1、配置管理中心configmap
1、了解这个configmap是什么
-
ConfigMap 是 k8s 中的一种资源对象,专门用来保存非机密的配置数据;数据可以以 key/value 或整个文件的形式保存。ConfigMap 的内容是明文的,任何对该 namespace 拥有 get/list configmaps 权限的主体都能读到,所以密码、token、私钥这类敏感数据不要放进 ConfigMap,应使用 Secret(见下文)。
-
如果同一个 nginx 服务要部署多份副本,可以用 ConfigMap 集中管理配置文件:配置出问题时不需要逐个到节点上去改文件,只改一处 ConfigMap 即可,对相同服务的配置做集中管理非常方便。
-
ConfigMap 可以作为 volume 使用:Pod 启动后,ConfigMap 中的每个 key 会以文件的形式映射到容器内指定的目录。
-
ConfigMap 主要用来保存配置文件,单个 ConfigMap 的数据总量不能超过 1 MiB;更大的数据应改用卷或独立的存储服务,而不是塞进 ConfigMap。
2、configmap创建
1、通过命令行进行创建
[root@master configmap]# kubectl create configmap --from-literal=tomcat_port=8080 --from-literal=server_name=tomcat tomcat-config
[root@master configmap]# kubectl describe cm tomcat-config
Name: tomcat-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
server_name: #key
----
tomcat #value值
tomcat_port:
----
8080
BinaryData
====
Events: <none>
2、通过文件创建
[root@master configmap]# cat nginx.conf
server {
server_name www.nginx.com
listen 80
root /home/nginx/www/
}
[root@master configmap]# pwd
/root/configmap
[root@master configmap]# kubectl create configmap --from-file=./nginx.conf www-nginx-1
configmap/www-nginx-1 created
[root@master configmap]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 155m
tomcat-config 2 4m14s
www-nginx-1 1 8s
[root@master configmap]# kubectl describe cm www-nginx-1
Name: www-nginx-1
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx.conf:
----
server {
server_name www.nginx.com
listen 80
root /home/nginx/www/
}
BinaryData
====
Events: <none>
3、通过目录创建configmap
[root@master configmap]# ls
nginx.conf nginx-test.conf
[root@master configmap]# pwd
/root/configmap
#指定目录时,目录下的每个普通文件都会成为同一个 ConfigMap 的一个 key(key 名就是文件名);注意不要把含密钥或凭据的文件放在该目录下,否则它们也会被一并打包成明文的 ConfigMap
[root@master configmap]# kubectl create configmap --from-file=/root/configmap nginx-conf
configmap/nginx-conf created
[root@master configmap]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 159m
nginx-conf 2 3s
tomcat-config 2 8m42s
www-nginx-1 1 4m36s
[root@master configmap]# kubectl describe cm nginx-conf
Name: nginx-conf
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx-test.conf:
----
server {
server_name www.nginx1.com
listen 80
root /home/nginx/www/
}
nginx.conf:
----
server {
server_name www.nginx.com
listen 80
root /home/nginx/www/
}
BinaryData
====
Events: <none>
4、yaml文件定义
1、通过环境变量引入 使用configMapKeyRef
[root@master configmap]# cat mysql-configmap.yaml
# ConfigMap holding two plain key/value entries in the "test" namespace.
# Values are stored in clear text; ConfigMaps are not for secrets (see the Secret section).
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-cm
  namespace: test
data:
  log: "1"    # key -> value; quoted so YAML keeps the value a string
  lower: "1"
