配置容器化应用的方式
- 自定义命令行参数
- 把配置文件直接焙进镜像
- 环境变量
- cloud native的应用程序一般可直接通过环境变量加载配置
- 通过entrypoint脚本来预处理变量
- 存储卷
configMap(配置中心)
pod 通过引用 configMap 来读取其中保存的配置
创建configMap
# Create a ConfigMap from inline key/value pairs. ConfigMaps are for non-sensitive
# settings only; credentials belong in a Secret (see the secret section below).
kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.wuxingge.com
查看
kubectl get configmaps
# describe prints every key and value in clear text (acceptable for a ConfigMap,
# which is expected to hold non-sensitive data).
kubectl describe configmaps nginx-config
# A sample nginx server block; it becomes the value of a single key in the ConfigMap below.
cat www.conf
server {
server_name myapp.wuxingge.com;
listen 80;
root /data/web/html/;
}
# --from-file uses the file name (www.conf) as the key and the file content as the value.
kubectl create configmap nginx-www --from-file=./www.conf
编辑
# Edits are written to the API object; Pods that mount the ConfigMap as a directory
# pick up the new file content after the next kubelet sync (subPath mounts do not refresh).
kubectl edit configmaps nginx-www
挂载存储卷中的部分键值
# Project only selected keys of a ConfigMap into the volume, optionally under a
# different file name and with an explicit file mode.
volumes:
  - name: ngxconfig
    configMap:
      name: nginx-config-files
      items:
        - key: myserver.conf
          path: myserver.conf
          # Integer field: the Kubernetes YAML loader reads the octal literal 0644
          # as 420 (rw-r--r--). Do not quote it, a string is rejected by the API.
          mode: 0644
        - key: myserver-gzip.cfg
          # The file name in the mount may differ from the key name.
          path: myserver-compression.cfg
- key:要引用的键名称,必选字段。
- path:对应的键于挂载点目录中生成的文件的相对路径,可以不同于键名称,必选字段
- mode:文件的权限模型,可用范围为0到0777
pod-configmap.yaml
# pod-configmap.yaml: expose ConfigMap keys to the container as environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    wuxingge.com/created-by: "cluster admin"
spec:
  containers:
    - name: myapp
      image: ikubernetes/myapp:v1
      ports:
        - name: http
          containerPort: 80
      # Values are resolved once, when the container starts: a later edit of the
      # ConfigMap is not reflected until the Pod is recreated. If the ConfigMap or
      # key is missing the container fails to start (unless `optional: true` is set).
      env:
        - name: NGINX_SERVER_PORT
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: nginx_port
        - name: NGINX_SERVER_NAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: server_name
pod-configmap-2.yaml
# pod-configmap-2.yaml: mount the whole ConfigMap as a directory, one file per key.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    wuxingge.com/created-by: "cluster admin"
spec:
  containers:
    - name: myapp
      image: ikubernetes/myapp:v1
      ports:
        - name: http
          containerPort: 80
      volumeMounts:
        # Mounting over an existing directory hides whatever the image shipped there.
        # readOnly keeps the application from modifying its own configuration.
        - name: nginxconf
          mountPath: /etc/nginx/config.d/
          readOnly: true
  volumes:
    - name: nginxconf
      configMap:
        name: nginx-config
pod-configmap-3.yaml
# pod-configmap-3.yaml: mount the nginx-www ConfigMap (key www.conf) into nginx's conf.d.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    wuxingge.com/created-by: "cluster admin"
spec:
  containers:
    - name: myapp
      image: ikubernetes/myapp:v1
      ports:
        - name: http
          containerPort: 80
      volumeMounts:
        # The directory mount replaces the image's conf.d contents entirely; use
        # subPath (next example) to add a single file without hiding the others.
        - name: nginxconf
          mountPath: /etc/nginx/conf.d/
          readOnly: true
  volumes:
    - name: nginxconf
      configMap:
        name: nginx-www
- 无论是装载所有文件还是部分文件,挂载点目录下原有的文件都会被隐藏。
- volumeMounts字段中使用的subPath字段,可以支持用户从存储卷挂载单个文件或单个目录而非整个存储卷
# Mount individual keys of one ConfigMap volume as single files via subPath.
volumeMounts:
  # Each subPath mount places one file without hiding the rest of conf.d.
  # Note: subPath mounts are not refreshed when the ConfigMap changes; a
  # restart (or a directory mount) is needed to see updates.
  - name: ngxconfig
    mountPath: /etc/nginx/conf.d/myserver.conf
    subPath: myserver.conf
    readOnly: true
  - name: ngxconfig
    mountPath: /etc/nginx/conf.d/myserver-status.cfg
    subPath: myserver-status.cfg
    readOnly: true
volumes:
  - name: ngxconfig
    configMap:
      name: nginx-config-files
- 使用ConfigMap资源为容器应用提供配置的优势之一在于其支持容器应用动态更新其配置
- 用户直接更新ConfigMap对象,而后由容器应用重载其配置文件即可
nginx使用configmap挂载单个配置文件
vi nginx-cm.yaml
# nginx-cm.yaml: a complete nginx.conf stored under a single ConfigMap key.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: default
data:
  # `|-` keeps the newlines of the file body and drops the trailing newline.
  nginx.conf: |-
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    pid /var/run/nginx.pid;
    events {
        use epoll;
        worker_connections 65535;
        accept_mutex off;
        multi_accept off;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        include /etc/nginx/conf.d/*.conf;
    }
vi nginx-dp.yaml
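# nginx-dp.yaml: Deployment that overlays nginx.conf from the ConfigMap, plus a NodePort Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-test
  template:
    metadata:
      labels:
        app: nginx-test
    spec:
      containers:
        - name: nginx-test
          image: nginx:alpine
          ports:
            - containerPort: 80
          volumeMounts:
            # subPath replaces only /etc/nginx/nginx.conf and leaves the rest of
            # /etc/nginx from the image intact. subPath mounts are not refreshed
            # when the ConfigMap changes: roll the Deployment to pick up edits.
            - name: nginx-conf
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
      volumes:
        - name: nginx-conf
          configMap:
            name: nginx-conf
            items:
              - key: nginx.conf
                path: nginx.conf
                # Integer field; the octal literal 0644 is read as 420 (rw-r--r--).
                mode: 0644
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-test
  namespace: default
spec:
  selector:
    app: nginx-test
  type: NodePort
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
      # nodePort must lie inside the API server's service-node-port-range
      # (30000-32767 by default); the original value 80 is rejected on apply.
      # 30080 is an example value, pick any free port in the range.
      nodePort: 30080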
secret
创建secret
# Demo only: a literal passed on the command line is recorded in shell history and
# visible in process listings. For real credentials prefer --from-file or --from-env-file.
kubectl create secret generic mysql-root-password --from-literal=password=MyP@ss123
查看
# -o yaml prints the (base64-encoded) values; `kubectl describe secret` shows only their sizes.
kubectl get secrets mysql-root-password -o yaml
# Output of `kubectl get secrets mysql-root-password -o yaml`.
apiVersion: v1
data:
  # Base64 is an encoding, not encryption: anyone allowed to `get` this Secret can
  # recover the value (see the base64 -d step below). Restrict access with RBAC and
  # consider encryption at rest for the secrets resource.
  password: TXlQQHNzMTIz
kind: Secret
metadata:
  creationTimestamp: "2019-11-30T08:26:57Z"
  name: mysql-root-password
  namespace: default
  resourceVersion: "711777"
  # Server-populated field; newer API servers no longer return it.
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
  uid: 2c259780-134b-11ea-a76c-000c29b4d624
type: Opaque
# Decoding recovers the original value: the Secret only obscures it, it does not protect it.
echo TXlQQHNzMTIz |base64 -d
MyP@ss123
pod-secret-1.yaml
# pod-secret-1.yaml: inject a Secret key into the container as an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    wuxingge.com/created-by: "cluster admin"
spec:
  containers:
    - name: myapp
      image: ikubernetes/myapp:v1
      ports:
        - name: http
          containerPort: 80
      # The decoded value is placed in the process environment, which is readable by
      # every process in the container and easily leaked into logs or crash dumps.
      # Mounting the Secret as a file volume (see the TLS example below) is safer.
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-root-password
              key: password
密钥证书
# The subshell's umask 077 makes nginx.key owner-readable only (0600) without changing
# the caller's umask. Keep the key file out of version control.
(umask 077; openssl genrsa -out nginx.key 2048)
# Self-signed certificate for testing (validity is openssl's default unless -days is given).
openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=www.ilinux.io
# Creates a Secret of type kubernetes.io/tls with keys tls.crt and tls.key.
kubectl create secret tls nginx-ssl --key=./nginx.key --cert=./nginx.crt
# Mount the TLS Secret into nginx as files.
containers:
  - image: nginx:alpine
    name: web-server
    volumeMounts:
      # The Secret is projected as tls.crt and tls.key under this directory.
      - name: nginxcert
        mountPath: /etc/nginx/ssl/
        readOnly: true
volumes:
  - name: nginxcert
    secret:
      secretName: nginx-ssl
      # Secret volume files default to mode 0644, so the private key is readable by
      # every user in the container. Adding `defaultMode: 0400` here tightens that,
      # provided the process reading the key runs as the file owner (root).
docker仓库 secret
创建docker仓库 secret
# Creates a kubernetes.io/dockerconfigjson Secret in the `default` namespace. The Deployment
# below runs in `dev`, and imagePullSecrets only resolve Secrets in the Pod's own namespace,
# so create it with `-n dev` (or the pull fails). The password on the command line lands in
# shell history; an existing docker login can be imported instead with
# `kubectl create secret generic docker-registry-key --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson`.
kubectl -n default create secret docker-registry docker-registry-key --docker-server=x.x.x.x:5000 --docker-username=xxx --docker-password=xxx
k8s 拉取私有仓库镜像
# Deployment pulling from a private registry with an image pull Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: dev
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
      # Pods are created in the Deployment's namespace; this field appears to be
      # redundant here and can be dropped.
      namespace: dev
    spec:
      # The kubelet authenticates to the registry with this Secret, which must exist
      # in the Pod's namespace (dev). The docker-registry command above created it
      # in default, so it has to be recreated in dev for the pull to succeed.
      imagePullSecrets:
        - name: docker-registry-key
      containers:
        - name: nginx
          # x.x.x.x:5000 is a placeholder for the private registry address.
          image: x.x.x.x:5000/nginx:20230202v1
          ports:
            - containerPort: 80