1.1: Secret资源
secret加密数据并存放Etcd中,让Pod的容器以挂载Volume方式访问。注意: Secret中data字段的值只是base64编码而不是加密, Etcd默认也不对Secret加密存储, 生产环境需要在API Server上启用静态加密(EncryptionConfiguration), 并通过RBAC限制对Secret的读取权限。
应用场景:
1、https证书
2、secret存放docker registry认证信息
3、存放文件内容或者字符串,例如用户名密码
Pod使用secret的两种方式:
- 变量注入
- 挂载
例如:创建一个secret用于保存应用程序用到的用户名和密码
官方文档: https://kubernetes.io/docs/concepts/configuration/secret/
示例1: 创建一个secret用于保存应用程序用到的用户名和密码
//直接由文件创建secret资源(值无需手动编码, kubectl会自动做base64编码)
[root@master demo]# echo -n 'admin'>./username.txt
[root@master demo]# echo -n '1f2d1e2e676f'>./password.txt
[root@master demo]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@master demo]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 62s
default-token-mpxqj kubernetes.io/service-account-token 3 16d
registry-pull-secret kubernetes.io/dockerconfigjson 1 2d23h
[root@master demo]# kubectl describe secret db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 12 bytes
username.txt: 5 bytes
示例2: 变量注入方式在Pod中使用secret:
//创建secret资源(data字段的值需先经过base64编码; base64只是编码, 不是加密)
[root@master demo]# echo -n 'admin' | base64
YWRtaW4=
[root@master demo]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@master demo]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@master demo]# kubectl apply -f secret.yaml
secret/secret created
[root@master demo]# kubectl delete secret secret
secret "secret" deleted
[root@master demo]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 51m
default-token-mpxqj kubernetes.io/service-account-token 3 16d
my-secret Opaque 2 66s
registry-pull-secret kubernetes.io/dockerconfigjson 1 3d
[root@master demo]# kubectl get secret my-secret -o yaml
apiVersion: v1
data:
password: MWYyZDFlMmU2N2Rm
username: YWRtaW4=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"MWYyZDFlMmU2N2Rm","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"my-secret","namespace":"default"},"type":"Opaque"}
creationTimestamp: 2020-10-15T10:26:47Z
name: my-secret
namespace: default
resourceVersion: "186838"
selfLink: /api/v1/namespaces/default/secrets/my-secret
uid: edf7eaf0-0ed0-11eb-b567-000c29a0cac9
type: Opaque
- pod中使用secret资源
方法一: 变量方式,引用上文的secret资源
//方法一: 变量方式,引用上文的secret资源
[root@master demo]# vim secret-var.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:                          # 调用变量
    - name: SECRET_USERNAME       # 调用的变量赋给它
      valueFrom:                  # 键值来源
        secretKeyRef:             # 固定键值字段
          name: my-secret         # 调用资源名称
          key: username           # 调用username变量
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password
[root@master demo]# kubectl apply -f secret-var.yaml
pod/mypod created
[root@master demo]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 3m26s
[root@master demo]# kubectl exec -it mypod bash
root@mypod:/# echo $SECRET_USERNAME
admin
root@mypod:/# echo $SECRET_PASSWORD
1f2d1e2e67df
root@mypod:/#
#key: username赋值给SECRET_USERNAME
#key: password 赋值给SECRET_PASSWORD
#注意: 以环境变量注入的secret会被容器内所有子进程继承, 也可能随进程信息或崩溃日志泄露, 敏感数据更推荐下面的挂载方式
方法二: 数据挂载方式在Pod中使用secret
[root@master demo]# vim secret-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:                 # 挂载点
    - name: li                    # 挂载的卷名称,与下面的挂载设备名一致
      mountPath: "/etc/li"        # 挂载点目录
      readOnly: true              # 只读
  volumes:                        # 挂载设备
  - name: li                      # 挂载设备卷自定义名,与上面挂载点的名字要一致
    secret:                       # 挂载数据类型
      secretName: my-secret       # 挂载数据卷资源名,你创建的secret资源名
[root@master demo]# kubectl create -f secret-vol.yaml
pod/mypod created
//进容器,进挂载点查看挂载的文件
