
K8S ConfigMap and Secret

source link: https://blog.51cto.com/liqingbiao/5284274


清风明月li, 2022-05-09 20:13:41, category: Docker&K8S, © the author

Tags: redis, docker, d3. Section: Linux systems/operations. Reads: 252

I. ConfigMap

1. Introduction

A ConfigMap lets you separate configuration from the container image so that containerised applications stay portable. The ConfigMap API provides a mechanism for injecting configuration into containers; a ConfigMap can hold a single property, a whole configuration file, or a JSON blob.

The data field holds the configuration data. That data can be consumed in Pods in several ways; a ConfigMap can be used to:

1. set the value of environment variables

2. set command-line arguments inside a container

3. create config files inside a volume

Both users and system components can store configuration data in a ConfigMap.

2. Creating a ConfigMap

2.1. From a directory or from files

You can create a ConfigMap from several files in one directory with kubectl create configmap <name> --from-file=<path>.

1. Download the sample configuration

wget https://kubernetes.io/examples/configmap/game.properties
wget https://kubernetes.io/examples/configmap/ui.properties

2. Create the ConfigMap with kubectl create configmap <map-name> <data-source>; --from-file accepts either a single file or a directory.

#### from a directory
[root@k8s-master configmap]# kubectl create configmap dame-config --from-file=./
configmap/dame-config created

#### from individual files
[root@k8s-master configmap]# kubectl create cm game-config2 --from-file=game.properties --from-file=ui.properties
configmap/game-config2 created

3. View the result

[root@k8s-master configmap]# kubectl get cm
NAME               DATA   AGE
dame-config        2      7m29s
game-config2       2      6m13s
kube-root-ca.crt   1      44d

[root@k8s-master configmap]# kubectl describe cm/dame-config
Name:         dame-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

game.properties:
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30

ui.properties:
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

Events:  <none>

[root@k8s-master configmap]# kubectl describe cm/game-config2
Name:         game-config2
Namespace:    default
Labels:       <none>
Annotations:  <none>

game.properties:
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30

ui.properties:
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

Events:  <none>

2.2. From an env file

When several --from-env-file flags are passed to create a ConfigMap from multiple sources, only the last env file takes effect.

An env file contains a list of environment variables. Syntax rules:

Each line of the env file must be in VAR=VAL format.

Lines starting with # (comments) are ignored.

Blank lines are ignored.

Quotes get no special treatment (they become part of the ConfigMap value).
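The env-file rules above, as an added example that is not code from the original post: a small Python parser that applies them and builds the data block the resulting ConfigMap would carry. The sample input is the game-env-file.properties from the post with a comment and a blank line added; rejecting a line without "=" and trimming surrounding whitespace are this example's own choices, and the key pattern is the general ConfigMap key constraint rather than a rule the post states.

```python
"""Parser for the env-file format read by `kubectl create configmap --from-env-file`.

Added example, not code from the original post. It applies the four rules the
post lists (one VAR=VAL per line, '#' lines ignored, blank lines ignored, quotes
kept as part of the value). Rejecting a line without '=' and trimming the line
are this example's choices; the key pattern is the ConfigMap key constraint.
"""
from __future__ import annotations

import json
import re

# ConfigMap keys may only contain letters, digits, '-', '_' and '.'.
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def parse_env_file(text: str) -> dict[str, str]:
    """Return the data mapping the ConfigMap would receive from this env file."""
    data: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # example's choice: surrounding whitespace is dropped
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        if "=" not in line:
            # example's choice: refuse to guess a value for a malformed line
            raise ValueError(f"line {lineno}: expected VAR=VAL, got {raw!r}")
        key, value = line.split("=", 1)
        if not KEY_RE.match(key):
            raise ValueError(f"line {lineno}: {key!r} is not a valid ConfigMap key")
        # quotes get no special handling: they stay part of the value
        data[key] = value
    return data


def is_valid_env_file(text: str) -> bool:
    """True when every line passes parse_env_file (a cheap pre-apply check)."""
    try:
        parse_env_file(text)
    except ValueError:
        return False
    return True


def configmap_manifest(name: str, data: dict[str, str], namespace: str = "default") -> dict:
    """Shape of the object `kubectl get cm <name> -o yaml` prints for that data."""
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": dict(sorted(data.items())),
    }


# Constructed sample: the game-env-file.properties from the post, plus a comment
# and a blank line so the skip rules are exercised.
SAMPLE_ENV_FILE = """# game settings (ignored)
enemies=aliens

lives=3
allowed="true"
"""

if __name__ == "__main__":
    manifest = configmap_manifest("game-config-env-file", parse_env_file(SAMPLE_ENV_FILE))
    print(json.dumps(manifest, indent=2))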


1. Download the test file

wget https://kubernetes.io/examples/configmap/game-env-file.properties

[root@k8s-master configmap]# cat game-env-file.properties
enemies=aliens
lives=3
allowed="true"

2. Create the ConfigMap from the env file

[root@k8s-master configmap]# kubectl create configmap game-config-env-file --from-env-file=game-env-file.properties
configmap/game-config-env-file created

[root@k8s-master configmap]# kubectl get cm/game-config-env-file -o yaml
apiVersion: v1
data:
  allowed: '"true"'
  enemies: aliens
  lives: "3"
kind: ConfigMap
metadata:
  creationTimestamp: "2022-05-09T02:42:04Z"
  name: game-config-env-file
  namespace: default
  resourceVersion: "11386444"
  uid: 8b1ad825-d3b1-481f-b3b7-8ce606aec388

2.3. From literal values on the command line

Use kubectl create configmap together with the --from-literal flag.

1. Create the ConfigMap

[root@k8s-master configmap]# kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
configmap/special-config created

2. View the result

[root@k8s-master configmap]# kubectl get cm
NAME                   DATA   AGE
dame-config            2      30m
game-config-env-file   3      9m43s
game-config2           2      28m
kube-root-ca.crt       1      44d
special-config         2      3s

[root@k8s-master configmap]# kubectl get configmap/special-config -o yaml
apiVersion: v1
data:
  special.how: very
  special.type: charm
kind: ConfigMap
metadata:
  creationTimestamp: "2022-05-09T02:51:44Z"
  name: special-config
  namespace: default
  resourceVersion: "11388285"
  uid: 60d2ca2e-b50f-48a8-910b-c97d4ecb5c9e

2.4. With a generator

Create a ConfigMap object from a kustomization directory.

[root@k8s-master configmap]# cat kustomization.yaml
configMapGenerator:
- name: game-config-4
  files:
  - game.properties

[root@k8s-master configmap]# kubectl create -k .
configmap/game-config-4-tbg7c4gc77 created

[root@k8s-master configmap]# kubectl get configmap/game-config-4-tbg7c4gc77 -o yaml
apiVersion: v1
data:
  game.properties: |-
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
kind: ConfigMap
metadata:
  creationTimestamp: "2022-05-09T02:58:42Z"
  name: game-config-4-tbg7c4gc77
  namespace: default
  resourceVersion: "11389637"
  uid: 5e82a50f-f933-4c20-8007-0724a6829d7c

Literal values can also be supplied through the generator:

cat <<EOF >./kustomization.yaml
configMapGenerator:
- name: special-config-2
  literals:
  - special.how=very
  - special.type=charm
EOF

3. Using a ConfigMap

3.1. Environment variables

1. Write the manifest, passing a value with configMapKeyRef:

[root@k8s-master configmap]# cat configmap-env.yaml
apiVersion: v1
data:
  special.how: very
  special.type: charm
kind: ConfigMap
metadata:
  name: special-config
---
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              name: special-config
              key: special.how
  restartPolicy: Never

2. Create the Pod

[root@k8s-master configmap]# kubectl apply -f configmap-env.yaml
configmap/special-config created
pod/dapi-test-pod created

[root@k8s-master configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
centos                              1/1     Running     0          21h
dapi-test-pod                       0/1     Completed   0          30s

3. Check the logs

[root@k8s-master configmap]# kubectl logs dapi-test-pod |grep -i special
SPECIAL_LEVEL_KEY=very

The manifest above creates an environment variable named SPECIAL_LEVEL_KEY whose value comes from the special.how key of the ConfigMap.

The previous example names a specific key. What happens if no key is specified?

1. Create the YAML

[root@k8s-master configmap]# cat configmap-env-no-key.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod2
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - configMapRef:
          name: special-config
  restartPolicy: Never

2. Create the Pod

[root@k8s-master configmap]# kubectl apply -f configmap-env-no-key.yaml
pod/dapi-test-pod2 created

3. Check the logs

[root@k8s-master configmap]# kubectl logs dapi-test-pod2|grep -i special
special.type=charm
special.how=very

3.2. Mounting as files in a directory (with volumeMounts)

1. Create the Pod manifest

[root@k8s-master configmap]# cat configmap-volumemounts.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod3
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "ls /etc/config/;cat /etc/config/special.how;cat /etc/config/special.type" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
  restartPolicy: Never

2. Create the Pod and check the logs

[root@k8s-master configmap]# kubectl apply -f configmap-volumemounts.yaml
pod/dapi-test-pod3 created

[root@k8s-master configmap]# kubectl logs dapi-test-pod3
special.how
special.type

The manifest above mounts the special-config ConfigMap at /etc/config. As the output shows, every key becomes a file, and the file's content is the key's value.

Mounting a single key:

[root@k8s-master configmap]# cat configmap-volumemounts-spec-key.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod4
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
        items:
        - key: name.li
          path: keys
  restartPolicy: Never

[root@k8s-master configmap]# kubectl exec -it  dapi-test-pod4 /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cat /etc/config/keys
lqb/ #

[root@k8s-master ~]#  kubectl exec -it  dapi-test-pod4 -- cat /etc/config/keys
very20220509
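The three consumption forms shown in 3.1 and 3.2 (env with configMapKeyRef, envFrom with configMapRef, and a configMap volume with or without items), modelled as pure functions over plain dicts so their behaviour can be checked without a cluster. This is an added example, not code from the original post; the cluster state is constructed from the post's special-config ConfigMap, the function names are this example's own, and the `optional` handling and the environment-variable-name rule are the Kubernetes API behaviours the example reproduces.

```python
"""Model of how a Pod consumes ConfigMap data.

Added example, not code from the original post. It re-implements, over plain
dicts, env + valueFrom/configMapKeyRef, envFrom/configMapRef, and a configMap
volume with or without `items`. `optional` and the variable-name rule mirror
Kubernetes behaviour; the function names are this example's own.
"""
from __future__ import annotations

import re

# Kubernetes accepts dots in variable names, which is why `special.how=very`
# appears in the post's `env` output; keys failing this pattern are skipped.
ENV_NAME_RE = re.compile(r"^[-._a-zA-Z][-._a-zA-Z0-9]*$")

# Constructed cluster state: the special-config ConfigMap from the post.
CONFIGMAPS: dict[str, dict[str, str]] = {
    "special-config": {"special.how": "very", "special.type": "charm"},
}


def resolve_env(container: dict, configmaps: dict[str, dict[str, str]]) -> dict[str, str]:
    """Compute the environment a container receives from `envFrom` and `env`."""
    env: dict[str, str] = {}
    # envFrom: every key of the referenced ConfigMap becomes a variable, name unchanged
    for source in container.get("envFrom", []):
        ref = source.get("configMapRef")
        if not ref:
            continue
        data = configmaps.get(ref["name"])
        if data is None:
            if ref.get("optional"):
                continue
            raise KeyError(f"configmap {ref['name']} not found")
        for key, value in data.items():
            if ENV_NAME_RE.match(key):
                env[key] = value
    # explicit env entries are applied last, so they win on name collisions
    for var in container.get("env", []):
        if "value" in var:
            env[var["name"]] = var["value"]
            continue
        ref = var["valueFrom"]["configMapKeyRef"]
        data = configmaps.get(ref["name"], {})
        if ref["key"] not in data:
            if ref.get("optional"):
                continue  # optional reference: the variable is simply absent
            # without optional the kubelet refuses to start the container
            raise KeyError(f"key {ref['key']} missing from configmap {ref['name']}")
        env[var["name"]] = data[ref["key"]]
    return env


def project_volume(volume: dict, configmaps: dict[str, dict[str, str]]) -> dict[str, str]:
    """Return {relative file path: content} for a configMap volume source."""
    source = volume["configMap"]
    data = configmaps[source["name"]]
    items = source.get("items")
    if items is None:
        # no items: one file per key, named after the key (what dapi-test-pod3 saw)
        return dict(data)
    # items: only the listed keys, written at the requested (possibly nested) paths
    return {item["path"]: data[item["key"]] for item in items}


if __name__ == "__main__":
    keyed = {"env": [{"name": "SPECIAL_LEVEL_KEY", "valueFrom": {
        "configMapKeyRef": {"name": "special-config", "key": "special.how"}}}]}
    print(resolve_env(keyed, CONFIGMAPS))
    print(resolve_env({"envFrom": [{"configMapRef": {"name": "special-config"}}]}, CONFIGMAPS))
    print(project_volume({"configMap": {"name": "special-config",
                                        "items": [{"key": "special.how", "path": "keys"}]}},
                         CONFIGMAPS))
```

The missing-key branch is the part worth noticing in practice: a configMapKeyRef to a key that does not exist keeps the container from starting at all unless `optional: true` is set, whereas a volume with `items` simply produces no file for a key that is not listed.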

4. Hot-updating a ConfigMap

Keep Pod dapi-test-pod4 running and use kubectl edit cm special-config to change the value of special.how. The new value does reach the Pod, but only after more than 30 seconds.


[root@k8s-master ~]#  kubectl exec -it  dapi-test-pod4 -- cat /etc/config/keys
very20220509[root@k8s-master ~]#  kubectl exec -it  dapi-test-pod4 -- cat /etc/config/keys
very20220510[root@k8s-master ~]#  kubectl exec -it  dapi-test-pod4 -- cat /etc/config/keys

Note: a ConfigMap mounted through volumes is updated inside the Pod, but values handed to the Pod as environment variables are not.

5. Mounting a Redis configuration with a ConfigMap

1. The configuration files

[root@k8s-master configmap-redis]# cat kustomization.yaml
configMapGenerator:
- name: test-redis-config
  files:
  - redis-config
resources:
- redis-pod.yaml

[root@k8s-master configmap-redis]# cat redis-config
maxmemory 2mb
maxmemory-policy allkeys-lru

[root@k8s-master configmap-redis]# cat redis-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  containers:
  - name: redis
    image: redis:5.0.4
    command:
      - redis-server
      - "/redis-master/redis.conf"
    env:
    - name: MASTER
      value: "true"
    ports:
    - containerPort: 6379
    resources:
      limits:
        cpu: "0.1"
    volumeMounts:
    - mountPath: /redis-master-data
      name: data
    - mountPath: /redis-master
      name: config
  volumes:
    - name: data
      emptyDir: {}
    - name: config
      configMap:
        name: test-redis-config
        items:
        - key: redis-config
          path: redis.conf

2. Apply the whole directory at once

[root@k8s-master configmap-redis]# kubectl apply -k .
configmap/test-redis-config-hfbhg9b679 created
pod/redis created

[root@k8s-master ~]# kubectl describe  cm/test-redis-config-hfbhg9b679
Name:         test-redis-config-hfbhg9b679
Namespace:    default
Labels:       <none>
Annotations:  <none>

redis-config:
maxmemory 2mb
maxmemory-policy allkeys-lru

Events:  <none>

3. Verify the configuration

[root@k8s-master ~]# kubectl exec -it redis redis-cli
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
127.0.0.1:6379> CONFIG GET maxmemory
1) "maxmemory"
2) "2097152"
127.0.0.1:6379> CONFIG GET maxmemory-policy
1) "maxmemory-policy"
2) "allkeys-lru"
127.0.0.1:6379> exit

[root@k8s-master ~]# kubectl exec -it redis /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@redis:/data# cat /redis-master/redis.conf
maxmemory 2mb
maxmemory-policy allkeys-lru

II. Secret

2.1. Introduction

Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing it in the image or the Pod spec. A Secret can be consumed as a volume or as environment variables.

There are three kinds of Secret:

Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount;

Opaque: a base64-encoded Secret for storing passwords, keys and the like;

kubernetes.io/dockerconfigjson: stores the credentials for a private docker registry.

2.2. Secret types

2.2.1. Opaque

Opaque data is a map whose values must be base64-encoded. If your password contains special characters, escape them with the \\ character.

Creating from files

[root@k8s-master secret]# echo -n 'admin' > ./username.txt
[root@k8s-master secret]# echo -n '1f2d1e2e67df' > ./password.txt
[root@k8s-master secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt
secret/db-user-pass created

[root@k8s-master secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt -o yaml --dry-run
W0509 16:44:01.992251    9057 helpers.go:557] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: v1
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: null
  name: db-user-pass

By default, kubectl get and kubectl describe do not display the contents of a Secret. This prevents the secret from being exposed to onlookers or stored in terminal logs.

Creating by hand


[root@k8s-master secret]# echo  -n 'admin'|base64
YWRtaW4=
[root@k8s-master secret]# echo -n '1f2d1e2e3e567f'|base64
MWYyZDFlMmUzZTU2N2Y=

[root@k8s-master secret]# cat sg-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmUzZTU2N2Y=

[root@k8s-master secret]# kubectl apply -f sg-secret.yaml
secret/mysecret created

Storing a whole configuration file in a Secret (stringData):

[root@k8s-master secret]# cat stringData.yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  config.yaml: |-
    apiUrl: "https://my.api.com/api/v1"
    username: admin
    password: 1f2d1e2e67df

[root@k8s-master secret]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      59m
default-token-kmq6s   kubernetes.io/service-account-token   3      45d
mysecret              Opaque                                1      58s

[root@k8s-master secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  config.yaml: YXBpVXJsOiAiaHR0cHM6Ly9teS5hcGkuY29tL2FwaS92MSIKdXNlcm5hbWU6IGFkbWluCnBhc3N3b3JkOiAxZjJkMWUyZTY3ZGY=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"stringData":{"config.yaml":"apiUrl: \"https://my.api.com/api/v1\"\nusername: admin\npassword: 1f2d1e2e67df"},"type":"Opaque"}
  creationTimestamp: "2022-05-09T09:41:51Z"
  name: mysecret
  namespace: default
  resourceVersion: "11466379"
  uid: 6f69ec7c-3b0e-40f3-86bd-aea262c3483e
type: Opaque
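What the Opaque examples above show in one place, as an added example that is not code from the original post: the base64 values kubectl produces for the db-user-pass files, the folding of stringData into data that the API server performs (which is why `kubectl get secrets mysecret -o yaml` shows only data), and the key-plus-size view `kubectl describe secret` prints. The sample values are the ones in the post; the function names are this example's own. Note that the last-applied-configuration annotation in the output above still carries the plaintext, so the annotation is as sensitive as the data block.

```python
"""Secret `data` vs `stringData`, and what base64 does and does not protect.

Added example, not code from the original post. The sample values are the
post's; the function names are this example's own.
"""
from __future__ import annotations

import base64


def b64(text: str) -> str:
    """Base64 as kubectl and the API server apply it to a Secret value."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def encode_secret_data(plain: dict[str, str]) -> dict[str, str]:
    """Base64-encode every value, as kubectl does for --from-file / --from-literal."""
    return {key: b64(value) for key, value in plain.items()}


def normalize_secret(manifest: dict) -> dict:
    """Fold `stringData` into `data` the way the API server does on write.

    A key present in both blocks takes the stringData value.
    """
    data = dict(manifest.get("data", {}))
    for key, value in manifest.get("stringData", {}).items():
        data[key] = b64(value)
    normalized = {k: v for k, v in manifest.items() if k != "stringData"}
    normalized["data"] = data
    return normalized


def decode_secret_data(manifest: dict) -> dict[str, str]:
    """Recover the plaintext from `data`.

    base64 is reversible, so anyone allowed to `get` the Secret has the value;
    RBAC on the Secret, not the encoding, is the control.
    """
    return {key: base64.b64decode(value).decode("utf-8")
            for key, value in normalize_secret(manifest)["data"].items()}


def describe_secret(manifest: dict) -> dict[str, str]:
    """What `kubectl describe secret` shows per key: the size, never the value."""
    return {key: f"{len(base64.b64decode(value))} bytes"
            for key, value in normalize_secret(manifest)["data"].items()}


# Constructed inputs: the plaintext values used in the post.
DB_USER_PASS_PLAIN = {"username.txt": "admin", "password.txt": "1f2d1e2e67df"}

STRINGDATA_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "mysecret"},
    "stringData": {
        "config.yaml": 'apiUrl: "https://my.api.com/api/v1"\nusername: admin\npassword: 1f2d1e2e67df',
    },
}

if __name__ == "__main__":
    print(encode_secret_data(DB_USER_PASS_PLAIN))
    print(normalize_secret(STRINGDATA_SECRET)["data"])
    print(describe_secret(STRINGDATA_SECRET))
    print(decode_secret_data(STRINGDATA_SECRET)["config.yaml"])
```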

2.2.2. kubernetes.io/dockerconfigjson

A secret for docker registry authentication can be created directly with kubectl:


[root@k8s-master secret]# kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret/myregistrykey created

[root@k8s-master secret]# kubectl get secret/myregistrykey  -owide
NAME            TYPE                             DATA   AGE
myregistrykey   kubernetes.io/dockerconfigjson   1      28s

[root@k8s-master secret]# kubectl describe secret/myregistrykey
Name:         myregistrykey
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

.dockerconfigjson:  161 bytes

2.2.3. Service Account

Referenced by a serviceaccount. When a serviceaccount is created, Kubernetes creates a matching secret by default. If a Pod uses the serviceaccount, that secret is mounted automatically at /run/secrets/kubernetes.io/serviceaccount in the Pod.

A Secret is an object holding a small amount of sensitive information such as a password, a token or a key. Such information could be placed in the Pod spec or in the image; keeping it in a Secret object gives better control over how it is used and lowers the risk of accidental exposure.

The Service Account secret is used to access the Kubernetes API; Kubernetes creates it automatically and mounts it automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.

[root@k8s-master secret]#  kubectl run nginx --image nginx
pod/nginx created

[root@k8s-master secret]#  kubectl exec nginx ls /run/secrets/kubernetes.io/serviceaccount
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
ca.crt
namespace
token

2.3. Usage

Secrets can be mounted as data volumes or exposed as environment variables for the containers in a Pod. They can also be used by other parts of the system without being exposed inside the Pod; for example, they can hold credentials that other parts of the system use to interact with external systems on your behalf.

Mounting as a volume

[root@k8s-master secret]# cat pod-volume-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      secret:
        secretName: mysecret
  restartPolicy: Never

[root@k8s-master secret]# kubectl apply -f pod-volume-secrets.yaml
pod/dapi-test-pod created

[root@k8s-master secret]# kubectl exec -it  dapi-test-pod -- cat /etc/config/config.yaml
apiUrl: "https://my.api.com/api/v1"
username: admin
password: 1f2d1e2e67df

Projecting a single key to a path inside the directory

[root@master Secret]# cat pod-volume-secrets2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      secret:
        secretName: db-user-pass
        items:
        - key: username.txt
          path: my-group/my-username
  restartPolicy: Never

[root@master Secret]# kubectl apply -f pod-volume-secrets2.yaml
pod/dapi-test-pod created

[root@master Secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/my-group/my-username
admin[root@master Secret]#

Referencing a Secret in environment variables

[root@k8s-master secret]# cat pod-env-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod3
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","env;echo ${SECRET_USERNAME} ${SECRET_PASSWORD}" ]
      env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: db-user-pass
            key: username.txt
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: db-user-pass
            key: password.txt
  restartPolicy: Never

[root@k8s-master secret]# kubectl apply -f pod-env-secrets.yaml
pod/dapi-test-pod3 created

[root@k8s-master secret]#  kubectl logs dapi-test-pod3 |egrep "admin|SECRET"
SECRET_PASSWORD=1f2d1e2e67df
SECRET_USERNAME=admin
admin 1f2d1e2e67df

Secrets are used in essentially the same way as ConfigMaps. The difference is that ConfigMap values are stored in plaintext while Secret values are base64-encoded.

