In Kubernetes, configuration is supplied to a service through Secrets and ConfigMaps. Both exist to provide configuration information to a workload. For example, you deploy an nginx service but its nginx.conf has to be adjusted to your own needs: you could copy the file into the image when building the base image, but then every time the configuration has to change you must rebuild the image. With a Secret or ConfigMap that is unnecessary: edit the configuration object and redeploy the service.
Using ConfigMaps
ConfigMaps are typically used for configuration files. In k8s, if a service needs connection information at startup, it can be put in a ConfigMap and injected as environment variables when the application starts. See the example below:
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# cat web.properfile
WEB_SEC_SERVICE_PORT=80
WEB_SEC_SERVICE_HOST=127.0.0.1
WEB_SEC_SERVICE_USER=wulaoer
WEB_SEC_SERVICE_PASSWORD=wulaoer.org
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# cat server.properfile
SERVER_NAME_PORT=8080
SERVER_NAME_HOST=127.0.0.1
SERVER_NAME_USER=wulaoer.org
SERVER_NAME_PASSWORD=wulaoer.org
```
Creating a ConfigMap object
Create the object from a directory, then inspect it with describe and get.
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl create configmap wulaoer-config --from-file=/root/k8s/ops/configmap/
configmap/wulaoer-config created
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl get configmaps
NAME                 DATA   AGE
ceph-delete-bucket   5      119d
istio-ca-root-cert   1      138d
kube-root-ca.crt     1      138d
wulaoer-config       3      10s
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl describe configmaps wulaoer-config
Name:         wulaoer-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
web.properfile:
----
WEB_SEC_SERVICE_PORT=80
WEB_SEC_SERVICE_HOST=127.0.0.1
WEB_SEC_SERVICE_USER=wulaoer
WEB_SEC_SERVICE_PASSWORD=wulaoer.org

server.properfile:
----
SERVER_NAME_PORT=8080
SERVER_NAME_HOST=127.0.0.1
SERVER_NAME_USER=wulaoer.org
SERVER_NAME_PASSWORD=wulaoer.org

Events:  <none>
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl get configmaps wulaoer-config -o yaml
apiVersion: v1
data:
  server.properfile: |
    SERVER_NAME_PORT=8080
    SERVER_NAME_HOST=127.0.0.1
    SERVER_NAME_USER=wulaoer.org
    SERVER_NAME_PASSWORD=wulaoer.org
  web.properfile: |
    WEB_SEC_SERVICE_PORT=80
    WEB_SEC_SERVICE_HOST=127.0.0.1
    WEB_SEC_SERVICE_USER=wulaoer
    WEB_SEC_SERVICE_PASSWORD=wulaoer.org
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-08T08:18:23Z"
  name: wulaoer-config
  namespace: default
  resourceVersion: "236128284"
  uid: 33dc6ad5-b30c-4254-a64c-5b994ab92ba4
```
Creating a ConfigMap from a file
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl create configmap wulaoer-config-2 --from-file=/root/k8s/ops/configmap/web.properfile
configmap/wulaoer-config-2 created
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl get configmaps wulaoer-config-2 -o yaml
apiVersion: v1
data:
  web.properfile: |
    WEB_SEC_SERVICE_PORT=80
    WEB_SEC_SERVICE_HOST=127.0.0.1
    WEB_SEC_SERVICE_USER=wulaoer
    WEB_SEC_SERVICE_PASSWORD=wulaoer.org
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-08T08:20:43Z"
  name: wulaoer-config-2
  namespace: default
  resourceVersion: "236133405"
  uid: eb5b14dc-27fc-4a6e-9281-8c8f41c92a87
```
--from-file can be given multiple times to specify multiple files.
Creating a ConfigMap from the command line
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl create configmap wulaoer-config-3 --from-literal=WEB_SEC_SERVICE_PORT=80 --from-literal=WEB_SEC_SERVICE_HOST=127.0.0.1 --from-literal=WEB_SEC_SERVICE_USER=wulaoer --from-literal=WEB_SEC_SERVICE_PASSWORD=wulaoer.org
configmap/wulaoer-config-3 created
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl get configmaps wulaoer-config-3 -o yaml
apiVersion: v1
data:
  WEB_SEC_SERVICE_HOST: 127.0.0.1
  WEB_SEC_SERVICE_PASSWORD: wulaoer.org
  WEB_SEC_SERVICE_PORT: "80"
  WEB_SEC_SERVICE_USER: wulaoer
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-08T08:25:28Z"
  name: wulaoer-config-3
  namespace: default
  resourceVersion: "236143494"
  uid: 0b7e8e26-d125-470f-964b-5ebc64e87661
```
--from-literal can be given multiple times to specify multiple values.
Populating environment variables from a ConfigMap
Use the wulaoer-config-3 ConfigMap created above to supply the pod's environment variables.
```
[root@ali-bj-ops-h-jump configmap]# cat works.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: works
  labels:
    app: works
spec:
  replicas: 1
  selector:
    matchLabels:
      app: works
  template:
    metadata:
      labels:
        app: works
    spec:
      terminationGracePeriodSeconds: 30
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: works
        env:
        - name: WEB_SEC_SERVICE_HOST
          valueFrom:
            configMapKeyRef:
              name: wulaoer-config-3
              key: WEB_SEC_SERVICE_HOST
        - name: WEB_SEC_SERVICE_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: wulaoer-config-3
              key: WEB_SEC_SERVICE_PASSWORD
        envFrom:
        - configMapRef:
            name: wulaoer-config-3
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: works
  name: works
spec:
  ports:
  - name: works
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: works
  type: ClusterIP
```
That is the pod's yaml file; create the pod and check its environment variables.
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl apply -f works.yaml
deployment.apps/works configured
service/works unchanged
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl exec works-56b4f58468-mxdxb -- printenv | grep WEB
WEB_SEC_SERVICE_USER=wulaoer
WEB_SEC_SERVICE_HOST=127.0.0.1
WEB_SEC_SERVICE_PORT=80
WEB_SEC_SERVICE_PASSWORD=wulaoer.org
```
Setting command-line parameters with a ConfigMap
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# cat works.yaml
.......................................
        env:
        - name: WEB_SEC_SERVICE_HOST
          valueFrom:
            configMapKeyRef:
              name: wulaoer-config-3
              key: WEB_SEC_SERVICE_HOST
        - name: WEB_SEC_SERVICE_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: wulaoer-config-3
              key: WEB_SEC_SERVICE_PASSWORD
.......................................
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl exec works-54f86d9797-r85js -- printenv | grep WEB
WEB_SEC_SERVICE_HOST=127.0.0.1
WEB_SEC_SERVICE_PASSWORD=wulaoer.org
[root@ali-bj-ops-h-jump configmap]# cat works.yaml
.......................................
        envFrom:
        - configMapRef:
            name: wulaoer-config-3
.......................................
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl exec works-c6d5fb657-7hctg -- printenv | grep WEB
WEB_SEC_SERVICE_USER=wulaoer
WEB_SEC_SERVICE_HOST=127.0.0.1
WEB_SEC_SERVICE_PORT=80
WEB_SEC_SERVICE_PASSWORD=wulaoer.org
```
Using a ConfigMap through a volume
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# cat works.yaml
.......................................
    spec:
      volumes:
      - name: config-volume
        configMap:
          name: wulaoer-config-2
      terminationGracePeriodSeconds: 30
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: works
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
.......................................
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl apply -f works.yaml
deployment.apps/works configured
service/works unchanged
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl exec works-7cd9b4f496-6sjpl -- printenv | grep WEB
WEB_SEC_SERVICE_PASSWORD=wulaoer.org
WEB_SEC_SERVICE_PORT=80
WEB_SEC_SERVICE_USER=wulaoer
WEB_SEC_SERVICE_HOST=127.0.0.1
```
Note: when a ConfigMap is mounted into a Pod as a volume, updating the ConfigMap (or deleting and recreating it) hot-updates the configuration mounted inside the Pod. You can therefore add a script that watches the configuration files for changes and reloads the corresponding service, which gives the application a hot reload.
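The watcher script that note describes, written here as an added example (not code from the original post) against the /etc/config mount and an nginx reload command; both are assumptions. Environment variables injected from a ConfigMap, as in the earlier sections, are fixed when the container starts, so only the volume mount changes in place.

```shell
#!/bin/sh
# Added example, not from the original post: poll a ConfigMap volume mount and
# reload the service when its contents change. Mount path and reload command
# are assumptions taken from the post's nginx deployment.
set -eu

# config_fingerprint DIR
# The kubelet publishes a ConfigMap volume as files behind a "..data" symlink
# that points at a timestamped directory and is swapped atomically on update,
# so its target is a cheap and exact change marker. Outside a cluster (no
# symlink) fall back to a checksum over every regular file in the directory.
config_fingerprint() {
    dir=$1
    if [ -L "$dir/..data" ]; then
        readlink "$dir/..data"
    else
        # stable order, then a POSIX checksum so this runs anywhere
        find "$dir" -type f | LC_ALL=C sort | xargs cat | cksum
    fi
}

# watch_and_reload DIR INTERVAL CMD...
# Poll every INTERVAL seconds and run CMD (e.g. nginx -s reload) on each
# change. A failed reload keeps the old fingerprint so it is retried later.
watch_and_reload() {
    dir=$1; interval=$2; shift 2
    last=$(config_fingerprint "$dir")
    while sleep "$interval"; do
        cur=$(config_fingerprint "$dir")
        if [ "$cur" != "$last" ]; then
            echo "config in $dir changed, running: $*" >&2
            if "$@"; then
                last=$cur
            else
                echo "reload failed, will retry on the next check" >&2
            fi
        fi
    done
}

# In the post's nginx container this would be started as:
#   watch_and_reload /etc/config 5 nginx -s reload
```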
Using Secrets
Secrets are for protecting sensitive information, for example values you do not want to show up in logs, such as OAuth tokens and ssh keys. Keeping them in a Secret is safer and more flexible than putting them in the pod spec or baking them into the docker image. Opaque is one Secret type: its data is stored base64-encoded and is used for passwords, keys and the like. It can be decoded with base64 -d, so base64 gives it no real protection: it is an encoding, not encryption.
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# echo -n "wulaoer.org" | base64
d3VsYW9lci5vcmc=
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# echo -n "www.wulaoer.org" | base64
d3d3Lnd1bGFvZXIub3Jn
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  wulaoeruser: d3VsYW9lci5vcmc=
  wulaoerpd: d3d3Lnd1bGFvZXIub3Jn
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl apply -f secret.yaml
secret/mysecret created
```
First create a Secret: in the yaml the values under data must be written base64-encoded, then apply it to create the Secret.
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl describe secrets mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  15 bytes
username:  11 bytes
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  wulaoerpd: d3d3Lnd1bGFvZXIub3Jn
  wulaoeruser: d3VsYW9lci5vcmc=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"wulaoerpd":"d3d3Lnd1bGFvZXIub3Jn","wulaoeruser":"d3VsYW9lci5vcmc="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
  creationTimestamp: "2022-06-10T06:35:28Z"
  name: mysecret
  namespace: default
  resourceVersion: "242847590"
  uid: 46223f7e-480e-4788-8bb7-be173b7fe5c4
type: Opaque
```
Inspecting a Secret works the same way as a ConfigMap: describe does not show the values, so use get to see the full object.
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# vim works.yaml
....................................
      terminationGracePeriodSeconds: 30
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: works
        env:
        - name: WULAOERUSER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: wulaoeruser
        - name: WULAOERPD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: wulaoerpd
....................................
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl exec works-5c88dcb577-8t277 -- printenv | grep WULAOER
WULAOERUSER=wulaoer.org
WULAOERPD=www.wulaoer.org
```
Create the pod and check its environment variables: the Secret values are now present inside the pod.
Using a Secret through a volume
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# vim works.yaml
....................................
      terminationGracePeriodSeconds: 30
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: works
        volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
      volumes:
      - name: secrets
        secret:
          secretName: mysecret
....................................
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl exec -it works-5699b45459-hqq5n /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@works-5699b45459-hqq5n:/# cat /etc/secrets/wulaoeruser
wulaoer.orgroot@works-5699b45459-hqq5n:/# cat /etc/secrets/wulaoerpd
www.wulaoer.orgroot@works-5699b45459-hqq5n:/#
```
Creating a Secret object from the command line
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl create secret docker-registry wulaoer-qa-image --docker-server=http://192.168.166.229 --docker-username=admin --docker-password=harbor123 --docker-email=test@163.com
secret/wulaoer-qa-image created
[root@ali-bj-ops-h-jump configmap]# kubectl get secrets
NAME               TYPE                             DATA   AGE
mysecret           Opaque                           2      22m
wulaoer-qa-image   kubernetes.io/dockerconfigjson   1      8s
```
View the Secret and decode its contents with base64 -d:
```
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# kubectl get secrets wulaoer-qa-image -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwOi8vMTkyLjE2OC4xNjYuMjI5Ijp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6ImhhcmJvcjEyMyIsImVtYWlsIjoidGVzdEAxNjMuY29tIiwiYXV0aCI6IllXUnRhVzQ2YUdGeVltOXlNVEl6In19fQ==
kind: Secret
metadata:
  creationTimestamp: "2022-06-10T06:57:33Z"
  name: wulaoer-qa-image
  namespace: default
  resourceVersion: "242901378"
  uid: df838e85-0a64-42d4-a923-3d126b41a31f
type: kubernetes.io/dockerconfigjson
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# echo eyJhdXRocyI6eyJodHRwOi8vMTkyLjE2OC4xNjYuMjI5Ijp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6ImhhcmJvcjEyMyIsImVtYWlsIjoidGVzdEAxNjMuY29tIiwiYXV0aCI6IllXUnRhVzQ2YUdGeVltOXlNVEl6In19fQ== | base64 -d
{"auths":{"http://192.168.166.229":{"username":"admin","password":"harbor123","email":"test@163.com","auth":"YWRtaW46aGFyYm9yMTIz"}}}[root@ali-bj-ops-h-jump configmap]#
[wolf@wulaoer.org🔥🔥🔥🔥 configmap]# vim works.yaml
....................................
      terminationGracePeriodSeconds: 30
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: works
        volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
      volumes:
      - name: secrets
        secret:
          secretName: mysecret
      imagePullSecrets:
      - name: wulaoer-qa-image
....................................
```
This is mainly needed when pulling private images: the Secret here holds the image registry's authentication information, at minimum the account, the password and the registry address. A private registry on Alibaba Cloud works the same way and also needs authentication, but note that its registry password is not the same as the sub-account password.
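What a reader of that Secret actually obtains, as an added example (not code from the post) with constructed values: it peels the .dockerconfigjson layer and then the inner auth layer exactly as base64 -d does above, which is why read access to Secrets in a namespace has to be limited with RBAC. The registry host and credentials are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: decode a
# kubernetes.io/dockerconfigjson Secret value offline. All values below are
# constructed; registry host and credentials are placeholders.
set -eu

# Build a constructed .dockerconfigjson value the way kubectl stores it:
# a JSON document whose "auth" field is itself base64 of "user:password".
REGISTRY='registry.example.invalid'
CREDS='ci-bot:not-a-real-password'
SAMPLE_AUTH=$(printf '%s' "$CREDS" | base64 | tr -d '\n')
SAMPLE_DOCKERCONFIGJSON=$(printf '{"auths":{"%s":{"auth":"%s"}}}' \
    "$REGISTRY" "$SAMPLE_AUTH" | base64 | tr -d '\n')

# decode_secret_value BASE64: what "base64 -d" does to one data value
# taken from "kubectl get secret -o yaml".
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# docker_auth_credentials BASE64_DOCKERCONFIGJSON: peel both layers and print
# the registry user:password pair. Plain sed is used instead of jq so the
# example runs anywhere; it expects the single-registry layout built above.
docker_auth_credentials() {
    auth=$(decode_secret_value "$1" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
    [ -n "$auth" ] || { echo "no auth field found" >&2; return 1; }
    decode_secret_value "$auth"
}

# registry_from_dockerconfigjson BASE64_DOCKERCONFIGJSON: the registry host
# those credentials belong to.
registry_from_dockerconfigjson() {
    decode_secret_value "$1" | sed -n 's/.*"auths":{"\([^"]*\)".*/\1/p'
}

main() {
    printf 'registry:    %s\n' "$(registry_from_dockerconfigjson "$SAMPLE_DOCKERCONFIGJSON")"
    printf 'credentials: %s\n' "$(docker_auth_credentials "$SAMPLE_DOCKERCONFIGJSON")"
}
main
```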
Differences between Secret and ConfigMap
ConfigMap use cases:
- passed to the process run in the pod's command line (the startup command)
Secret use cases:
- values are base64-encoded, so the plaintext does not appear in logs
- mainly for storing sensitive information
Similarities:
- key/value form
- belong to a specific namespace
- can be exported as environment variables
- can be mounted as a directory/file
- configuration mounted through a volume can be hot-updated
Differences:
- a Secret can be associated with a ServiceAccount
- a Secret can store docker registry credentials, used in the imagePullSecrets field to pull images from a private registry
- Secret values are stored Base64-encoded
- Secrets come in three types, kubernetes.io/service-account-token, kubernetes.io/dockerconfigjson and Opaque, while a ConfigMap has no type