[root@master demo]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 4m14s
[root@master demo]# kubectl exec -it mypod bash
root@mypod:/# ls /etc/li
password username
root@mypod:/# cat /etc/li/password
1f2d1e2e67dfroot@mypod:/# cat /etc/li/username
adminroot@mypod:/#
//挂载出来的文件内容末尾没有换行符, 所以输出与下一个提示符连在一起
1.2: ConfigMap
- 与Secret类似,区别在于ConfigMap保存的是不需要加密的配置信息
应用场景:应用配置, 不涉及加密。注意: ConfigMap中的内容是明文, 下面示例里的redis.password仅用于演示, 密码等敏感字段应放入Secret而不是ConfigMap。
- 第一种方法: 挂载数据卷的方式
创建一个configmap用于保存应用程序用到的字段值
[root@master demo]# vim redis.properties
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
~
- 创建configmap资源
[root@master demo]# kubectl create configmap redis.config --from-file=redis.properties
configmap/redis.config created
//查看资源
[root@master demo]# kubectl get configmap
NAME DATA AGE
redis.config 1 9s
//用缩写查看
[root@master demo]# kubectl get cm
NAME DATA AGE
redis.config 1 67s "configmap的资源名,用于后面引入"
[root@master demo]# kubectl describe cm redis.config
Name: redis.config
Namespace: default
Labels: <none>
Annotations: <none>
Data "资源数据"
====
redis.properties: "资源的文件"
----
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
Events: <none>
数据挂载方式pod引入configmap资源
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh","-c","cat /etc/config/redis.properties" ]
    volumeMounts:                 # 挂载点
    - name: config-volume
      mountPath: /etc/config
  volumes:                        # 挂载设备
  - name: config-volume
    configMap:
      name: redis.config          # 引入的configmap资源名
  restartPolicy: Never
[root@master demo]# kubectl apply -f configmap.yaml
pod/mypod created
[root@master demo]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod 0/1 ContainerCreating 0 3s
[root@master demo]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod 0/1 Completed 0 57s
[root@master demo]# kubectl logs mypod
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
- 第二种方法: 变量参数形式
创建configmap资源
[root@master demo]# vim myconfig.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
[root@master demo]# kubectl apply -f myconfig.yaml
configmap/myconfig created
[root@master demo]# kubectl get configmap
NAME DATA AGE
myconfig 2 5m32s "这里configmap资源名myconfig"
redis.config 1 23m
引用configmap 资源
[root@master demo]# vim config-var.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig          # 引入的configmap的资源名myconfig
          key: special.level      # 引入资源的变量
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig          # 引入的configmap资源名myconfig
          key: special.type       # 引入资源的变量
  restartPolicy: Never
//清除已有的mypod资源, 然后重新执行 kubectl apply -f config-var.yaml 创建新的pod
[root@master demo]# kubectl delete pod mypod
[root@master demo]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod 0/1 ContainerCreating 0 11s
[root@master demo]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod 0/1 Completed 0 58s
[root@master demo]# kubectl logs mypod "查看输入结果"
info hello
1.3: 应用程序如何动态更新配置?
ConfigMap更新时,业务也随之更新的方案:
- 当ConfigMap发生变更时,应用程序动态加载
- 触发滚动更新,即重启服务
示例:
//configmap数据更新
[root@k8s-master ~]# vim configMap-volume-pod.yaml
...
data:                             # redis.host 地址发生变化
  redis.properties: |
    redis.host=192.168.100.200
    redis.port=6379
    redis.password=123456
...
//重新加载配置pod
[root@k8s-master ~]# kubectl apply -f configMap-volume-pod.yaml
configmap/redis-config configured
pod/mypod configured
//查看应用程序引用的数据
[root@k8s-master ~]# kubectl logs mypod
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
//可以发现数据没有更新,有三种方法解决
1.重建pod
2.应用程序本身监听本地配置文件,当configmap发生变化时触发配置热更新
3.业务端采用sidecar 监听configmap资源的变化,有变化则告诉业务更新