Kebernetes 學習總結(7) configmap 和 secret

爲了把配置文件從image中解耦，加強應用的可移植性、可複用性，k8s提供了configmap和seret。

configmap
configmap就是一系列配置數據的集合。而這些數據未來能夠注入到pod中的container中。注入方式有兩種：1)、把configmap作存存儲卷，而後掛載；2)、使用ENV的valueFrom方式去引用configmap中所保存的數據。
configmap中保存着k:v格式的數據。value長度沒有限制。pod啓動時能夠到configmap中獲取相關的配置項。
一、建立configmap
語法以下
kubectl create configmap cmName --from-file=/path/file_name
或 --from-file=key1=/path/file_name
方式一：

[root@k8s-master-dev volumes]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.inspiry.cn
configmap/nginx-config created
[root@k8s-master-dev volumes]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         7s
[root@k8s-master-dev volumes]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx_port:
----
80
server_name:
----
myapp.inspiry.cn
Events:  <none>
[root@k8s-master-dev volumes]# cd ../

方式二：

[root@k8s-master-dev manifests]# mkdir configmap
[root@k8s-master-dev manifests]# cd configmap/
[root@k8s-master-dev configmap]# vim www.conf
[root@k8s-master-dev configmap]# cat www.conf
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}
[root@k8s-master-dev configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@k8s-master-dev configmap]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         2m
nginx-www      1         6s
[root@k8s-master-dev configmap]# kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
www.conf:
----
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}

Events:  <none>
[root@k8s-master-dev configmap]# kubectl get cm nginx-www -o json
{
    "apiVersion": "v1",
    "data": {
        "www.conf": "server {\n    server_name myapp.inspiry.cn;\n    listen 80;\n    root /usr/share/nginx/html;\n}\n"
    },
    "kind": "ConfigMap",
    "metadata": {
        "creationTimestamp": "2019-03-07T06:44:36Z",
        "name": "nginx-www",
        "namespace": "default",
        "resourceVersion": "117824",
        "selfLink": "/api/v1/namespaces/default/configmaps/nginx-www",
        "uid": "7965f8b2-40a4-11e9-8de3-000c295011ce"
    }
}
[root@k8s-master-dev configmap]#

二、configmap的使用
例一、

[root@k8s-master-dev configmap]# vim pod-configmap.yaml
[root@k8s-master-dev configmap]# cat pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
          optional: false
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
          optional: false
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
pod-cm-1      1/1       Running   0          22s
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-cm-1
TERM=xterm
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.inspiry.cn
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
[root@k8s-master-dev configmap]#

它只在pod啓動時有效，若是pod啓動後再次kubectl edit cm nginx-config ，該pod將沒法應用新的值 。

例二、

[root@k8s-master-dev configmap]# kubectl delete -f pod-configmap.yaml
pod "pod-cm-1" deleted
[root@k8s-master-dev configmap]# vim pod-configmap2.yaml
[root@k8s-master-dev configmap]# cat pod-configmap2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/con.d
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
[root@k8s-master-dev configmap]# vim pod-configmap2.yaml
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap2.yaml
pod/pod-cm-2 created
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- ls /etc/nginx/conf.d/
nginx_port   server_name
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- cat /etc/nginx/conf.d/nginx_port
80[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- cat /etc/nginx/conf.d/server_name
myapp.inspiry.cn[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]#

當 kubectl edit cm nginx-config 將port 改成8088以後，等待同步時間 ，而後再看容器內的變化：

/etc/nginx/config.d # cat nginx_port
8088/etc/nginx/config.d #
/etc/nginx/config.d #
[root@k8s-master-dev configmap]# kubectl delete -f pod-configmap2.yaml
pod "pod-cm-2" deleted
[root@k8s-master-dev configmap]#

例三、

[root@k8s-master-dev configmap]# vim pod-configmap3.yaml
[root@k8s-master-dev configmap]# cat pod-configmap3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap3.yaml
pod/pod-cm-3 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-3   1/1       Running   0          30s
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- ls /etc/nginx/conf.d/
www.conf
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- cat /etc/nginx/conf.d/www.conf
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # nginx -T
.........
# configuration file /etc/nginx/conf.d/www.conf:
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}

若是此時若是kubectl edit cm nginx-www 修改了port，等待同步時間 ，container內的配置會自動修改成新port, 但還須要nginx -s reload ，nginx 才能生效新port。
若是須要mount掛載其中一部分配置，而不是所有配置：可使用configMap.items

Secret
Secret是用來保存小片敏感數據的k8s資源，例如密碼，token，或者祕鑰。這類數據固然也能夠存放在Pod或者鏡像中，可是放在Secret中是爲了更方便的控制如何使用數據，並減小暴露的風險。
一、建立secret

[root@k8s-master-dev configmap]# kubectl create secret generic mysql-root-passwd --from-literal=password=P@ssw0rd
secret/mysql-root-passwd created
[root@k8s-master-dev configmap]# kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-lc8dv   kubernetes.io/service-account-token   3         1d
mysql-root-passwd     Opaque                                1         9s
[root@k8s-master-dev configmap]# kubectl describe secret mysql-root-passwd
Name:         mysql-root-passwd
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  8 bytes
[root@k8s-master-dev configmap]# kubectl get secret mysql-root-passwd -o yaml
apiVersion: v1
data:
  password: UEBzc3cwcmQ=
kind: Secret
metadata:
  creationTimestamp: 2019-03-07T07:54:00Z
  name: mysql-root-passwd
  namespace: default
  resourceVersion: "123811"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
  uid: 2b4babc4-40ae-11e9-8de3-000c295011ce
type: Opaque
[root@k8s-master-dev configmap]# echo UEBzc3cwcmQ= | base64 -d
P@ssw0rd[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]#

二、使用secret (將secret映射到pod中)

[root@k8s-master-dev configmap]# vim pod-secret.yaml
[root@k8s-master-dev configmap]# cat pod-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-passwd
          key: password
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-secret.yaml
pod/pod-secret-1 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME           READY     STATUS    RESTARTS   AGE
pod-secret-1   1/1       Running   0          13s
[root@k8s-master-dev configmap]# kubectl exec pod-secret-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-secret-1
MYSQL_ROOT_PASSWORD=P@ssw0rd
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
[root@k8s-master-dev configmap]#