData contains the binary data. Each key must consist of alphanumeric
        characters, '-', '_' or '.'. BinaryData can contain byte sequences that are
        not in the UTF-8 range. The keys stored in BinaryData must not overlap with
        the ones in the Data field, this is enforced during validation process.
        Using this field will require 1.10+ apiserver and kubelet.
    
    data <map[string]string>         # a map: a hash made up of several key/value pairs
        Data contains the configuration data. Each key must consist of alphanumeric
        characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use
        the BinaryData field. The keys stored in Data must not overlap with the
        keys in the BinaryData field, this is enforced during validation process.
    
    immutable <boolean>
        Immutable, if set to true, ensures that data stored in the ConfigMap cannot
        be updated (only object metadata can be modified). If not set to true, the
        field can be modified at any time. Defaulted to nil. This is an alpha field
        enabled by ImmutableEphemeralVolumes feature gate.
    
    kind <string>
        Kind is a string value representing the REST resource this object
        represents. Servers may infer this from the endpoint the client submits
        requests to. Cannot be updated. In CamelCase. More info:
        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    
    metadata <Object>
        Standard object's metadata. More info:
        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
    [root@master-0 config]# cat config.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: test-config
      namespace: default
    data:
      cache_host: memcached-gcxt
      cache_port: "112211"
      cache_prefix: gcxt
      my.cnf: |
          [mysqld]
          log-bin = mysql-bin
    [root@master-0 config]# kubectl apply -f config.yaml
    configmap/test-config created
    
  2. Command-line templates for creating a cm

    [root@master-0 ~]# kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt      # set the key values directly from files
    [root@master-0 ~]# kubectl create configmap my-config --from-file=path/to/bar     # if no key name is given, the file name becomes the key; my-config is the name of the configuration file under the mount path once mounted in the container
    [root@master-0 ~]# kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2                   # create from literal values on the command line
    
    
  3. Creating a cm on the command line

    [root@master-0 ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=test.com
    configmap/nginx-config created
    [root@master-0 ~]# kubectl get cm
    NAME           DATA   AGE
    nginx-config   2      14s
    [root@master-0 config]# cat config
    server{
    server_name test.com;
    listen 80;
    root /data/web/html;
    }
    [root@master-0 config]# kubectl create configmap www.conf --from-file=./www.conf
    configmap/www.conf created        # the name may not contain underscores
    [root@master-0 config]# kubectl get cm www.conf -oyaml
    apiVersion: v1
    data:
      config: |
        server{
        server_name test.com;
        listen 80;
        root /data/web/html;
        }
    kind: ConfigMap
    metadata:
      creationTimestamp: "2020-09-11T18:01:53Z"
      managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:data:
            .: {}
            f:config: {}
        manager: kubectl
        operation: Update
        time: "2020-09-11T18:01:53Z"
      name: www.conf
      namespace: default
      resourceVersion: "2516849"
      selfLink: /api/v1/namespaces/default/configmaps/www.conf
      uid: c6ac4a0c-c63b-4ffd-846b-081c6b96aa50
    
  4. Injecting configuration through env environment variables

    [root@master-0 config]# cat pod-cm.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-1
      namespace: default
      labels:
        app: myapp
        tier: frontend
    spec:
      containers:
      - name: myapp
        image: nginx
        ports:
        - name: http
          containerPort: 80
        env:
        - name: NGINX_SERVER_PORT           # underscores are required here; injected into the pod's environment variables
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: nginx_port
        - name: NGINX_SERVER_NAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: server_name
    [root@master-0 config]# kubectl apply -f pod-cm.yaml
    pod/pod-cm-1 created
    [root@master-0 config]# kubectl exec -it pod-cm-1 -- printenv|grep NGINX
    NGINX_SERVER_NAME=test.com
    NGINX_SERVER_PORT=80
    NGINX_VERSION=1.19.2
    
  5. Mounting as a volume

    [root@master-0 config]# cat pod-cm-volume.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-2
      namespace: default
      labels:
        app: myapp
        tier: frontend
    spec:
      containers:
      - name: myapp
        image: nginx
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx/config.d
          readOnly: true
      volumes:
      - name: nginx-conf
        configMap:
          name: www.conf
    [root@master-0 config]# kubectl apply -f  pod-cm-volume.yaml
    pod/pod-cm-2 created
    [root@master-0 config]# kubectl get pod
    NAME                           READY   STATUS    RESTARTS   AGE
    myapp-deploy-5d645d645-2dsjq   1/1     Running   4          12d
    myapp-deploy-5d645d645-65ftw   1/1     Running   2          12d
    myapp-deploy-5d645d645-hfxqf   1/1     Running   4          12d
    pod-cm-2                       1/1     Running   0          9m35s
    pod-vol-hostpath               1/1     Running   0          10h
    [root@master-0 config]# kubectl exec -it pod-cm-2 -- /bin/bash
    root@pod-cm-2:/# cd /etc/nginx/conf.d/
    root@pod-cm-2:/etc/nginx/conf.d# ls
    nginx_port  server_name
    
  6. Creating vhosts from a file-based cm

    [root@master-0 config]# cat pod-cm-vhosts.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-3
      namespace: default
      labels:
        app: myapp
        tier: frontend
    spec:
      containers:
      - name: myapp
        image: nginx
        imagePullPolicy: Never
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx/conf.d
          readOnly: true
      volumes:
      - name: nginx-conf
        configMap:
          name: www.conf
    [root@master-0 config]# kubectl apply -f pod-cm-vhosts.yaml
    pod/pod-cm-3 created
    [root@master-0 config]# kubectl exec -it pod-cm-3 -- /bin/bash
    root@pod-cm-3:/# cd /etc/nginx/conf.d/
    root@pod-cm-3:/etc/nginx/conf.d# ls
    www.conf
    
Mounting a single key of a configmap

  1. A configmap need not be mounted in full; you can name only the keys that are needed

[root@master-0 config]# kubectl explain pod.spec.volumes.configMap
KIND:     Pod
VERSION:  v1

RESOURCE: configMap <Object>

DESCRIPTION:
     ConfigMap represents a configMap that should populate this volume

     Adapts a ConfigMap into a volume. The contents of the target ConfigMap's
     Data field will be presented in a volume as files using the keys in the
     Data field as the file names, unless the items element is populated with
     specific mappings of keys to paths. ConfigMap volumes support ownership
     management and SELinux relabeling.

FIELDS:
   defaultMode <integer>
     Optional: mode bits to use on created files by default. Must be a value
     between 0 and 0777. Defaults to 0644. Directories within the path are not
     affected by this setting. This might be in conflict with other options that
     affect the file mode, like fsGroup, and the result can be other mode bits
     set.

   items <[]Object>     # list individually which keys to mount
     If unspecified, each key-value pair in the Data field of the referenced
     ConfigMap will be projected into the volume as a file whose name is the key
     and content is the value. If specified, the listed keys will be projected
     into the specified paths, and unlisted keys will not be present. If a key
     is specified which is not present in the ConfigMap, the volume setup will
     error unless it is marked optional. Paths must be relative and may not
     contain the '..' path or start with '..'.

   name <string>
     Name of the referent. More info:
     https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

   optional <boolean>       # whether the configmap must exist when the pod starts; defaults to false, meaning the cm must be created beforehand; true means it need not
     Specify whether the ConfigMap or its keys must be defined
[root@master-0 config]# kubectl explain pod.spec.volumes.configMap.items
KIND:     Pod
VERSION:  v1

RESOURCE: items <[]Object>

DESCRIPTION:
     If unspecified, each key-value pair in the Data field of the referenced
     ConfigMap will be projected into the volume as a file whose name is the key
     and content is the value. If specified, the listed keys will be projected
     into the specified paths, and unlisted keys will not be present. If a key
     is specified which is not present in the ConfigMap, the volume setup will
     error unless it is marked optional. Paths must be relative and may not
     contain the '..' path or start with '..'.

     Maps a string key to a path within a volume.

FIELDS:
   key <string> -required-
     The key to project.

   mode <integer>       # permissions can also be set on the mounted file
     Optional: mode bits to use on this file, must be a value between 0 and
     0777. If not specified, the volume defaultMode will be used. This might be
     in conflict with other options that affect the file mode, like fsGroup, and
     the result can be other mode bits set.

   path <string> -required-         # a path must be given; it may not start with ..
     The relative path of the file to map the key to. May not be an absolute
     path. May not contain the path element '..'. May not start with the string
     '..'.
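As an added example (not code from the original post), the following Python models the constraints `kubectl explain` prints above for a ConfigMap volume and its items, and the file layout the volume projects, so a manifest can be checked before it reaches the kubelet. The helper names `validate_configmap_volume` and `projected_files` are hypothetical, and the samples are constructed from the page's two-key nginx-config ConfigMap.

```python
import re
from typing import Dict, List

KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")   # alphanumeric, '-', '_' or '.'


def validate_configmap_volume(volume: Dict, configmap: Dict) -> List[str]:
    """Problems the kubelet would hit setting up `volume` from `configmap`,
    per the explain text above; an empty list means the mount would succeed."""
    problems: List[str] = []
    spec = volume["configMap"]
    data, binary = configmap.get("data", {}), configmap.get("binaryData", {})
    for k in set(data) | set(binary):
        if not KEY_RE.match(k):
            problems.append(f"key {k!r} uses characters outside [-._a-zA-Z0-9]")
    for k in set(data) & set(binary):
        problems.append(f"key {k!r} present in both data and binaryData")
    if not 0 <= spec.get("defaultMode", 0o644) <= 0o777:
        problems.append("defaultMode must be between 0 and 0777")
    for item in spec.get("items", []):
        key, path = item.get("key", ""), item.get("path", "")
        if key not in data and key not in binary and not spec.get("optional", False):
            problems.append(f"item key {key!r} missing from ConfigMap and volume is not optional")
        # paths must be relative, may not start with '..' and may not contain a '..' element
        if not path or path.startswith(("/", "..")) or ".." in path.split("/"):
            problems.append(f"item path {path!r} must be relative and free of '..'")
        if "mode" in item and not 0 <= item["mode"] <= 0o777:
            problems.append(f"item {key!r} mode must be between 0 and 0777")
    return problems


def projected_files(volume: Dict, configmap: Dict) -> Dict[str, str]:
    """Files the volume presents: every data key, or only the listed items."""
    data = configmap.get("data", {})
    items = volume["configMap"].get("items")
    if not items:
        return dict(data)
    return {i["path"]: data[i["key"]] for i in items if i["key"] in data}


# Constructed samples based on the page's two-key nginx-config ConfigMap.
NGINX_CM = {"metadata": {"name": "nginx-config"},
            "data": {"nginx_port": "80", "server_name": "test.com"}}
WHOLE_VOLUME = {"name": "nginx-conf", "configMap": {"name": "nginx-config"}}
ONE_KEY_VOLUME = {"name": "nginx-conf", "configMap": {"name": "nginx-config",
    "items": [{"key": "server_name", "path": "vhost/server_name", "mode": 0o400}]}}
BAD_VOLUME = {"name": "nginx-conf", "configMap": {"name": "nginx-config",
    "items": [{"key": "missing", "path": "../etc/escape"}]}}
```

Running `validate_configmap_volume(BAD_VOLUME, NGINX_CM)` reports both the unknown key and the path escaping the mount, while `projected_files(ONE_KEY_VOLUME, NGINX_CM)` shows that nginx_port is simply absent when items is set.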

Creating a secret

[root@master-0 ~]# kubectl explain secret
KIND:     Secret
VERSION:  v1

DESCRIPTION:
     Secret holds secret data of a certain type. The total bytes of the values
     in the Data field must be less than MaxSecretSize bytes.

FIELDS:
   apiVersion <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

   data <map[string]string>     # encoded: the value entered here must be base64-encoded
     Data contains the secret data. Each key must consist of alphanumeric
     characters, '-', '_' or '.'. The serialized form of the secret data is a
     base64 encoded string, representing the arbitrary (possibly non-string)
     data value here. Described in https://tools.ietf.org/html/rfc4648#section-4

   immutable <boolean>
     Immutable, if set to true, ensures that data stored in the Secret cannot be
     updated (only object metadata can be modified). If not set to true, the
     field can be modified at any time. Defaulted to nil. This is an alpha field
     enabled by ImmutableEphemeralVolumes feature gate.

   kind <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

   metadata <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

   stringData <map[string]string>   # plaintext values
     stringData allows specifying non-binary secret data in string form. It is
     provided as a write-only convenience method. All keys and values are merged
     into the data field on write, overwriting any existing values. It is never
     output when reading from the API.

   type <string>        # type identifier, not required
     Used to facilitate programmatic handling of secret data.

  1. Creation from a resource manifest

    [root@master-0 config]# cat secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret
      namespace: default
    stringData:
      cache_host: memcached-gcxt
      cache_port: "112211"
      cache_prefix: gcxt
    [root@master-0 config]# kubectl apply -f secret.yaml
    secret/test-secret created
    
  2. Creation from the command line

    [root@master-0 config]# kubectl create secret generic -h
    Usage:
    kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1]
    [--dry-run=server|client|none] [options]
    [root@master-0 config]# kubectl create secret generic mysql-root-password --from-literal=passwrd=myp@SS123
    secret/mysql-root-password created
    
  3. Likewise, a secret can be injected as environment variables through env or mounted and used as a volume
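Added example, not part of the original post: a Python model of the Secret write path described by `kubectl explain secret` above (stringData merged into data as base64 and never returned on read), together with the decode that any principal allowed to read the object can perform. The function names and the constructed TEST_SECRET sample are assumptions; MAX_SECRET_SIZE is the upstream 1 MiB limit the explain text refers to.

```python
import base64
from typing import Dict

# The limit `kubectl explain secret` calls MaxSecretSize; 1 MiB in the API server.
MAX_SECRET_SIZE = 1 * 1024 * 1024


def serialize_secret(manifest: Dict) -> Dict:
    """Model the API server's write path: stringData is merged into data as
    base64 (overwriting existing keys) and is never stored or returned."""
    data: Dict[str, str] = dict(manifest.get("data", {}))
    for key, value in manifest.get("stringData", {}).items():
        data[key] = base64.b64encode(value.encode()).decode("ascii")
    total = sum(len(base64.b64decode(v)) for v in data.values())
    if total >= MAX_SECRET_SIZE:
        raise ValueError(f"secret data is {total} bytes, must be < {MAX_SECRET_SIZE}")
    stored = {k: v for k, v in manifest.items() if k != "stringData"}
    stored["data"] = data
    return stored


def decode_secret(stored: Dict) -> Dict[str, str]:
    """What anyone allowed to `kubectl get secret -o yaml` can do: base64 is
    reversible, so the values come back in the clear."""
    return {k: base64.b64decode(v).decode() for k, v in stored["data"].items()}


# Constructed sample, modelled on the page's secret.yaml (values are not real).
TEST_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "test-secret", "namespace": "default"},
    "stringData": {"cache_host": "memcached-gcxt",
                   "cache_port": "112211",
                   "cache_prefix": "gcxt"},
}

if __name__ == "__main__":
    stored = serialize_secret(TEST_SECRET)
    print(stored["data"])         # base64 strings, as `kubectl get secret -o yaml` shows them
    print(decode_secret(stored))  # plaintext again: encoding is not a confidentiality control
```

Because the round trip is lossless, confidentiality of a Secret rests on RBAC over `get`/`list` on secrets and on encryption at rest in etcd, not on the base64 form shown by `kubectl get`.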
