9-特殊存储卷configMap和Secret

给Kubernetes管理员或用户提供从集群外部向POD内部的应用注入配置信息的方式,类似一个配置中心:把配置文件存入配置中心,配置有变化时让POD重载这些配置文件,极大方便管理。可以理解为configMap就是K8S上的配置中心。但configMap中的数据是明文保存的;Secret只是以BASE64编码保存,编码并非加密,任何能读取该Secret对象的人都可以直接解码出原文。

配置容器化应用的方式

  1. 自定义命令行参数
    • command
    • args:[ ]
  2. 把配置文件直接焙进镜像
  3. 环境变量
    • Cloud Native 的应用一般可直接通过环境变量加载配置;
    • 通过entrypoint 脚本来预处理变量为配置文件中的配置信息;
  4. 存储卷

configMap 创建方法

# Prints the usage and the available options (--from-literal, --from-file, ...)
# of the `create configmap` subcommand.
kubectl create configmap --help

例子1:
# Creates ConfigMap nginx-config from two key/value pairs given on the command
# line; the keys are nginx_port and server_name.
kubectl create configmap nginx-config  --from-literal=nginx_port=80 --from-literal=server_name=myapp.leiyan.com

查看:
# `cm` is the short name for configmap. `describe` prints the stored keys and
# values in plain text: anyone with read access to the namespace can see them.
kubectl get cm
kubectl describe cm nginx-config

例子2:
# Creates ConfigMap nginx-www from a file; the key defaults to the file name
# (www.conf) and the value is the whole file content.
kubectl create configmap nginx-www  --from-file=./www.conf

查看:
# `-o yaml` shows the full object including the www.conf content under `data`.
kubectl get cm nginx-www -o yaml
kubectl describe cm nginx-www

POD调用configmap配置信息

例子:

# Pod that copies two ConfigMap keys into environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-configmap
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    # NOTE: env values are resolved when the container starts; a later edit of
    # nginx-config is not seen until the pod is recreated. A missing ConfigMap
    # or key keeps the container from starting unless `optional: true` is set.
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name

查看验证

# Interactive shell inside the pod; run `env | grep NGINX_` there to confirm the
# two variables were injected from ConfigMap nginx-config.
[root@master volmenu]# kubectl exec -it pod-vol-configmap -- /bin/sh

configmap 配置信息修改

# Opens the ConfigMap in $EDITOR; the saved result is written back to the API.
kubectl edit cm nginx-config

POD以存储卷方式调用configmap时,修改configmap后容器内的配置文件会随之更新(由kubelet周期性同步,有一定延迟);而以环境变量方式注入的值不会更新,需要重建POD才能生效

例子:

# Pod that mounts ConfigMap nginx-config as a volume: each key (nginx_port,
# server_name) becomes a file under mountPath.
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-configmap2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d
      # readOnly keeps the container from altering the projected files; edits to
      # the ConfigMap are re-projected by kubelet after its sync delay.
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config

POD调用configmap 文件的方式

例子:

# Pod that mounts ConfigMap nginx-www (one key: www.conf) into nginx's conf.d.
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-configmap3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      # Mounting a volume on a directory hides whatever the image shipped there
      # (e.g. a default.conf); only www.conf is visible under conf.d afterwards.
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www

密码记录进Secret中例子

# Demo only: a value passed with --from-literal ends up in the shell history and
# in `ps` output while the command runs. For a real password create the secret
# from a file with restricted permissions instead, e.g.
#   --from-file=password=./password.txt
# (the part before '=' is the key, the file content becomes the value).
kubectl create secret generic mysql-root-password --from-literal=password=MyP@ss123
# Inspect
# `describe` prints only the byte length per key; `-o yaml` prints the
# base64-encoded value, which `base64 -d` turns back into the plain password.
kubectl describe secret mysql-root-password
kubectl get secret mysql-root-password -o yaml

使用例子:

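# Pod that reads the MySQL root password from Secret mysql-root-password into
# the MYSQL_ROOT_PASSWORD environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-secret
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          # Must match the Secret created with
          # `kubectl create secret generic mysql-root-password --from-literal=password=...`.
          # The original manifest had typos here (mysql-root-passowd / passwoed),
          # which leave the container stuck in CreateContainerConfigError.
          name: mysql-root-password
          key: password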

制作自签证书方法

KEY

# Generates a 2048-bit RSA private key, unencrypted, into test.key. This is the
# TLS private key used below, so restrict its mode (chmod 600) right away.
openssl genrsa -out test.key 2048

CRT

# Self-signed X.509 certificate for CN=test.leiyan.com, signed with test.key.
# No -days is given, so openssl's default validity (30 days) applies; add e.g.
# `-days 365` for anything that must outlive the demo.
openssl req -new -x509 -key test.key -out test.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=test.leiyan.com

证书导入到 Secret 例子

# Stores cert and key as a kubernetes.io/tls Secret. The private key is only
# base64-encoded inside the object, so RBAC on reading secrets in this namespace
# is what actually protects it.
kubectl create secret tls leiyan-ssl --cert=test.crt --key=test.key
# Inspect
kubectl get secret
kubectl describe secret leiyan-ssl

发布HTTPS ingress应用

# HTTPS Ingress for test.leiyan.com, terminating TLS with Secret leiyan-ssl.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on
# newer clusters this needs networking.k8s.io/v1 (pathType on each path,
# backend.service.name / backend.service.port.number) and spec.ingressClassName
# instead of the annotation below.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - test.leiyan.com
    # The TLS Secret must live in the same namespace as the Ingress.
    secretName: leiyan-ssl
  rules:
  - host: test.leiyan.com
    http:
      paths:
      # Empty path: in this API version it matches every request for the host.
      - path:
        backend:
          serviceName: myapp
          servicePort: 80