
飞天使-k8s基础组件分析-配置和密钥管理

文章目录

      • configmap 详解
      • configmap 使用案例
      • secret
      • k8s从私有库拉取镜像案例
      • 参考文档

configmap 详解

configmap的作用是什么?
答: 把配置文件从 pod 中分离出来。
如何将配置文件中的 key 转换成 configmap 呢?
[root@k8s-01 chapter08]# cat ui.properties 
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice[root@k8s-01 chapter08]# cat game.properties 
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
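secret.code.lives=30
创建configmap
kubectl create configmap game-config --from-file=game.properties  --from-file=ui.properties
查看创建后信息
注意: ConfigMap 以明文保存数据, 下面 kubectl describe 的输出会直接显示 secret.code.passphrase 的值; 真正敏感的配置应放在 Secret 中, 而不是 ConfigMap。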
[root@k8s-01 chapter08]# kubectl describe configmap game-config
Name:         game-config
Namespace:    default
Labels:       <none>
Annotations:  <none>Data
====
game.properties:
----
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties:
----
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
Events:  <none>
[root@k8s-01 chapter08]# kubectl get configmap
NAME          DATA   AGE
game-config   2      3m18s[root@k8s-01 chapter08]# kubectl get configmap game-config -o yaml
apiVersion: v1
data:game.properties: |-enemies=alienslives=3enemies.cheat=trueenemies.cheat.level=noGoodRottensecret.code.passphrase=UUDDLRLRBABASsecret.code.allowed=truesecret.code.lives=30ui.properties: |-color.good=purplecolor.bad=yellowallow.textmode=truehow.nice.to.look=fairlyNice
kind: ConfigMap
metadata:creationTimestamp: "2023-08-25T04:17:47Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:game.properties: {}f:ui.properties: {}manager: kubectloperation: Updatetime: "2023-08-25T04:17:47Z"name: game-confignamespace: defaultresourceVersion: "739950"selfLink: /api/v1/namespaces/default/configmaps/game-configuid: c0dac33b-5f6c-4647-a18e-dc3432093fca创建键值
[root@k8s-01 chapter08]# kubectl  create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
configmap/special-config created
[root@k8s-01 chapter08]# kubectl get configmap 
NAME             DATA   AGE
game-config      2      13m
special-config   2      14s
[root@k8s-01 chapter08]# kubectl describe special-config
error: the server doesn't have a resource type "special-config"
[root@k8s-01 chapter08]# kubectl describe configmap special-config
Name:         special-config
Namespace:    default
Labels:       <none>
Annotations:  <none>Data
====
special.how:
----
very
special.type:
----
charm
Events:  <none>[root@k8s-01 chapter08]# kubectl get configmap -o=yaml
apiVersion: v1
items:
- apiVersion: v1data:special.how: verykind: ConfigMapmetadata:creationTimestamp: "2023-08-25T04:33:07Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:special.how: {}manager: kubectloperation: Updatetime: "2023-08-25T04:33:07Z"name: special-confignamespace: defaultresourceVersion: "742522"selfLink: /api/v1/namespaces/default/configmaps/special-configuid: 75ae4409-5d05-4cff-ae0e-2181f06295d1
kind: List
metadata:resourceVersion: ""selfLink: ""pod中如何引用刚刚创建好的key 呢? 
下面的pod是引用了刚刚创建的configmap
[root@k8s-01 chapter08]# cat pod-single-configmap-env-variable.yaml 
apiVersion: v1
kind: Pod
metadata:name: dapi-test-pod
spec:containers:- name: test-containerimage: busyboxcommand: [ "/bin/sh", "-c", "env" ]env:# Define the environment variable- name: SPECIAL_LEVEL_KEYvalueFrom:configMapKeyRef:# The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEYname: special-config# Specify the key associated with the valuekey: special.howrestartPolicy: NeverSPECIAL_LEVEL_KEY=very
NGINX_SERVICE_PORT=80
NGINX_PORT=tcp://10.104.210.165:80
MY_SERVICE_PORT_80_TCP_ADDR=10.104.130.24
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
MY_SERVICE_PORT_80_TCP_PORT=80
HELLO_PORT=tcp://10.109.229.1:80
KUBERNETES_SERVICE_HOST=10.96.0.1
HELLO_SERVICE_PORT=80
PWD=/
MY_SERVICE_PORT_80_TCP_PROTO=tcp
NGINX_PORT_80_TCP_ADDR=10.104.210.165
FRONTEND_SERVICE_HOST=10.109.68.171
NGINX_PORT_80_TCP_PORT=80
NGINX_PORT_80_TCP_PROTO=tcp
[root@k8s-01 chapter08]# kubectl logs dapi-test-pod多个key 被引用
[root@k8s-01 chapter08]# cat configmaps.yaml 
apiVersion: v1
kind: ConfigMap
metadata:name: special-confignamespace: default
data:special.how: very
---
apiVersion: v1
kind: ConfigMap
metadata:name: env-confignamespace: default
data:log_level: INFO[root@k8s-01 chapter08]# cat pod-multiple-configmap-env-variable.yaml 
apiVersion: v1
kind: Pod
metadata:name: dapi-test-pod
spec:containers:- name: test-containerimage: busyboxcommand: [ "/bin/sh", "-c", "env" ]env:- name: SPECIAL_LEVEL_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.how- name: LOG_LEVELvalueFrom:configMapKeyRef:name: env-configkey: log_levelrestartPolicy: Never[root@k8s-01 chapter08]# kubectl get pod
NAME            READY   STATUS      RESTARTS   AGE
dapi-test-pod   0/1     Completed   0          33s
[root@k8s-01 chapter08]# kubectl logs dapi-test-pod
HELLO_PORT_80_TCP_ADDR=10.109.229.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
LOG_LEVEL=INFO
FRONTEND_SERVICE_PORT=80
MY_SERVICE_PORT_80_TCP=tcp://10.104.130.24:80
REDIS_MASTER_SERVICE_HOST=10.106.204.32
FRONTEND_PORT=tcp://10.109.68.171:80
HELLO_PORT_80_TCP_PORT=80
HOSTNAME=dapi-test-pod
HELLO_PORT_80_TCP_PROTO=tcp
SHLVL=1
HOME=/root
NGINX_PORT_80_TCP=tcp://10.104.210.165:80
FRONTEND_PORT_80_TCP_ADDR=10.109.68.171
REDIS_MASTER_SERVICE_PORT=6379
REDIS_MASTER_PORT=tcp://10.106.204.32:6379
REDIS_MASTER_PORT_6379_TCP_ADDR=10.106.204.32
HELLO_PORT_80_TCP=tcp://10.109.229.1:80
FRONTEND_PORT_80_TCP_PORT=80
EXAMPLE_SERVICE_PORT_8080_TCP_ADDR=10.100.94.120
FRONTEND_PORT_80_TCP_PROTO=tcp
EXAMPLE_SERVICE_SERVICE_HOST=10.100.94.120
REDIS_MASTER_PORT_6379_TCP_PORT=6379
EXAMPLE_SERVICE_PORT_8080_TCP_PORT=8080
REDIS_MASTER_PORT_6379_TCP_PROTO=tcp
MY_SERVICE_SERVICE_HOST=10.104.130.24
EXAMPLE_SERVICE_PORT_8080_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
EXAMPLE_SERVICE_SERVICE_PORT=8080
EXAMPLE_SERVICE_PORT=tcp://10.100.94.120:8080
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NGINX_SERVICE_HOST=10.104.210.165
FRONTEND_PORT_80_TCP=tcp://10.109.68.171:80
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MY_SERVICE_SERVICE_PORT=80
MY_SERVICE_PORT=tcp://10.104.130.24:80
REDIS_MASTER_PORT_6379_TCP=tcp://10.106.204.32:6379
EXAMPLE_SERVICE_PORT_8080_TCP=tcp://10.100.94.120:8080
HELLO_SERVICE_HOST=10.109.229.1
SPECIAL_LEVEL_KEY=very
NGINX_SERVICE_PORT=80
NGINX_PORT=tcp://10.104.210.165:80
MY_SERVICE_PORT_80_TCP_ADDR=10.104.130.24
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
HELLO_PORT=tcp://10.109.229.1:80
KUBERNETES_SERVICE_HOST=10.96.0.1
MY_SERVICE_PORT_80_TCP_PORT=80
HELLO_SERVICE_PORT=80
PWD=/
MY_SERVICE_PORT_80_TCP_PROTO=tcp
NGINX_PORT_80_TCP_ADDR=10.104.210.165
FRONTEND_SERVICE_HOST=10.109.68.171
NGINX_PORT_80_TCP_PORT=80
NGINX_PORT_80_TCP_PROTO=tcp在configmaps中定义所有的键值对作为容器的环境变量
[root@k8s-01 chapter08]# cat pod-configmap-envFrom.yaml 
apiVersion: v1
kind: Pod
metadata:name: dapi-test-pod
spec:containers:- name: test-containerimage: busyboxcommand: [ "/bin/sh", "-c", "env" ]envFrom:- configMapRef:name: special-configrestartPolicy: Never[root@k8s-01 chapter08]# cat configmap-multikeys.yaml 
apiVersion: v1
kind: ConfigMap
metadata:name: special-confignamespace: default
data:SPECIAL_LEVEL: verySPECIAL_TYPE: charm[root@k8s-01 chapter08]# kubectl get pod
NAME            READY   STATUS      RESTARTS   AGE
dapi-test-pod   0/1     Completed   0          2m1s
[root@k8s-01 chapter08]# kubectl logs dapi-test-pod |grep very
SPECIAL_LEVEL=very
[root@k8s-01 chapter08]# kubectl logs dapi-test-pod |grep charm
SPECIAL_TYPE=charm在pod命令中使用configmap定义的环境变量

configmap 使用案例

configmap结合nginx使用
[root@k8s-01 chapter08]# cat nginx_deployment.yaml 
apiVersion: v1
kind: ConfigMap
metadata:name: nginx-conf
data:nginx.conf: |user nginx;worker_processes  3;error_log  /var/log/nginx/error.log;events {worker_connections  10240;}http {log_format  main'remote_addr:$remote_addr\t''time_local:$time_local\t''method:$request_method\t''uri:$request_uri\t''host:$host\t''status:$status\t''bytes_sent:$body_bytes_sent\t''referer:$http_referer\t''useragent:$http_user_agent\t''forwardedfor:$http_x_forwarded_for\t''request_time:$request_time';access_log        /var/log/nginx/access.log main;server {listen       80;server_name  _;location / {root   html;index  index.html index.htm;}}include /etc/nginx/virtualhost/virtualhost.conf;}virtualhost.conf: |upstream app {server localhost:8080;keepalive 1024;}server {listen 80 default_server;root /usr/local/app;access_log /var/log/nginx/app.access_log main;error_log /var/log/nginx/app.error_log;location / {proxy_pass http://www.baidu.com;proxy_http_version 1.1;}}
---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx
spec:selector:matchLabels:app: nginxreplicas: 1template:metadata:labels:app: nginxspec:containers:- name: nginximage: nginxports:- containerPort: 80volumeMounts:- mountPath: /etc/nginx # mount nginx-conf volumn to /etc/nginxreadOnly: truename: nginx-conf- mountPath: /var/log/nginxname: logvolumes:- name: nginx-confconfigMap:name: nginx-conf # place ConfigMap `nginx-conf` on /etc/nginxitems:- key: nginx.confpath: nginx.conf- key: virtualhost.confpath: virtualhost/virtualhost.conf # dig directory- name: logemptyDir: {}---
apiVersion: v1
kind: Service
metadata:name: nginx
spec:type: LoadBalancerports:- port: 80targetPort: 80selector:app: nginx这个实验如果修改nginx 的upstream 中的跳转地址,需要手动进去pod 里面重启nginx

secret

创建密钥
从文件获取内容创建密钥
创建文件
# echo -n 'admin' > ./username.txt
# echo -n '1f2dl32e67df' > ./password.txt
创建密钥
# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
手工创建密钥
- 把信息转换成base64编码
echo -n 'admin' | base64
echo -n '1f2dl32e67df' | base64
注意: 命令中必须使用普通连字符 -n 和直引号 '。如果写成 –n 和 ‘ ’, echo 会把这些字符连同结尾的换行一起输出, 编码出来的就不是预期的用户名和密码。base64 只是编码而不是加密, 任何能读取该 Secret 的人都可以解码。
创建密钥
# kubectl create -f secret-example.yaml
使用密钥
密钥作为卷进行挂载
配置文件参考secret-volume.yaml文件
密钥文件作为指定路径的映射
配置文件参考secret-special-path.yaml
将秘钥作为环境变量
配置文件参考secret-env-pod.yaml
作为环境变量注入时, 密钥值会出现在容器的环境中(例如 env 命令的输出); 以只读卷挂载可以减少这种暴露。
[root@k8s-01 chapter08]# cat secret-example.yaml
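# Opaque Secret referenced by the pod manifests on this page via
# `secretName: mysecret` / `secretKeyRef.name: mysecret`.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # Values under `data` are base64-encoded, not encrypted; anyone who can
  # read this object (or this file) can decode them.
  # Generated with `echo -n 'admin' | base64` and
  # `echo -n '1f2dl32e67df' | base64`. The plain hyphen in -n and the
  # straight quotes matter: with a typographic dash or curly quotes, echo
  # emits those characters plus a trailing newline and they become part of
  # the stored credential.
  username: YWRtaW4=
  password: MWYyZGwzMmU2N2Rm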
[root@k8s-01 chapter08]# cat secret-volume.yaml 
apiVersion: v1
kind: Pod
metadata:name: mypod
spec:containers:- name: mypodimage: redisvolumeMounts:- name: foomountPath: "/etc/foo"readOnly: truevolumes:- name: foosecret:secretName: mysecret[root@k8s-01 chapter08]# cat secret-special-path.yaml 
apiVersion: v1
kind: Pod
metadata:name: mypod1
spec:containers:- name: mypoadimage: redisvolumeMounts:- name: foomountPath: "/etc/foo"readOnly: truevolumes:- name: foosecret:secretName: mysecretitems:- key: usernamepath: my-group/my-username
[root@k8s-01 chapter08]# cat secret-env-pod.yaml 
apiVersion: v1
kind: Pod
metadata:name: secret-env-pod
spec:containers:- name: mycontainerimage: redisenv:- name: SECRET_USERNAMEvalueFrom:secretKeyRef:name: mysecretkey: username- name: SECRET_PASSWORDvalueFrom:secretKeyRef:name: mysecretkey: passwordrestartPolicy: Never上面几种方式均可以引入定义好的密文

k8s从私有库拉取镜像案例

创建密钥
第一种方法
登陆docker,并创建密钥
# kubectl create secret generic regcred --from-file=.dockerconfigjson=/root/.docker/config.json --type=kubernetes.io/dockerconfigjson
第二种方法
在命令行中创建密钥
# kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
注意: 第二种方法把密码写在命令行参数里, 会留在 shell 历史记录中, 并且在命令运行期间可以通过进程列表看到; 第一种方法导入的 config.json 可能包含多个仓库的登录凭据, 导入前应确认其内容。
[root@k8s-01 chapter08]# cat my-private-reg-pod.yaml
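# Pod that pulls its image from a private registry using the `regcred`
# image-pull secret created above.
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    # NOTE(review): `:latest` is a mutable tag; pinning a specific version
    # or digest makes the pulled image reproducible and auditable.
    image: mike0405/nginx:latest
  # The referenced secret must exist in the same namespace as the pod.
  imagePullSecrets:
  - name: regcred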

参考文档

https://edu.csdn.net/learn/27763/375906?spm=1002.2001.3001.4157
http://www.lryc.cn/news/140075.html
