Introduction to Secrets:
A Secret serves the same purpose as a ConfigMap, supplying extra configuration to a Pod, but a Secret is the resource object for small amounts of sensitive data such as passwords, tokens, or keys. Keep in mind that the API server stores Secret values base64-encoded, which is an encoding rather than encryption: anyone with RBAC permission to get or list Secrets in a namespace can read them, and they sit in etcd in the clear unless encryption at rest has been configured. Restrict read access to Secrets accordingly.
A Pod can use a Secret in any of three ways:
- As files mounted in a volume into one or more containers (for example a .crt file and a .key file).
- As container environment variables.
- By the kubelet when pulling the Pod's images (authentication to the image registry).
Secret types:
Secret type | Use case |
---|---|
Opaque | Arbitrary user-defined data |
kubernetes.io/service-account-token | ServiceAccount token |
kubernetes.io/dockercfg | Serialized ~/.dockercfg file |
kubernetes.io/dockerconfigjson | Serialized ~/.docker/config.json file |
kubernetes.io/basic-auth | Credentials for basic authentication |
kubernetes.io/ssh-auth | Credentials for SSH authentication |
kubernetes.io/tls | Data for a TLS endpoint: the certificate (tls.crt) and the private key (tls.key) |
bootstrap.kubernetes.io/token | Bootstrap token data |
Providing a certificate to nginx
Generate a private CA, then a server key and CSR, and sign the server certificate with the CA:
mkdir certs
cd certs
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -nodes -subj '/CN=www.ca.com'
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.mysite.com'
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signed this way the certificate carries only a CN and no subjectAltName. Current browsers and curl match the hostname against the SAN and ignore the CN, so for anything beyond a lab test pass an -extfile containing subjectAltName=DNS:www.mysite.com to openssl x509. Create the Secret in the namespace of the Deployment that will mount it (Secrets are namespaced), under the name the Deployment references:
kubectl create secret tls application-tls-key --cert=./server.crt --key=./server.key -n application
A kubernetes.io/tls Secret always exposes exactly two keys, tls.crt and tls.key, whatever the file names on the command line; the nginx configuration relies on those names.
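The procedure above, carried through end to end as an added example (this is not code from the original page): it creates a CA and a server certificate that does carry a subjectAltName, verifies that the leaf chains to the CA and names the host, and emits the same kubernetes.io/tls Secret manifest that `kubectl create secret tls` would build, so it can be reviewed or committed before it is applied and runs without a cluster. The hostname, namespace and Secret name are the page's sample values; the function names and file layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not the page's own commands. Generates a private CA plus a
# SAN-bearing server certificate, verifies the chain, and prints a
# kubernetes.io/tls Secret manifest. Names and paths below are assumptions.

set -eu

b64() { base64 | tr -d '\n'; }   # single-line base64, portable across GNU/BSD

# CA plus leaf certificate for host $1, written into directory $2.
gen_certs() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=example-private-ca' -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Browsers and curl match the name against subjectAltName, not CN; an
    # `openssl x509 -req` call without -extfile produces a certificate with no SAN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 if server.crt chains to ca.crt and lists $1 as a DNS SAN, 1 otherwise.
verify_cert() {
    host="$1"; dir="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -qF "DNS:$host"
}

# Secret manifest for namespace $1 / name $2 from cert file $3 and key file $4.
# The data keys must be exactly tls.crt and tls.key: that is what a
# kubernetes.io/tls Secret exposes and what the nginx config mounts by name.
tls_secret_manifest() {
    ns="$1"; name="$2"; crt="$3"; key="$4"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$name" "$ns" "$(b64 < "$crt")" "$(b64 < "$key")"
}

# Usage: sh make-tls-secret.sh www.mysite.com ./certs > tls-secret.yaml
if [ $# -eq 2 ]; then
    gen_certs "$1" "$2"
    verify_cert "$1" "$2"
    tls_secret_manifest application application-tls-key "$2/server.crt" "$2/server.key"
fi
```

The manifest it prints is what `kubectl apply -f` consumes; the base64 in it is reversible with `base64 -d`, which is the point made in the introduction about who can read Secrets.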
Create the nginx web service and use the certificate
The server block is delivered through a ConfigMap and the certificate through the tls Secret. The redirect from HTTP to HTTPS must be conditional on $scheme, otherwise HTTPS requests are rewritten to themselves forever. nginx 1.20 still enables TLS 1.0 and 1.1 by default, so add ssl_protocols TLSv1.2 TLSv1.3; for anything that is not a lab.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: application
data:
  default: |
    server {
        listen 80;
        listen 443 ssl;
        server_name www.mysite.com;
        # tls.crt / tls.key are the fixed key names of a kubernetes.io/tls Secret
        ssl_certificate     /etc/nginx/conf.d/certs/tls.crt;
        ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
        location / {
            root  /usr/share/nginx/html;
            index index.html;
            # Only redirect plain-HTTP requests; an unconditional rewrite would loop.
            # When the site is reached through the NodePort, the target also needs the
            # HTTPS NodePort (30029), otherwise the redirect points at port 443.
            if ($scheme = http) {
                rewrite ^ https://www.mysite.com$request_uri permanent;
            }
            if (!-e $request_filename) {
                rewrite ^/(.*) /index.html last;
            }
        }
    }
---
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; use apps/v1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application-myapp-frontend-deployment
  namespace: application
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application-myapp-frontend
  template:
    metadata:
      labels:
        app: application-myapp-frontend
    spec:
      containers:
      - name: application-myapp-frontend
        image: nginx:1.20.2-alpine
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx/conf.d/application
        - name: application-tls-key
          mountPath: /etc/nginx/conf.d/certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-config
          items:
          - key: default
            path: mysite.conf
      - name: application-tls-key
        secret:
          # must exist in the same namespace as the Pod (application)
          secretName: application-tls-key
          # the nginx master process runs as root in the official image, so 0400 suffices
          defaultMode: 0400
---
apiVersion: v1
kind: Service
metadata:
  name: application-myapp-frontend
  namespace: application
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30030
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30029
    protocol: TCP
  selector:
    app: application-myapp-frontend
# Add a hosts entry on the client (the address is a node's IP):
vim /etc/hosts
192.168.2.132 www.mysite.com
# Make nginx load the custom config. The official image's nginx.conf only includes
# /etc/nginx/conf.d/*.conf, and the ConfigMap above is mounted one level deeper
# (/etc/nginx/conf.d/application), so add an include for that directory inside the
# container (kubectl exec -it ... -- sh):
vi /etc/nginx/nginx.conf
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/application/*.conf;
# Reload the config
nginx -s reload
# Edits made inside the container are lost when the Pod restarts. The durable
# alternative is to mount the ConfigMap item directly as
# /etc/nginx/conf.d/mysite.conf (mountPath plus subPath), which the default
# include already picks up.
# Access:
https://www.mysite.com:30029
Private registry image authentication
An image pull Secret stores the registry credentials so the kubelet can pull images from a private registry without anyone logging in on the nodes. It can be created in two ways:
1. From the command line (the password ends up in the shell history; create the Secret in the namespace of the Pods that will use it, since Secrets are namespaced):
kubectl create secret docker-registry reg-zhangjw-com-pull-image --docker-server=reg.zhangjw.com --docker-username=admin --docker-password=12345678 -n application
2. From an existing Docker credentials file (the method recommended here):
docker login reg.zhangjw.com --username=admin
kubectl create secret generic reg-zhangjw-com-pull-image --from-file=.dockerconfigjson=/root/.docker/config.json --type=kubernetes.io/dockerconfigjson -n application
Two caveats with the second method: config.json holds the credentials of every registry you have logged in to on that host, and all of them end up in the cluster; and if Docker uses a credential helper ("credsStore" in config.json), the file contains no inline credentials at all and the resulting Secret will not authenticate. Either way the data is only base64-encoded, so anyone allowed to read Secrets in the namespace can recover the registry password.
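Both creation methods above produce the same object, and the following added example (not the page's own commands) makes its content explicit: it builds a kubernetes.io/dockerconfigjson Secret for a single registry from explicit credentials, so that nothing else in ~/.docker/config.json leaks into the cluster, and then recovers the password from the manifest the way anyone with read access on Secrets could. Registry, user and password are the page's sample values; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the page's own code. Builds a single-registry
# kubernetes.io/dockerconfigjson Secret manifest and shows that the stored
# password is only base64-encoded. Names below are assumptions for illustration.

set -eu

b64() { base64 | tr -d '\n'; }   # single-line base64, portable across GNU/BSD

# The JSON structure the kubelet expects: auths.<server>.auth is base64("user:pass").
# username and password are included as well, exactly as `docker login` writes them.
dockerconfig_json() {
    server="$1"; user="$2"; pass="$3"
    auth=$(printf '%s:%s' "$user" "$pass" | b64)
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$auth"
}

# Equivalent of the page's second method restricted to one registry:
#   kubectl create secret generic NAME --from-file=.dockerconfigjson=FILE \
#       --type=kubernetes.io/dockerconfigjson -n NS --dry-run=client -o yaml
pull_secret_manifest() {
    ns="$1"; name="$2"; server="$3"; user="$4"; pass="$5"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$name" "$ns" "$(dockerconfig_json "$server" "$user" "$pass" | b64)"
}

# What `kubectl get secret NAME -o yaml` hands to anyone with get on Secrets:
# reads a manifest on stdin, decodes the field and prints the password in the clear.
password_from_manifest() {
    sed -n 's/^  \.dockerconfigjson: //p' | base64 -d | sed 's/.*"password":"\([^"]*\)".*/\1/'
}

# Usage: sh pull-secret.sh manifest > pull-secret.yaml && kubectl apply -f pull-secret.yaml
if [ "${1:-}" = "manifest" ]; then
    pull_secret_manifest application reg-zhangjw-com-pull-image reg.zhangjw.com admin 12345678
fi
```

Because the password is recoverable from the object, give the registry account pull-only permissions and scope RBAC on Secrets in the application namespace to the controllers and humans that genuinely need it.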
Example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application-myapp-frontend-deployment
  namespace: application
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application-myapp-frontend
  template:
    metadata:
      labels:
        app: application-myapp-frontend
    spec:
      containers:
      - name: application-myapp-frontend
        image: reg.zhangjw.com/baseimages/nginx:1.16.1-alpine-perl
        ports:
        - containerPort: 80
      # the pull Secret must exist in the Pod's namespace (application)
      imagePullSecrets:
      - name: reg-zhangjw-com-pull-image
---
apiVersion: v1
kind: Service
metadata:
  name: application-myapp-frontend
  namespace: application
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30022
    protocol: TCP
  type: NodePort
  selector:
    app: application-myapp-frontend