[root@master configmap]# kubectl apply -f mysql-configmap.yaml
configmap/mysql-cm created
[root@master configmap]# kubectl get cm -n test
NAME DATA AGE
kube-root-ca.crt 1 14s
mysql-cm 2 6s
#通过env来定义key和value值
[root@master configmap]# cat cm-pod1.yaml
# Pod that reads individual ConfigMap keys into environment variables via
# configMapKeyRef. Environment values are injected once at container start;
# a later edit of the ConfigMap does not change them (see the hot-update section).
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test
spec:
  containers:
  - name: busybox
    image: docker.io/library/busybox:1.28
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","sleep 360000"]   # keep the container alive for kubectl exec
    env:
    - name: log_bin              # variable name inside the container
      valueFrom:                 # value is taken from the ConfigMap below
        configMapKeyRef:
          name: mysql-cm
          key: log               # resolves to "1" in mysql-cm
    - name: lower
      valueFrom:
        configMapKeyRef:
          name: mysql-cm
          key: lower
[root@master configmap]# kubectl get pod -n test
NAME READY STATUS RESTARTS AGE
p1 1/1 Running 0 83s
[root@master configmap]# kubectl exec -ti -n test p1 -- /bin/sh
/ # printenv
log_bin=1 #key和value的值
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=p1
SHLVL=1
HOME=/root
TERM=xterm
lower=1 #key和value的值
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_HOST=10.96.0.1
2、通过envfrom创建
[root@master configmap]# cat envfrom.yaml
# Pod that imports every key of the ConfigMap as an environment variable via
# envFrom; key names become variable names unchanged (log, lower).
apiVersion: v1
kind: Pod
metadata:
  name: pod-envfrom
  namespace: test
spec:
  containers:
  - name: busybox
    image: docker.io/library/busybox:1.28
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","sleep 36000"]
    envFrom:               # all keys/values of the referenced ConfigMap
    - configMapRef:
        name: mysql-cm
[root@master configmap]# kubectl exec -ti -n test pod-envfrom -- /bin/sh
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-envfrom
SHLVL=1
HOME=/root
TERM=xterm
lower=1
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
log=1
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
3、configmap做成卷挂载到pod中
#定义一个configmap文件
[root@master configmap]# cat mysql-configmap.yaml
# ConfigMap mixing plain key/values with a whole file (my.cnf) stored under one
# key. When mounted as a volume, each key becomes a file in the mount directory.
# The "|" block scalar below keeps the file content verbatim, so no comments may
# be placed inside it (they would become part of the file).
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-cm
  namespace: test
data:
  log: "1"
  lower: "1"
  my.cnf: |
    [mysqld]
    welocme=node1
#configmap做成一个卷
[root@master configmap]# cat cm-pod.yaml
# Pod that mounts the ConfigMap as a volume: every key of mysql-cm appears as a
# file under /tmp/config (log, lower, my.cnf). Files under a volume mount are
# refreshed after the ConfigMap is edited (with a delay), unlike env-injected values.
apiVersion: v1
kind: Pod
metadata:
  name: p1-volume
  namespace: test
spec:
  containers:
  - name: busybox
    image: docker.io/library/busybox:1.28
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","sleep 36000"]
    volumeMounts:
    - mountPath: /tmp/config   # directory where the keys show up as files
      name: cm
  volumes:
  - name: cm
    configMap:                 # expose the ConfigMap as a volume
      name: mysql-cm
[root@master configmap]# kubectl exec -ti -n test p1-volume -- /bin/sh
/ # cd /tmp/config/
/tmp/config # ls
log lower my.cnf
4、configmap热更新
-
ConfigMap 更新后,以 volume 方式挂载到 Pod 里的文件会自动跟着更新,但有延迟:延迟 = kubelet 同步周期(默认 60s)+ ConfigMap 缓存的传播延迟,并不是固定的 10s。另外,文件变了并不代表应用生效,应用需要自己重新读取配置(或重启 Pod)。
-
但通过环境变量引入的 ConfigMap 值不会变化——环境变量只在容器启动时注入一次,必须重建 Pod 才能生效;同样,用 subPath 方式挂载的单个文件也不会热更新。
[root@master configmap]# kubectl edit cm -n test mysql-cm
configmap/mysql-cm edited
[root@master configmap]# kubectl exec -ti -n test p1-volume -- /bin/sh
