k8s: ConfigMap / Secret / nginx lab
4 Linux virtual machines with a working k8s cluster.
Introduction
ConfigMap
A ConfigMap is the configuration-management object of k8s: it passes configuration as key-value pairs and is normally used for settings that do not need to be kept confidential (confidential values go into a Secret). It addresses the following needs:
A place to keep key-value data, mainly to pass parameters to an application.
When an application is deployed on k8s with its configuration baked into the code, every configuration change forces a new image build. A ConfigMap decouples the configuration from the Docker image.
In a microservice architecture several services often share configuration; keeping a separate copy in each service makes updates tedious, whereas a ConfigMap lets the services share one copy cleanly.
A ConfigMap can hold either a single property or an entire configuration file.
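The two ways of consuming a ConfigMap just described (a single property and a whole file), as an added example that is not part of the original post. It is one manifest with a ConfigMap and a Pod that reads the property as an environment variable and the file as a projected file; the names demo-config and demo-consumer and the sample values are assumptions.

```yaml
# Added example (not from the original post): one ConfigMap that carries both a
# single property and a whole file, and a Pod that consumes each in the matching
# way. The names demo-config and demo-consumer are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config
data:
  # single property, consumed below as an environment variable
  LOG_LEVEL: "info"
  # whole file, consumed below as a projected file
  app.properties: |
    server.port=8080
    feature.flag=false
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-consumer
spec:
  containers:
    - name: app
      image: busybox:1.36
      # print the variable and the file so the projection can be checked in the pod logs
      command: ["sh", "-c", "echo LOG_LEVEL=$LOG_LEVEL; cat /config/app.properties; sleep 3600"]
      env:
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: demo-config
              key: LOG_LEVEL
      volumeMounts:
        - name: config
          mountPath: /config
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: demo-config
        items:
          - key: app.properties
            path: app.properties
```

Apply it with kubectl apply -f and read the result with kubectl logs demo-consumer. The two paths behave differently after a ConfigMap update: an environment variable is fixed when the container starts, whereas a file in a ConfigMap volume (mounted as a directory, without subPath) is refreshed by the kubelet. A file mounted with subPath, as the nginx manifests below do, is not refreshed; the pod has to be restarted to pick up a changed nginx.conf.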
Where it is stored
In Kubernetes a ConfigMap stores non-confidential data such as configuration files and command-line arguments. It can be created and managed in several ways, for example with the `kubectl` command-line tool, YAML files or Helm.
ConfigMaps are stored in etcd, the distributed key-value store of the Kubernetes cluster. etcd guarantees the consistency and durability of the ConfigMap data, so the data survive a node crash or a network fault.
Note that a ConfigMap is not the right place for sensitive data. Confidential data should go into a Kubernetes Secret object. Secret data are also stored in etcd but, unlike a ConfigMap, can be encrypted there so that the sensitive values stay protected.
Secret
A Secret is an object that stores sensitive data such as passwords or keys.
By default a Kubernetes Secret is stored as base64-encoded, unencrypted strings.
base64 is an encoding, not an encryption algorithm, and gives no confidentiality: the original text can be recovered directly from the encoded string.
If a username and password are base64-encoded and stored in a Secret, how does the pod get the plaintext username and password when it loads them?
When a pod loads the contents of a Secret, the base64 strings are decoded automatically and the plaintext is placed inside the container.
Size limits
A single ConfigMap or Secret cannot hold more than 1 MiB of data, because each one is stored as a single object in etcd.
I. Lab environment
4 Linux virtual machines with a working k8s cluster.
II. Lab description
Lab 1: start nginx pods and use a ConfigMap to project nginx.conf into the pod.
Lab 2: use a Secret to project an HTTPS certificate into the pod so that the pod serves HTTPS.
III. Lab 1: steps
1. Project nginx.conf into the pod with a ConfigMap
1.1 Prepare the nginx.conf file
[root@master secrect]# vim nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65s;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
1.2 Store the content of nginx.conf in a ConfigMap (created from the file, which is the simplest way)
[root@master secrect]# kubectl create configmap sc-nginx-1 --from-file=nginx.conf
Then check that the ConfigMap was created:
[root@master secrect]# kubectl get configmap
NAME DATA AGE
example-redis-config 1 14h
game-config 2 13h
kube-root-ca.crt 1 5d14h
sc-nginx-1 1 18s
Also check that sc-nginx-1 actually contains nginx.conf:
[root@master secrect]# kubectl describe configmap sc-nginx-1
Name: sc-nginx-1
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx.conf:
----
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65s;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
BinaryData
====
Events: <none>
1.3 Start the nginx pods using nginx.conf from the ConfigMap
Create a manifest that starts the pods:
[root@master secrect]# vim nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sanchuang-nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: sanchuang-nginx
  template:
    metadata:
      labels:
        app: sanchuang-nginx
    spec:
      containers:
        - name: nginx
          image: "nginx:latest"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
          volumeMounts:
            - name: sanchuang-nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
      volumes:
        - name: sanchuang-nginx-config
          configMap:
            name: sc-nginx-1 # must match the name of the ConfigMap created above
            items:
              - key: nginx.conf
                path: nginx.conf
Apply the manifest:
[root@master secrect]# kubectl apply -f nginx.yaml
Check that the pods are running:
[root@master secrect]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sanchuang-nginx-77cdd449c-5l5wv 1/1 Running 0 18m 10.244.3.42 node3 <none> <none>
sanchuang-nginx-77cdd449c-v58dp 1/1 Running 0 18m 10.244.1.41 node1 <none> <none>
sanchuang-nginx-77cdd449c-xs2rx 1/1 Running 0 18m 10.244.2.24 node2 <none> <none>
2. Verification
Find the node a pod was scheduled on, then list the containers on that node; the first entry is the nginx container that was just started. Note its container ID and run docker top <container id> to check that the processes match what nginx.conf specifies.
[root@node1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3851fc4a2715 080ed0ed8312 "/docker-entrypoint.…" 19 minutes ago Up 19 minutes k8s_nginx_sanchuang-nginx-77cdd449c-v58dp_default_568e22d3-916e-408c-96f7-49884f3b9597_0
48782208ab6b registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 19 minutes ago Up 19 minutes k8s_POD_sanchuang-nginx-77cdd449c-v58dp_default_568e22d3-916e-408c-96f7-49884f3b9597_0
0aae485e6d94 a4ca41631cc7 "/coredns -conf /etc…" 52 minutes ago Up 52 minutes k8s_coredns_coredns-6d8c4cb4d-z65vk_kube-system_a657dc0e-f82e-4641-9db8-f29755ff6393_0
49d320996d28 817bbe3f2e51 "/metrics-server --c…" 52 minutes ago Up 52 minutes k8s_metrics-server_metrics-server-784768bd4b-6lfzz_kube-system_1fe97741-f8e3-4dab-a768-b7de08105488_0
40ea4fffe8fa registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 52 minutes ago Up 52 minutes k8s_POD_coredns-6d8c4cb4d-z65vk_kube-system_a657dc0e-f82e-4641-9db8-f29755ff6393_0
3ef0bcb0d964 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 52 minutes ago Up 52 minutes k8s_POD_metrics-server-784768bd4b-6lfzz_kube-system_1fe97741-f8e3-4dab-a768-b7de08105488_0
4aa2c741b9e8 kubernetesui/dashboard "/dashboard --insecu…" 58 minutes ago Up 58 minutes k8s_kubernetes-dashboard_kubernetes-dashboard-546cbc58cd-jrrjr_kubernetes-dashboard_fe6404c1-ee7e-4fc7-9577-907d3ae8eeae_2
85b0cd9c8304 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 58 minutes ago Up 58 minutes k8s_POD_kubernetes-dashboard-546cbc58cd-jrrjr_kubernetes-dashboard_fe6404c1-ee7e-4fc7-9577-907d3ae8eeae_15
13877b33b24b 8b675dda11bb "/opt/bin/flanneld -…" 58 minutes ago Up 58 minutes k8s_kube-flannel_kube-flannel-ds-bcjbs_kube-flannel_b630dead-ad4c-4e9c-8b5d-c0b1925a4787_6
1ac9c4e275e1 f21c8d21558c "/usr/local/bin/kube…" 58 minutes ago Up 58 minutes k8s_kube-proxy_kube-proxy-4vwfg_kube-system_9c2cdb9f-210d-464e-816a-12ee16dbe281_6
3dfbf7f2a608 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 58 minutes ago Up 58 minutes k8s_POD_kube-flannel-ds-bcjbs_kube-flannel_b630dead-ad4c-4e9c-8b5d-c0b1925a4787_6
74686b9e8c36 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 58 minutes ago Up 58 minutes k8s_POD_kube-proxy-4vwfg_kube-system_9c2cdb9f-210d-464e-816a-12ee16dbe281_6
89276130acfc wordpress:latest "docker-entrypoint.s…" 7 days ago Up 58 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp my_workdpress-wordpress-1
14114c317d64 mariadb:10.6.4-focal "docker-entrypoint.s…" 7 days ago Up 58 minutes 3306/tcp, 33060/tcp my_workdpress-db-1
[root@node1 ~]# docker top 3851fc4a2715
UID PID PPID C STIME TTY TIME CMD
root 17643 17622 0 10:22 ? 00:00:00 nginx: master process nginx -g daemon off;
101 17681 17643 0 10:22 ? 00:00:00 nginx: worker process
101 17682 17643 0 10:22 ? 00:00:00 nginx: worker process
101 17683 17643 0 10:22 ? 00:00:00 nginx: worker process
101 17684 17643 0 10:22 ? 00:00:00 nginx: worker process
One container runs four worker processes, which matches worker_processes 4, so the experiment succeeded.
Another way to verify is to exec into the pod and read nginx.conf directly:
[root@master secrect]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NOD
sanchuang-nginx-77cdd449c-5l5wv 1/1 Running 0 18m 10.244.3.42 nod
sanchuang-nginx-77cdd449c-v58dp 1/1 Running 0 18m 10.244.1.41 nod
sanchuang-nginx-77cdd449c-xs2rx 1/1 Running 0 18m 10.244.2.24 nod
[root@master secrect]# kubectl exec -it sanchuang-nginx-77cdd449c-5l5wv -- bash
root@sanchuang-nginx-77cdd449c-5l5wv:/# cat /etc/nginx/nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65s;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
IV. Lab 2: steps
Description: use a Secret to project an HTTPS certificate into the pod so that the pod serves HTTPS.
1. Edit nginx.conf and add the HTTPS server configuration
[root@master secrect]# vim nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65s;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/nginx/conf.d/tls.crt; # location of the certificate, as an absolute path
        ssl_certificate_key /etc/nginx/conf.d/tls.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }
}
2. Create a new ConfigMap holding the HTTPS-enabled nginx.conf
https-nginx-1 is the name of the ConfigMap.
[root@master secrect]# kubectl create configmap https-nginx-1 --from-file=nginx.conf
configmap/https-nginx-1 created
[root@master secrect]# kubectl get cm
NAME DATA AGE
example-redis-config 1 19h
game-config 2 19h
https-nginx-1 1 16s
kube-root-ca.crt 1 5d19h
sc-nginx-1 1 5h26m
3. Check that https-nginx-1 contains nginx.conf
[root@master secrect]# kubectl describe configmap https-nginx-1
Name: https-nginx-1
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx.conf:
----
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65s;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/nginx/conf.d/tls.crt;
        ssl_certificate_key /etc/nginx/conf.d/tls.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }
}
BinaryData
====
Events: <none>
4. Create a Secret from the certificate files
Make sure the certificate files are in the current directory: 8905404_sanchuangedu.cn.pem is the certificate and 8905404_sanchuangedu.cn.key is its private key.
A certificate has to be bought or obtained on a free trial, for example from Alibaba Cloud, Tencent Cloud or Huawei Cloud.
[root@master secrect]# ls
8905404_sanchuangedu.cn.key backup nginx.yaml secret.yaml
8905404_sanchuangedu.cn.pem nginx.conf secret-pod.yaml
[root@master secrect]# kubectl create secret tls https-secret --key 8905404_sanchuangedu.cn.key --cert 8905404_sanchuangedu.cn.pem
secret/https-secret created
[root@master secrect]# kubectl get secret
NAME TYPE DATA AGE
default-token-w2nj9 kubernetes.io/service-account-token 3 5d19h
https-secret kubernetes.io/tls 2 12s
test-secret Opaque 2 19h
Inspect the contents of https-secret (kubectl describe shows only the size of each key, not the data):
[root@master secrect]# kubectl describe secret https-secret
Name: https-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.key: 1679 bytes
tls.crt: 3834 bytes
5. Start pods that use both the ConfigMap and the Secret
[root@master secrect]# kubectl apply -f nginx.yaml
deployment.apps/sanchuang-nginx-3 created
Create a Service to expose the deployment:
[root@master secrect]# vim service.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-https-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443
      protocol: TCP
  selector:
    app: sanchuang-nginx-3
Verification: open https://<node IP>:30443 in a browser.
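The post applies a manifest that creates the deployment sanchuang-nginx-3 but does not show its contents. The following Deployment is an added example, not the author's file: it mounts nginx.conf from the ConfigMap https-nginx-1 and the certificate pair from the TLS Secret https-secret at exactly the paths the HTTPS nginx.conf above expects, and carries the label app: sanchuang-nginx-3 that the Service selector uses. The Deployment name, the volume names and the use of readOnly and defaultMode are assumptions.

```yaml
# Added example, not the manifest from the original post: a Deployment that
# mounts nginx.conf from the ConfigMap https-nginx-1 and the certificate pair
# from the TLS Secret https-secret at the paths used by ssl_certificate and
# ssl_certificate_key in the nginx.conf above. The label app: sanchuang-nginx-3
# matches the Service selector; the other names are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sanchuang-nginx-3
spec:
  replicas: 3
  selector:
    matchLabels:
      app: sanchuang-nginx-3
  template:
    metadata:
      labels:
        app: sanchuang-nginx-3
    spec:
      containers:
        - name: nginx
          image: "nginx:latest"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            # nginx.conf from the ConfigMap, projected as a single file over the image's own
            - name: nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            # the Secret is mounted as a directory, so its two keys appear as
            # /etc/nginx/conf.d/tls.crt and /etc/nginx/conf.d/tls.key
            - name: tls
              mountPath: /etc/nginx/conf.d
              readOnly: true
      volumes:
        - name: nginx-config
          configMap:
            name: https-nginx-1
            items:
              - key: nginx.conf
                path: nginx.conf
        - name: tls
          secret:
            secretName: https-secret
            # a kubernetes.io/tls Secret already names its keys tls.crt and tls.key;
            # 0400 makes the files owner-readable only, which is enough because the
            # nginx master process (the one that loads the key) runs as root
            defaultMode: 0400
```

Apply it with kubectl apply -f, then confirm the configuration and the certificate paths are accepted with kubectl exec <pod> -- nginx -t before testing port 30443 from outside. Mounting the Secret over /etc/nginx/conf.d hides the image's default.conf, which is harmless here because this nginx.conf does not include that directory. Mounting the volumes readOnly and restricting the key file to mode 0400 keeps the private key from being modified or read by non-root processes inside the container; anyone with kubectl exec or get secret rights in the namespace can still read it, so those RBAC permissions should be granted as sparingly as the key itself.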