目录

简介

configmap 

secret 

一、实验环境 

二、实验描述

三、实验1:步骤

1.使用configmap投射到nginx.conf配置文件到pod里

1.1需要准备nginx.conf配置文件

1.2将nginx.conf内容存放到configmap里(通过文件的方式,,这样简单一点)

1.3 启动ngnix的pod,使用configmap里的nginx.conf配置文件

2.验证

四、实验2:步骤

1. 修改nginx.conf配置文件,添加https的支持配置

2. 重新生成支持https配置的configmap,存放nginx.conf

3. 查看https-nginx-1里的具体内容是否有nginx.conf的内容

4. 将证书的内容生成secret

5. 启动pod使用configmap和secret里的内容

验证: 用浏览器访问宿主机的30443端口


简介

configmap 

configmap是k8s的一个配置管理组件,可以将配置以key-value的形式传递,通常用来保存不需要加密的配置信息,加密信息则需用到Secret,主要用来应对以下场景:

一个保存key_value数据的地方,主要用来给应用程序传递参数 

使用k8s部署应用,当你将应用配置写进代码中,就会存在一个问题,更新配置时也需要打包镜像,configmap可以将配置信息和docker镜像解耦。
使用微服务架构的话,存在多个服务共用配置的情况,如果每个服务中单独一份配置的话,那么更新配置就很麻烦,使用configmap可以友好的进行配置共享。
其次,configmap可以用来保存单个属性,也可以用来保存配置文件。

 存储的地方

Kubernetes 中的 ConfigMap 用于存储非密文数据,如配置文件、命令行参数等等。ConfigMap 可以以多种方式创建和管理,例如使用命令行工具 `kubectl`、YAML 文件、Helm 等等。

ConfigMap 存储在 etcd 中,是 Kubernetes 集群的一个分布式键值存储系统。etcd 可以保证 ConfigMap 数据的一致性和持久性,即便某个节点宕机或网络异常,数据也不会丢失。

需要注意的是,ConfigMap 并不是用于存储敏感数据的最佳选择。如果需要存储密文数据,应该使用 Kubernetes 中的 Secret 对象。Secret 数据也存储在 etcd 中,但同时也会经过加密,确保敏感数据的安全性。

secret 

Secret 是存储诸如密码或密钥之类的敏感数据的对象

Kubernetes Secret 默认情况下存储为 base64-编码的、非加密的字符串。

base64这种加密算法,不是特别安全,可以根据密文反推明文

用户名和密码使用base64加密存放到secret里,pod在加载的时候,如何去验证明文的用户名和密码呢?
当pod加载secret里的内容的时候,会自动将密文的字符串转换为明文的,存放到pod容器里

尺寸限制

一、实验环境 

4台linux虚拟机,并已经搭建好k8s环境

二、实验描述

实验1:启动nginx里的pod,使用configmap投射nginx.conf配置文件到pod里。

实验2:使用secret投射https的证书到pod里,让pod支持https的访问

三、实验1:步骤

1.使用configmap投射到nginx.conf配置文件到pod里

1.1需要准备nginx.conf配置文件

[root@master secrect]# vim nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include  mime.types;
    default_type application/octet-stream;
    sendfile  on;
    keepalive_timeout 65s;
    server {
    listen 80;
    server_name localhost;
        location / {
            root  html;
            index index.html index.htm;
        }
        error_page  500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}

1.2将nginx.conf内容存放到configmap里(通过文件的方式,,这样简单一点)

[root@master secrect]# kubectl create configmap sc-nginx-1 --from-file=nginx.conf

 然后查看configmap是否启动成功

[root@master secrect]# kubectl get configmap
NAME                   DATA   AGE
example-redis-config   1      14h
game-config            2      13h
kube-root-ca.crt       1      5d14h
sc-nginx-1             1      18s

同时查看sc-nginx-1里的具体内容是否有nginx.conf的内容

[root@master secrect]# kubectl describe configmap sc-nginx-1
Name:         sc-nginx-1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx.conf:
----
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include  mime.types;
    default_type application/octet-stream;
    sendfile  on;
    keepalive_timeout 65s;
    server {
    listen 80;
    server_name localhost;
        location / {
            root  html;
            index index.html index.htm;
        }
        error_page  500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}



BinaryData
====

Events:  <none>

1.3 启动ngnix的pod,使用configmap里的nginx.conf配置文件

创建一个启动pod的配置文件

[root@master secrect]# vim nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sanchuang-nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: sanchuang-nginx
  template:
    metadata:
      labels:
        app: sanchuang-nginx
    spec:
      containers:
        - name: nginx
          image: "nginx:latest"
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 80
          volumeMounts:
          - name: sanchuang-nginx-config
            mountPath: /etc/nginx/nginx.conf
            subPath: nginx.conf
      volumes:
        - name: sanchuang-nginx-config
          configMap:
            name: sc-nginx-1    #这里的名字要与上面创建的configmap名字一致
            items:
            - key: nginx.conf
              path: nginx.conf