/ # cd /tmp/config/
/tmp/config # ls
log lower my.cnf
/tmp/config # cat log
22/tmp/config #
2、配置管理中心 secret
1、secret是什么
-
ConfigMap 一般用于存放明文数据(配置文件等);密码、私钥这类敏感数据要用 Secret 类型。需要注意:Secret 里的值只是做了 base64 编码,并不是加密,默认在 etcd 中同样是明文保存;真正要保护它,需要在 API Server 上开启静态加密(EncryptionConfiguration),并用 RBAC 严格限制谁能 get/list secrets。
-
与 ConfigMap 一样,Secret 也可以通过 volume 或环境变量的方式使用;从安全角度优先用 volume(原因见下文环境变量示例)。
-
kubectl create secret 有三种子命令,对应不同的 Secret 类型
-
generic:通用类型,创建出来的 type 为 Opaque,通常用于存储密码等任意 key/value 数据
-
tls:仅用于存储 TLS 私钥和证书(type 为 kubernetes.io/tls)
-
docker-registry:用于保存镜像仓库的认证信息,Pod 通过 imagePullSecrets 引用;这类凭据必须用此种类型来创建
-
- ServiceAccount 相关的 Secret
-
ServiceAccount:Pod 如果使用了某个 ServiceAccount,对应的 token 会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录。注意:Kubernetes 1.24 之前创建 ServiceAccount 时会自动生成一个长期有效的 token Secret;1.24 起不再自动创建,挂载的是 kubelet 通过 TokenRequest API 申请的、有有效期且绑定到该 Pod 的投射 token。这个 token 可以用来访问 API Server,Pod 不需要访问 API 时应设置 automountServiceAccountToken: false。
-
2、环境变量引入secret
#generic 类型(Opaque)只是把值 base64 编码后存起来,并不加密。另外 --from-literal 会把密码留在 shell 历史(~/.bash_history)和进程参数(ps 可见)里,生产环境应改用 --from-file 从权限受限的文件读取
[root@master /]# kubectl create secret generic --from-literal=mysql-password=qqqq**aa mysql-passwd
secret/mysql-passwd created
[root@master /]# kubectl get secrets
NAME TYPE DATA AGE
mysql-passwd Opaque 1 6s
#引入到容器里面
[root@master secret]# cat m1.yaml
# Pod that exposes a Secret value as the environment variable MYSQL_ROOT_PASSWD
# via secretKeyRef.
# NOTE(review): the value is injected into the process environment in clear text;
# anyone who can `kubectl exec` into the container and run printenv sees it (shown
# below). Prefer mounting the Secret as a volume and reading it from a file.
apiVersion: v1
kind: Pod
metadata:
  name: e1
spec:
  containers:
  - name: busybox
    image: docker.io/library/busybox:1.28
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","sleep 36000"]
    env:
    - name: MYSQL_ROOT_PASSWD
      valueFrom:
        secretKeyRef:          # copy the value of the Secret key into the variable
          name: mysql-passwd
          key: mysql-password
[root@master secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
e1 1/1 Running 0 66s
[root@master secret]# kubectl exec -ti e1 -- /bin/sh
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=e1
MYSQL_ROOT_PASSWD=qqqq**aa #密码以明文出现在环境变量里,不安全:能 kubectl exec 进容器、能读 /proc/<pid>/environ 或能拿到容器日志/崩溃转储的人都能看到,子进程也会继承;建议改用 volume 方式挂载 Secret,由应用从文件读取
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
3、将secret做成一个volume来实现挂载到pod里面
#手动编码(不是加密):base64 只是可逆编码,任何人都能用 base64 -d 还原;这里用 echo -n 是为了避免把换行符一起编进去
[root@master ~]# echo -n "admin" | base64
YWRtaW4=
#手动解码
[root@master secret]# echo YWRtaW4= | base64 -d
admin[root@master secret]#
[root@master secret]# cat secret1.yaml
# Opaque Secret with two keys. Values under `data:` must be base64-encoded
# (encoding only, not encryption; `base64 -d` recovers them, as shown above).
# Both values below decode to "admin".
apiVersion: v1
kind: Secret
metadata:
  name: s1
  namespace: test
type: Opaque            # generic/arbitrary key-value secret
data:
  username: YWRtaW4=    # base64("admin")
  password: YWRtaW4=    # base64("admin")
#创建一个pod,挂载进来
[root@master secret]# cat pod-secret1.yaml
# Pod that mounts Secret s1 as a volume: each key becomes a file under /tmp/config
# (username, password) holding the base64-decoded value.
# readOnly: true keeps processes in the container from modifying the mounted files.
apiVersion: v1
kind: Pod
metadata:
  name: ss1
  namespace: test
spec:
  containers:
  - name: busybox
    image: docker.io/library/busybox:1.28
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","sleep 360000"]
    volumeMounts:
    - mountPath: /tmp/config
      name: ss1
      readOnly: true
  volumes:
  - name: ss1
    secret:                 # expose the Secret as a volume
      secretName: s1
#进入容器后看到的是 base64 解码后的明文(kubelet 挂载时已自动解码);上面用 readOnly: true 挂载,容器内进程无法修改这些文件
[root@master secret]# kubectl exec -ti ss1 -n test -- /bin/sh
/ # cd /tmp/config/
/tmp/config # ls
password username
/tmp/config # cat password
admin/tmp/config #