Kebernetes 学习总结(7) configmap 和 secret

为了把配置文件从image中解耦，增强应用的可移植性、可复用性，k8s提供了configmap和seret。

configmap
configmap就是一系列配置数据的集合。而这些数据将来可以注入到pod中的container中。注入方式有两种：1)、把configmap做存存储卷，然后挂载；2)、使用ENV的valueFrom方式去引用configmap中所保存的数据。
configmap中保存着k:v格式的数据。value长度没有限制。pod启动时可以到configmap中获取相关的配置项。
1、创建configmap
语法如下
kubectl create configmap cmName --from-file=/path/file_name
或 --from-file=key1=/path/file_name
方式一：

[root@k8s-master-dev volumes]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.inspiry.cn
configmap/nginx-config created
[root@k8s-master-dev volumes]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         7s
[root@k8s-master-dev volumes]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       
Annotations:  

Data
====
nginx_port:
----
80
server_name:
----
myapp.inspiry.cn
Events:  
[root@k8s-master-dev volumes]# cd ../

方式二：

[root@k8s-master-dev manifests]# mkdir configmap
[root@k8s-master-dev manifests]# cd configmap/
[root@k8s-master-dev configmap]# vim www.conf
[root@k8s-master-dev configmap]# cat www.conf
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}
[root@k8s-master-dev configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@k8s-master-dev configmap]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         2m
nginx-www      1         6s
[root@k8s-master-dev configmap]# kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:       
Annotations:  

Data
====
www.conf:
----
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}

Events:  
[root@k8s-master-dev configmap]# kubectl get cm nginx-www -o json
{
    "apiVersion": "v1",
    "data": {
        "www.conf": "server {\n    server_name myapp.inspiry.cn;\n    listen 80;\n    root /usr/share/nginx/html;\n}\n"
    },
    "kind": "ConfigMap",
    "metadata": {
        "creationTimestamp": "2019-03-07T06:44:36Z",
        "name": "nginx-www",
        "namespace": "default",
        "resourceVersion": "117824",
        "selfLink": "/api/v1/namespaces/default/configmaps/nginx-www",
        "uid": "7965f8b2-40a4-11e9-8de3-000c295011ce"
    }
}
[root@k8s-master-dev configmap]#

2、configmap的使用
例1、

[root@k8s-master-dev configmap]# vim pod-configmap.yaml
[root@k8s-master-dev configmap]# cat pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
          optional: false
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
          optional: false
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
pod-cm-1      1/1       Running   0          22s
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-cm-1
TERM=xterm
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.inspiry.cn
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
[root@k8s-master-dev configmap]#

它只在pod启动时有效，如果pod启动后再次kubectl edit cm nginx-config ，该pod将无法应用新的值 。

例2、

[root@k8s-master-dev configmap]# kubectl delete -f pod-configmap.yaml
pod "pod-cm-1" deleted
[root@k8s-master-dev configmap]# vim pod-configmap2.yaml
[root@k8s-master-dev configmap]# cat pod-configmap2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/con.d
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
[root@k8s-master-dev configmap]# vim pod-configmap2.yaml
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap2.yaml
pod/pod-cm-2 created
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- ls /etc/nginx/conf.d/
nginx_port   server_name
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- cat /etc/nginx/conf.d/nginx_port
80[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- cat /etc/nginx/conf.d/server_name
myapp.inspiry.cn[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]#

当 kubectl edit cm nginx-config 将port 改为8088之后，等待同步时间 ，然后再看容器内的变化：

/etc/nginx/config.d # cat nginx_port
8088/etc/nginx/config.d #
/etc/nginx/config.d #
[root@k8s-master-dev configmap]# kubectl delete -f pod-configmap2.yaml
pod "pod-cm-2" deleted
[root@k8s-master-dev configmap]#

例3、

[root@k8s-master-dev configmap]# vim pod-configmap3.yaml
[root@k8s-master-dev configmap]# cat pod-configmap3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap3.yaml
pod/pod-cm-3 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-3   1/1       Running   0          30s
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- ls /etc/nginx/conf.d/
www.conf
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- cat /etc/nginx/conf.d/www.conf
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # nginx -T
.........
# configuration file /etc/nginx/conf.d/www.conf:
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}

如果此时如果kubectl edit cm nginx-www 修改了port，等待同步时间 ，container内的配置会自动修改为新port, 但还需要nginx -s reload ，nginx 才能生效新port。
如果需要mount挂载其中一部分配置，而不是全部配置：可以使用configMap.items

Secret
Secret是用来保存小片敏感数据的k8s资源，例如密码，token，或者秘钥。这类数据当然也可以存放在Pod或者镜像中，但是放在Secret中是为了更方便的控制如何使用数据，并减少暴露的风险。
1、创建secret

[root@k8s-master-dev configmap]# kubectl create secret generic mysql-root-passwd --from-literal=password=P@ssw0rd
secret/mysql-root-passwd created
[root@k8s-master-dev configmap]# kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-lc8dv   kubernetes.io/service-account-token   3         1d
mysql-root-passwd     Opaque                                1         9s
[root@k8s-master-dev configmap]# kubectl describe secret mysql-root-passwd
Name:         mysql-root-passwd
Namespace:    default
Labels:       
Annotations:  

Type:  Opaque

Data
====
password:  8 bytes
[root@k8s-master-dev configmap]# kubectl get secret mysql-root-passwd -o yaml
apiVersion: v1
data:
  password: UEBzc3cwcmQ=
kind: Secret
metadata:
  creationTimestamp: 2019-03-07T07:54:00Z
  name: mysql-root-passwd
  namespace: default
  resourceVersion: "123811"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
  uid: 2b4babc4-40ae-11e9-8de3-000c295011ce
type: Opaque
[root@k8s-master-dev configmap]# echo UEBzc3cwcmQ= | base64 -d
P@ssw0rd[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]#

2、使用secret (将secret映射到pod中)

[root@k8s-master-dev configmap]# vim pod-secret.yaml
[root@k8s-master-dev configmap]# cat pod-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-passwd
          key: password
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-secret.yaml
pod/pod-secret-1 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME           READY     STATUS    RESTARTS   AGE
pod-secret-1   1/1       Running   0          13s
[root@k8s-master-dev configmap]# kubectl exec pod-secret-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-secret-1
MYSQL_ROOT_PASSWORD=P@ssw0rd
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
[root@k8s-master-dev configmap]#