启动这个配置文件

[root@master secrect]# kubectl apply -f nginx.yaml

查看pod是否启动起来了

[root@master secrect]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
sanchuang-nginx-77cdd449c-5l5wv   1/1     Running   0          18m   10.244.3.42   node3   <none>           <none>
sanchuang-nginx-77cdd449c-v58dp   1/1     Running   0          18m   10.244.1.41   node1   <none>           <none>
sanchuang-nginx-77cdd449c-xs2rx   1/1     Running   0          18m   10.244.2.24   node2   <none>           <none>

2.验证

查找启动的容器的node, 然后在node节点上nginx的信息,最上面的的docker是刚刚最新启动的,将container id记录下来,然后用docker top + container id来查看是否跟nginx.conf里的设定的的一样

[root@node1 ~]# docker ps
CONTAINER ID   IMAGE                                               COMMAND                   CREATED          STATUS          PORTS                               NAMES
3851fc4a2715   080ed0ed8312                                        "/docker-entrypoint.…"   19 minutes ago   Up 19 minutes                                       k8s_nginx_sanchuang-nginx-77cdd449c-v58dp_default_568e22d3-916e-408c-96f7-49884f3b9597_0
48782208ab6b   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"                  19 minutes ago   Up 19 minutes                                       k8s_POD_sanchuang-nginx-77cdd449c-v58dp_default_568e22d3-916e-408c-96f7-49884f3b9597_0
0aae485e6d94   a4ca41631cc7                                        "/coredns -conf /etc…"   52 minutes ago   Up 52 minutes                                       k8s_coredns_coredns-6d8c4cb4d-z65vk_kube-system_a657dc0e-f82e-4641-9db8-f29755ff6393_0
49d320996d28   817bbe3f2e51                                        "/metrics-server --c…"   52 minutes ago   Up 52 minutes                                       k8s_metrics-server_metrics-server-784768bd4b-6lfzz_kube-system_1fe97741-f8e3-4dab-a768-b7de08105488_0
40ea4fffe8fa   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"                  52 minutes ago   Up 52 minutes                                       k8s_POD_coredns-6d8c4cb4d-z65vk_kube-system_a657dc0e-f82e-4641-9db8-f29755ff6393_0
3ef0bcb0d964   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"                  52 minutes ago   Up 52 minutes                                       k8s_POD_metrics-server-784768bd4b-6lfzz_kube-system_1fe97741-f8e3-4dab-a768-b7de08105488_0
4aa2c741b9e8   kubernetesui/dashboard                              "/dashboard --insecu…"   58 minutes ago   Up 58 minutes                                       k8s_kubernetes-dashboard_kubernetes-dashboard-546cbc58cd-jrrjr_kubernetes-dashboard_fe6404c1-ee7e-4fc7-9577-907d3ae8eeae_2
85b0cd9c8304   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"                  58 minutes ago   Up 58 minutes                                       k8s_POD_kubernetes-dashboard-546cbc58cd-jrrjr_kubernetes-dashboard_fe6404c1-ee7e-4fc7-9577-907d3ae8eeae_15
13877b33b24b   8b675dda11bb                                        "/opt/bin/flanneld -…"   58 minutes ago   Up 58 minutes                                       k8s_kube-flannel_kube-flannel-ds-bcjbs_kube-flannel_b630dead-ad4c-4e9c-8b5d-c0b1925a4787_6
1ac9c4e275e1   f21c8d21558c                                        "/usr/local/bin/kube…"   58 minutes ago   Up 58 minutes                                       k8s_kube-proxy_kube-proxy-4vwfg_kube-system_9c2cdb9f-210d-464e-816a-12ee16dbe281_6
3dfbf7f2a608   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"                  58 minutes ago   Up 58 minutes                                       k8s_POD_kube-flannel-ds-bcjbs_kube-flannel_b630dead-ad4c-4e9c-8b5d-c0b1925a4787_6
74686b9e8c36   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"                  58 minutes ago   Up 58 minutes                                       k8s_POD_kube-proxy-4vwfg_kube-system_9c2cdb9f-210d-464e-816a-12ee16dbe281_6
89276130acfc   wordpress:latest                                    "docker-entrypoint.s…"   7 days ago       Up 58 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   my_workdpress-wordpress-1
14114c317d64   mariadb:10.6.4-focal                                "docker-entrypoint.s…"   7 days ago       Up 58 minutes   3306/tcp, 33060/tcp                 my_workdpress-db-1
[root@node1 ~]# docker top 3851fc4a2715
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                17643               17622               0                   10:22               ?                   00:00:00            nginx: master process nginx -g daemon off;
101                 17681               17643               0                   10:22               ?                   00:00:00            nginx: worker process
101                 17682               17643               0                   10:22               ?                   00:00:00            nginx: worker process
101                 17683               17643               0                   10:22               ?                   00:00:00            nginx: worker process
101                 17684               17643               0                   10:22               ?                   00:00:00            nginx: worker process

