k8s资源对象(5)配置管理(configMap、secret)
一般用于存储 Pod 中应用所需的配置信息或环境变量,将配置与 Pod 分开,避免因为修改配置而需要重新构建镜像与容器。
1.ConfigMap
一般用于存储 Pod 中应用所需的配置信息或环境变量,将配置与 Pod 分开,避免因为修改配置而需要重新构建镜像与容器。
1.1创建ConfigMap(cm)
使用 kubectl create configmap -h 查看示例,构建 configmap 对象
Examples:
# Create a new config map named my-config based on folder bar
# 将文件夹中的所有文件都作为配置文件加载到cm中
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new config map named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
# Create a new config map named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
1.1.1从目录中加载所有配置文件
kubectl create configmap my-config --from-file=path/to/bar
#创建test目录
[root@master configmap]# mkdir -pv test
#进入目录后创建两个配置文件(仅为演示:ConfigMap 以明文保存数据,describe 时会直接显示,实际环境中密码等敏感信息应放入 Secret)
[root@master configmap]# cd test/
[root@master test]# ls
db.properties redis.properties
[root@master test]# cat db.properties
username=root
password=admin
[root@master test]# cat redis.properties
host=127.0.0.1
port=6379
#回到上一级目录
cd ..
[root@master configmap]# kubectl create cm test-dir-config --from-file=test/
configmap/test-dir-config created
#创建
[root@master configmap]# kubectl create cm test-dir-config --from-file=test/
configmap/test-dir-config created
[root@master configmap]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 5d23h
test-dir-config 2 5s
[root@master configmap]# kubectl describe cm test-dir-config
Name: test-dir-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
redis.properties:
----
host=127.0.0.1
port=6379
db.properties:
----
username=root
password=admin
BinaryData
====
Events: <none>
1.1.2从指定文件中加载配置文件
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
[root@master configmap]# vim application.yaml
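# Spring Boot settings loaded into the ConfigMap as the single key
# "application.yaml". The page printed "spring:" twice; the describe output
# of the resulting ConfigMap shows it once, so the duplicate is dropped.
# NOTE(review): indentation was lost on the page; "server" is written as a
# top-level key, which is where Spring Boot reads server.port — confirm.
spring:
  application:
    name: test-app
server:
  port: 8080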
[root@master configmap]# kubectl create cm spring-boot-test-yaml --from-file=./application.yaml
[root@master configmap]# kubectl get cm
NAME DATA AGE
spring-boot-test-yaml 1 5s
[root@master configmap]# kubectl describe cm spring-boot-test-yaml
Name: spring-boot-test-yaml
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
application.yaml:
----
spring:
application:
name: test-app
server:
port: 8080
BinaryData
====
Events: <none>
1.2在pod中引用cm
1.2.1引用键值对格式
创建configmap-env-demo.yaml
---
# ConfigMap holding two plain key/value settings for the demo application.
# ConfigMap data is stored and displayed in clear text, so it is the wrong
# place for passwords or tokens.
apiVersion: v1
kind: ConfigMap
metadata:
  name: demoapp-config
  namespace: dev
data:
  demoapp.port: "8080"   # quoted because ConfigMap data values must be strings
  demoapp.host: 0.0.0.0
---
# Pod that copies both ConfigMap keys into container environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: configmap-env-demo
  namespace: dev
spec:
  containers:
  - name: demoapp
    image: nginx:1.17.1
    env:
    # Environment variable that receives the value. The hyphen means a POSIX
    # shell cannot expand it as $TEST-PORT; it is still visible via printenv.
    - name: TEST-PORT
      valueFrom:
        configMapKeyRef:         # take the value from a ConfigMap
          name: demoapp-config   # which ConfigMap to read
          key: demoapp.port      # which key inside that ConfigMap
          optional: false        # required: the key must be defined above
    - name: HOST
      valueFrom:
        configMapKeyRef:
          name: demoapp-config
          key: demoapp.host
          optional: true         # optional: the key may be left undefined
[root@master configmap]# kubectl apply -f configmap-env-demo.yaml
[root@master configmap]# kubectl get cm -n dev
NAME DATA AGE
demoapp-config 2 62s
[root@master configmap]# kubectl describe -n dev cm demoapp-config
Name: demoapp-config
Namespace: dev
Labels: <none>
Annotations: <none>
Data
====
demoapp.host:
----
0.0.0.0
demoapp.port:
----
8080
BinaryData
====
Events: <none>
#查看pod的环境变量
[root@master configmap]# kubectl exec -it configmap-env-demo -n dev -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=configmap-env-demo
TERM=xterm
#可以看到引用的值
TEST-PORT=8080
HOST=0.0.0.0
1.2.2引用文件(基于存储卷的方式)
[root@master configmap]# mkdir nginx-conf.d
[root@master configmap]# ls
application.yaml configmap-env-demo.yaml configmap-volume-demo.yaml nginx-conf.d test
[root@master configmap]# cd nginx-conf.d/
[root@master nginx-conf.d]# ls
[root@master nginx-conf.d]# vim myserver.conf
# Virtual host listening on 8080. Extra location blocks are pulled in from
# every myserver-*.cfg file in conf.d, so those files must sit next to this
# one when the ConfigMap is mounted.
server{
    listen 8080;
    server_name www.ik8s.io;
    include /etc/nginx/conf.d/myserver-*.cfg;
    location / {
        root /usr/share/nginx/html;
    }
}
[root@master nginx-conf.d]# vim myserver-status.cfg
# Status endpoint included into the server block of myserver.conf.
# NOTE(review): there is no allow/deny rule here, so any client that can
# reach port 8080 can read the connection counters; outside a demo, restrict
# it with allow/deny to the monitoring source.
location /nginx-status {
    stub_status on;
    access_log off;   # status polls are not written to the access log
}
[root@master configmap]# kubectl -n dev create configmap nginx-confs-files --from-file=./nginx-conf.d
configmap/nginx-confs-files created
[root@master configmap]# kubectl get cm -n dev
NAME DATA AGE
nginx-confs-files 2 6s
创建configmap-volume-demo.yaml
# Pod that mounts every key of the ConfigMap as a file under nginx's conf.d.
# The volume replaces the whole directory: the listing taken inside this Pod
# shows only the two ConfigMap files, not the image's own default.conf.
apiVersion: v1
kind: Pod
metadata:
  name: configmap-volume-demo
  namespace: dev
spec:
  containers:
  - name: nginx-server
    image: nginx:alpine
    volumeMounts:
    - name: ngxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: ngxconfs
    configMap:
      name: nginx-confs-files   # name of the ConfigMap to mount
      optional: false           # the ConfigMap is required
测试
[root@master configmap]# kubectl apply -f configmap-volume-demo.yaml
pod/configmap-volume-demo created
[root@master configmap]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
configmap-volume-demo 1/1 Running 0 31s 10.244.2.80 node2 <none> <none>
[root@master configmap]# curl 10.244.2.80:8080/nginx-status
Active connections: 1
server accepts handled requests
1 1 1
Reading: 0 Writing: 1 Waiting: 0
[root@master configmap]# kubectl -n dev exec -it configmap-volume-demo -- /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
myserver-status.cfg myserver.conf
1.2.3引用cm中的一个配置文件
方法一:
创建configmap-volume-item1-demo.yaml
# Method 1: mount a single ConfigMap key as one file by using subPath.
# The rest of conf.d is left as the image ships it; the listing taken inside
# this Pod shows default.conf next to myserver-status.cfg.
# Caveat: a subPath mount does not pick up later changes to the ConfigMap.
apiVersion: v1
kind: Pod
metadata:
  name: configmap-volume-demo2
  namespace: dev
spec:
  containers:
  - name: nginx-server
    image: nginx:alpine
    volumeMounts:
    - name: ngxconfs
      mountPath: /etc/nginx/conf.d/myserver-status.cfg
      subPath: myserver-status.cfg   # the one key of the ConfigMap to mount
      readOnly: true
  volumes:
  - name: ngxconfs
    configMap:
      name: nginx-confs-files
查看
[root@master configmap]# kubectl -n dev exec -it configmap-volume-demo2 -- bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
default.conf myserver-status.cfg
方法二
# Method 2: mount the directory but project only selected keys via "items".
# The volume still replaces the whole of conf.d; the listing taken inside
# this Pod shows myserver-status.cfg as the only file.
apiVersion: v1
kind: Pod
metadata:
  name: configmap-volume-demo3
  namespace: dev
spec:
  containers:
  - name: nginx-server
    image: nginx:alpine
    volumeMounts:
    - name: ngxconfs
      mountPath: /etc/nginx/conf.d   # directory the selected files appear in
      readOnly: true
  volumes:
  - name: ngxconfs
    configMap:
      name: nginx-confs-files
      items:
      - key: "myserver-status.cfg"    # ConfigMap key to project
        path: "myserver-status.cfg"   # file name it gets inside the mount
[root@master configmap]# kubectl -n dev exec -it configmap-volume-demo3 -- bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
myserver-status.cfg
2.secret
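Secret 用于保存密码、令牌、证书等敏感配置,其数据以 base64 编码的形式存储。注意 base64 只是编码而不是加密,任何有权读取该 Secret 的人都可以直接解码得到原文(见下文的解码示例),因此应通过 RBAC 限制对 Secret 的读取权限。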
主要分成三种secret
[root@master secret]# kubectl create secret -h
Create a secret with specified type.
A docker-registry type secret is for accessing a container registry.
A generic type secret indicate an Opaque secret type.
A tls type secret holds TLS certificate and its associated key.
Available Commands:
#docker仓库类型
docker-registry Create a secret for use with a Docker registry
#通用类型
generic Create a secret from a local file, directory, or literal value
#TLS类型
tls Create a TLS secret
Usage:
kubectl create secret (docker-registry | generic | tls) [options]
2.1创建
[root@master secret]# kubectl create secret generic orig-secret --from-literal=username=admin --from-literal=password=ds@123
secret/orig-secret created
[root@master secret]# kubectl describe secret orig-secret
Name: orig-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 6 bytes
username: 5 bytes
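最常用的是docker-registry类型,用于保存拉取私有镜像仓库镜像所需的凭据。注意:下面的命令没有指定 --docker-server,因此凭据会记录在默认的 https://index.docker.io/v1/ 下(见后面的解码结果);如果要用于 Harbor 等私有仓库,需要用 --docker-server 指定仓库地址。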
#创建
[root@master secret]# kubectl create secret docker-registry harbor-secret --docker-username=admin --docker-password=yunweiyanjiuseng --docker-email=yunwei@yanjiuseng.com
secret/harbor-secret created
#查看
[root@master secret]# kubectl get secrets
NAME TYPE DATA AGE
harbor-secret kubernetes.io/dockerconfigjson 1 19s
orig-secret Opaque 2 8m37s
[root@master secret]# kubectl describe se
secrets serviceaccounts services
[root@master secret]# kubectl describe secrets harbor-secret
Name: harbor-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 166 bytes
#编辑
[root@master secret]# kubectl edit secrets harbor-secret
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
.dockerconfigjson: # 这就编码后的eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoieXVud2VpeWFuaml
1c2VuZyIsImVtYWlsIjoieXVud2VpQHlhbmppdXNlbmcuY29tIiwiYXV0aCI6IllXUnRhVzQ2ZVhWdWQyVnBlV0Z1YW1sMWMyVnVadz09In19fQ==
kind: Secret
metadata:
creationTimestamp: "2024-01-15T07:50:09Z"
name: harbor-secret
namespace: default
resourceVersion: "842499"
uid: 4a946043-9e37-4d04-a199-e48b19440893
type: kubernetes.io/dockerconfigjson
#base64解码查看
[root@master secret]# echo 'eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoieXVud2VpeWFuaml1c2VuZyIsImVtYWlsIjoieXVud2VpQHlhbmppdXNlbmcuY29tIiwiYXV0aCI6IllXUnRhVzQ2ZVhWdWQyVnBlV0Z1YW1sMWMyVnVadz09In19fQ==' | base64 --decode
{"auths":{"https://index.docker.io/v1/":{"username":"admin","password":"yunweiyanjiuseng","email":"yunwei@yanjiuseng.com","auth":"YWRtaW46eXVud2VpeWFuaml1c2VuZw=="}}}
#在配置文件中引用
定义在pod中
pod.spec.imagePullSecrets
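# Fragment showing where a Pod references an image-pull Secret.
apiVersion: v1
kind: Pod
metadata:
  name: configmap-volume-demo3
  namespace: dev
spec:   # the page misspelled this key as "spce", leaving the Pod without a spec
  # NOTE(review): imagePullSecrets are resolved in the Pod's own namespace.
  # This Pod is in "dev", while harbor-secret was created in "default" earlier
  # on the page, so the Secret must also be created in "dev" for the pull to
  # use it.
  imagePullSecrets:
  - name: harbor-secret
  # containers: omitted in the original snippet; a real Pod needs at least one.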