可以看到一个docker容器里有4个work,说明实验成功。

还有一种方法,进入pod查看nginx.conf配置文件里的内容

[root@master secrect]# kubectl get pod -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP            NOD
sanchuang-nginx-77cdd449c-5l5wv   1/1     Running   0          18m   10.244.3.42   nod
sanchuang-nginx-77cdd449c-v58dp   1/1     Running   0          18m   10.244.1.41   nod
sanchuang-nginx-77cdd449c-xs2rx   1/1     Running   0          18m   10.244.2.24   nod
[root@master secrect]# kubectl exec -it sanchuang-nginx-77cdd449c-5l5wv -- bash
root@sanchuang-nginx-77cdd449c-5l5wv:/# cat /etc/nginx/nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include  mime.types;
    default_type application/octet-stream;
    sendfile  on;
    keepalive_timeout 65s;
    server {
    listen 80;
    server_name localhost;
        location / {
            root  html;
            index index.html index.htm;
        }
        error_page  500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}

四、实验2:步骤

描述:使用secret投射https的证书到pod里,让pod支持https的访问

1. 修改nginx.conf配置文件,添加https的支持配置

[root@master secrect]# vim nginx.conf
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include  mime.types;
    default_type application/octet-stream;
    sendfile  on;
    keepalive_timeout 65s;
    server {
    listen 80;
    server_name localhost;
        location / {
            root  html;
            index index.html index.htm;
        }
        error_page  500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
         listen     443 sslp;
         server_name  localhost;
       
         ssl_certificate     /etc/nginx/conf.d/tls.crt;   #证书的位置,使用绝对路径
         ssl-certificate_key /etc/nginx/conf.d/tls.key;        

         ssl_session_cache      share:SSL:1m;
         ssl_session_timeout    5m;
   
         ssl_ciphers   HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers   on;
   
         location / {
             root    html;
             index   index.html   index.htm;
         }
    }
}

2. 重新生成支持https配置的configmap,存放nginx.conf

https-nginx-1是configmap的名字

[root@master secrect]# kubectl create configmap https-nginx-1 --from-file=nginx.conf
configmap/https-nginx-1 created
[root@master secrect]# kubectl get cm
NAME                   DATA   AGE
example-redis-config   1      19h
game-config            2      19h
https-nginx-1          1      16s
kube-root-ca.crt       1      5d19h
sc-nginx-1             1      5h26m

3. 查看https-nginx-1里的具体内容是否有nginx.conf的内容

[root@master secrect]# kubectl describe configmap https-nginx-1
Name:         https-nginx-1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx.conf:
----
worker_processes 4;
events {
    worker_connections 2048;
}
http {
    include  mime.types;
    default_type application/octet-stream;
    sendfile  on;
    keepalive_timeout 65s;
    server {
    listen 80;
    server_name localhost;
        location / {
            root  html;
            index index.html index.htm;
        }
        error_page  500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
         listen     443 sslp;
         server_name  localhost;
       
         ssl_certificate     /etc/nginx/conf.d/tls.crt;    
         ssl-certificate_key /etc/nginx/conf.d/tls.key;        

         ssl_session_cache      share:SSL:1m;
         ssl_session_timeout    5m;
   
         ssl_ciphers   HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers   on;
   
         location / {
             root    html;
             index   index.html   index.htm;
         }
    }
}



BinaryData
====

Events:  <none>

4. 将证书的内容生成secret

确保证书文件在同目录下,8905404_sanchuangedu.cn.pem就和8905404_sanchuangedu.cn.key是证书文件

证书是需要去购买或者免费试用的,可以到阿里云或者腾讯云、华为云等平台去购买或者免费申请试用

[root@master secrect]# ls
8905404_sanchuangedu.cn.key  backup      nginx.yaml       secret.yaml
8905404_sanchuangedu.cn.pem  nginx.conf  secret-pod.yaml
[root@master secrect]# kubectl create secret tls https-secret --key 8905404_sanchuangedu.cn.key --cert 8905404_sanchuangedu.cn.pem
secret/https-secret created
[root@master secrect]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-w2nj9   kubernetes.io/service-account-token   3      5d19h
https-secret          kubernetes.io/tls                     2      12s
test-secret           Opaque                                2      19h

查看https-secret里的内容

[root@master secrect]# kubectl describe secret https-secret
Name:         https-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.key:  1679 bytes
tls.crt:  3834 bytes

5. 启动pod使用configmap和secret里的内容

[root@master secrect]# kubectl apply -f nginx.yaml
deployment.apps/sanchuang-nginx-3 created

创建一个service把它发布出去

[root@master secrect]# vim service.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-https-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30080
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
    protocol: TCP
  selector:
    app: sanchuang-nginx-3

验证: 用浏览器访问宿主机的30443端口

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