Kubernetes ConfigMap and Secret

ConfigMap: a standard k8s resource that turns configuration data into an API object so other resources (Pods) can load it.
Secret: the counterpart for sensitive values, made up of multiple key:value pairs. Note that a Secret is base64-encoded, not encrypted: anyone who can read the object (kubectl get secret -o yaml, or etcd directly unless encryption at rest is configured) recovers the plaintext. The protection comes from RBAC on the Secret object and from how the Pod consumes it, not from the encoding.

Creating a ConfigMap: kubectl can create one directly and take the values from the command line

kubectl create configmap filebeat-cfg -n config --from-literal=redis_host="redis.default.svc.cluster.local" --from-literal=log_level="Info"

--from-literal=log_level="Info" creates a key named log_level with the value Info.
Then create a Pod that references keys from the ConfigMap:

apiVersion: v1
kind: Pod
metadata:
  name: pod-cfg-demo
  namespace: config
spec:
  containers:
  - name: filebeat
    image: ikubernetes/filebeat:5.6.5-alpine
    env:                        # environment variables for the container
    - name: REDIS_HOST          # variable name inside the container
      valueFrom:                # the value comes from another resource
        configMapKeyRef:        # namely a ConfigMap key
          name: filebeat-cfg    # the ConfigMap created above
          key: redis_host       # the key whose value is used
    - name: LOG_LEVEL           # likewise a variable name inside the container
      valueFrom:
        configMapKeyRef:
          name: filebeat-cfg
          key: log_level

Exec into the container and the variables are there. But editing a key in the ConfigMap afterwards has no effect on a running container: environment variables are resolved once, when the container starts, so the Pod has to be recreated (or its container restarted) to pick up the change.

Referencing a ConfigMap through a volume
Create two config files (server1.conf and server2.conf) that will populate the volume:



Define the ConfigMap:
kubectl create configmap nginx-cfg --from-file=./server1.conf --from-file=server-2=./server2.conf -n config
--from-file=./server1.conf          # pass a file; with no key given, the file name (server1.conf) becomes the key and the file content the value
--from-file=server-2=./server2.conf # the key can also be set explicitly as key=path; the path may be relative or absolute

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  namespace: config
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    volumeMounts:               # mount a volume into the container
    - name: config              # name of the volume defined below
      mountPath: /etc/nginx/conf.d/
  volumes:                      # volumes of the Pod (must sit under spec, at the same level as containers)
  - name: config                # volume name
    configMap:                  # volume type is configMap (rather than nfs or another file system)
      name: nginx-cfg           # the ConfigMap created above
      items:                    # which keys to project (all keys if omitted)
      - key: server1.conf       # key name
        path: server-first.conf # file name under mountPath
      - key: server-2
        path: server-second.conf

kubectl edit cm nginx-cfg -n config   # edits to a volume-mounted ConfigMap are propagated into the container without restarting the Pod, but not instantly: the kubelet refreshes the projected files on its sync period (plus the ConfigMap cache propagation delay), and a key mounted via subPath is never updated. The application also has to re-read the file; nginx, for example, needs a reload.
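The propagation just described is easier to trust once you see the mechanism. The Python script below is an added illustration, not kubelet code: it reproduces the directory layout the kubelet's atomic writer uses for a ConfigMap volume (a timestamped payload directory, a `..data` symlink that is swapped atomically, and per-key symlinks pointing through `..data`) and shows why a reader that opens the file through the mount sees the new version while a reader that pinned the payload file itself, which is what a subPath mount does, keeps the old one. The mount directory, file names and contents are constructed for the demo.

```python
"""Model of how the kubelet projects a ConfigMap into a volume and updates it
(added illustration; mirrors the layout of the kubelet's atomic writer, not its code).

    <mount>/..<timestamp>/<key>      payload directory, one per published version
    <mount>/..data -> ..<timestamp>  symlink swapped atomically on every update
    <mount>/<key> -> ..data/<key>    stable per-key symlinks, created once
"""
import os
import tempfile
import time


def publish(mount, data):
    """Publish one version of the ConfigMap keys in `data` under `mount`.

    Returns the name of the payload directory that was written."""
    version = "..%s.%09d" % (time.strftime("%Y_%m_%d_%H_%M_%S"), time.time_ns() % 10**9)
    payload = os.path.join(mount, version)
    os.mkdir(payload)
    for key, value in data.items():
        with open(os.path.join(payload, key), "w", encoding="utf-8") as fh:
            fh.write(value)

    # Swap ..data by renaming a temporary symlink over it: readers see either
    # the complete old version or the complete new one, never a mix.
    tmp_link = os.path.join(mount, "..data_tmp")
    os.symlink(version, tmp_link)
    os.replace(tmp_link, os.path.join(mount, "..data"))

    # The per-key symlinks only ever point through ..data, so they are created once.
    for key in data:
        link = os.path.join(mount, key)
        if not os.path.lexists(link):
            os.symlink(os.path.join("..data", key), link)

    # Remove superseded payload directories (an unlinked file's inode survives
    # for anyone who still holds it open, just like a bind-mounted subPath file).
    for entry in os.listdir(mount):
        if entry.startswith("..") and entry not in ("..data", version):
            for name in os.listdir(os.path.join(mount, entry)):
                os.unlink(os.path.join(mount, entry, name))
            os.rmdir(os.path.join(mount, entry))
    return version


def read_via_mount(mount, key):
    """What a container reading <mountPath>/<key> sees with a whole-volume mount."""
    with open(os.path.join(mount, key), encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Publish v1, pin the payload file the way a subPath bind mount does,
    publish v2, and return (what the symlink reader sees, what the pinned reader sees)."""
    mount = tempfile.mkdtemp(prefix="cm-nginx-cfg-")
    publish(mount, {"server1.conf": "server { listen 80; }\n"})    # constructed sample
    # os.path.realpath resolves server1.conf -> ..data/server1.conf -> the payload file,
    # so this handle is bound to the v1 inode, not to the symlink.
    pinned = open(os.path.realpath(os.path.join(mount, "server1.conf")), encoding="utf-8")
    publish(mount, {"server1.conf": "server { listen 8080; }\n"})  # constructed update
    via_symlink = read_via_mount(mount, "server1.conf")
    via_pinned = pinned.read()
    pinned.close()
    return via_symlink, via_pinned


if __name__ == "__main__":
    new, old = demo()
    print("whole-volume mount sees:      ", new.strip())
    print("subPath-style pinned file sees:", old.strip())
```

The same layout is why `ls -la` inside a container shows `..data` and `..2024_...` entries under a ConfigMap or Secret mount, and why `mode:` on a projected file applies to the payload file behind the symlink.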



Secret: the configuration store for sensitive values. The data is base64-encoded, which is encoding, not encryption (see above).
Secret types:
tls: for an SSL/TLS certificate and private key. Whatever the source files are called, the certificate is always stored under the key tls.crt and the private key under tls.key.
generic: ordinary sensitive data that is not a certificate (passwords, tokens and the like).
docker-registry: credentials for pulling images from a registry (Docker Hub or any private registry), stored under the key .dockerconfigjson and referenced from a Pod's imagePullSecrets.

kubectl create secret generic mysql-root-password -n config --from-literal=password=centos   # create a generic Secret

Create a Pod that passes a Secret key to the container:

apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: config
spec:
  containers:
  - name: mysql
    image: mysql:5.6
    env:                          # environment variables for the container
    - name: MYSQL_ROOT_PASSWORD   # not an arbitrary name: the mysql image requires this variable to initialise the root account
      valueFrom:                  # where the value comes from
        secretKeyRef:             # a Secret key
          name: mysql-root-password   # Secret name
          key: password               # key within the Secret

An interactive connection to mysql can log in with the password that was passed in. Be aware of what passing a Secret as an environment variable exposes: the value is readable in /proc/<pid>/environ by anything running as that user in the container, is inherited by every child process, and tends to end up in crash dumps and debug output. For anything sensitive, a volume mount (below) is the safer choice.
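A small audit script makes the two points above concrete: that Secret data is only base64, and that the way a Pod consumes a Secret matters. This is an added example, not part of the page or of Kubernetes; it works on manifests as plain dicts (what yaml.safe_load would return), and the MYSQL_SECRET, MYSQL_POD and TLS_POD objects are constructed samples modelled on the manifests in these notes. The 0644 default for projected Secret files is the Kubernetes default for defaultMode.

```python
"""Audit how Pods consume Secrets (added illustration, not Kubernetes code)."""
import base64


def decode_secret(secret):
    """Return the plaintext behind every key in a Secret's `data` map.

    `data` is only base64; anyone who can read the object (kubectl get secret
    -o yaml, or etcd without encryption at rest) recovers the values."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in (secret.get("data") or {}).items()}


def _mode_finding(volume_name, filename, mode):
    """Flag a projected file whose mode lets group/other read it."""
    if mode & 0o077:
        return ("volume %s: %s is projected with mode %04o, readable by other "
                "users in the container; use mode/defaultMode 0400 for private material"
                % (volume_name, filename, mode))
    return None


def audit_pod(pod):
    """Return a list of findings about how this Pod's spec handles Secrets."""
    findings = []
    spec = pod["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                findings.append(
                    "container %s: env %s takes secret %s/%s; environment variables "
                    "are readable in /proc/<pid>/environ, inherited by child processes "
                    "and commonly captured in crash dumps; prefer a secret volume"
                    % (c["name"], env["name"], ref["name"], ref["key"]))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append("container %s: envFrom imports every key of secret %s "
                                "into the environment" % (c["name"], src["secretRef"]["name"]))
    for v in spec.get("volumes", []):
        sec = v.get("secret")
        if not sec:
            continue
        default_mode = sec.get("defaultMode", 0o644)   # Kubernetes default when unset
        items = sec.get("items")
        if items:
            for it in items:
                f = _mode_finding(v["name"], it.get("path", it["key"]), it.get("mode", default_mode))
                if f:
                    findings.append(f)
        else:
            f = _mode_finding(v["name"], "every key", default_mode)
            if f:
                findings.append(f)
    return findings


# Constructed samples modelled on the manifests in these notes.
MYSQL_SECRET = {"metadata": {"name": "mysql-root-password"}, "type": "Opaque",
                "data": {"password": "Y2VudG9z"}}   # base64("centos")

MYSQL_POD = {"metadata": {"name": "mysql"}, "spec": {"containers": [{
    "name": "mysql", "image": "mysql:5.6",
    "env": [{"name": "MYSQL_ROOT_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "mysql-root-password", "key": "password"}}}]}]}}

TLS_POD = {"metadata": {"name": "myapp-pod-tls"}, "spec": {
    "containers": [{"name": "myapp", "image": "ikubernetes/myapp:v1",
                    "volumeMounts": [{"name": "tls", "mountPath": "/etc/nginx/certs/"}]}],
    "volumes": [{"name": "config", "configMap": {"name": "nginx-cfg"}},
                {"name": "tls", "secret": {"secretName": "mysql-cert", "items": [
                    {"key": "tls.crt", "path": "myapp.crt"},                  # inherits 0644
                    {"key": "tls.key", "path": "myapp.key", "mode": 0o600}]}}]}}

if __name__ == "__main__":
    print("decoded:", decode_secret(MYSQL_SECRET))
    for pod in (MYSQL_POD, TLS_POD):
        for finding in audit_pod(pod):
            print(pod["metadata"]["name"] + ":", finding)
```

Run against the two sample Pods it reports the env-var exposure in the mysql Pod and the 0644 certificate file in the tls Pod, while the private key with mode 0600 passes; the decoded Secret shows the "centos" password with no key or unwrapping involved.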

kubectl create secret tls mysql-cert --cert=./myapp.crt --key=./myapp.key -n config   # create a tls Secret so other Pods can use this certificate and key

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod-tls
  namespace: config
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    volumeMounts:
    - name: config
      mountPath: /etc/nginx/conf.d/
    - name: tls
      mountPath: /etc/nginx/certs/   # mount path inside the container
  volumes:                           # volumes of the Pod
  - name: config                     # volume name
    configMap:                       # volume type configMap
      name: nginx-cfg
      items:
      - key: server1.conf
        path: server-first.conf
      - key: server-2
        path: server-second.conf
  - name: tls
    secret:                          # volume type secret
      secretName: mysql-cert         # the tls Secret created above
      items:                         # which keys to project
      - key: tls.crt                 # the keys are always tls.crt and tls.key, whatever the original files were called
        path: myapp.crt              # file name relative to this volume's mountPath, i.e. /etc/nginx/certs/myapp.crt
      - key: tls.key
        path: myapp.key
        mode: 0600                   # file permissions for the private key (the default is 0644)


StatefulSet: manages stateful applications. It gives each Pod a stable, unique identity (name, network identity, storage); scaling a stateful application beyond that (for example making a new replica join a database cluster) is application-specific logic that the StatefulSet does not handle and has to be scripted separately.
Operator: bundles the operational knowledge of one particular application (install, scale, back up, upgrade and so on). Each application has its own Operator; an Operator runs as a Pod in the cluster and controls that stateful, clustered application.

Defining a StatefulSet:

First create several PVs, statically:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-v0
  labels:
    storage: nfs
spec:
  accessModes: ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"]
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.1.199
    path: /vols/v0
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-v1
  labels:
    storage: nfs
spec:
  accessModes: ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"]
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.1.199
    path: /vols/v1
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-v2
  labels:
    storage: nfs
spec:
  accessModes: ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"]
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.1.199
    path: /vols/v2
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-v3
  labels:
    storage: nfs
spec:
  accessModes: ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"]
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.1.199
    path: /vols/v3
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-v4
  labels:
    storage: nfs
spec:
  accessModes: ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"]
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.1.199
    path: /vols/v4
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-v5
  labels:
    storage: nfs
spec:
  accessModes: ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"]
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  persistentVolumeReclaimPolicy: Retain
  nfs:
    server: 192.168.1.199
    path: /vols/v5
# then create the StatefulSet, whose claims bind to these PVs

Define the StatefulSet:

apiVersion: v1
kind: Service              # the headless Service in front of the StatefulSet
metadata:
  name: myapp-sts-svc
  namespace: sts
  labels:
    app: myapp
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None          # headless: no cluster IP, DNS resolves directly to the Pods
  selector:
    app: myapp-pod
    containers: sts
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: statefulset-demo
  namespace: sts
spec:
  selector:
    matchLabels:
      app: myapp-pod
      containers: sts
  serviceName: "myapp-sts-svc"   # must name the headless Service above
  replicas: 2                    # number of Pods
  template:                      # Pod template
    metadata:
      labels:
        app: myapp-pod
        containers: sts
    spec:
      terminationGracePeriodSeconds: 10   # grace period when a Pod is deleted
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: myapp-pvc        # must match a volumeClaimTemplate name
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:          # PVC template; one PVC per Pod is created from it
  - metadata:
      name: myapp-pvc            # PVC name prefix (the actual PVC is myapp-pvc-<pod name>)
      namespace: sts             # redundant: PVCs are created in the StatefulSet's namespace
    spec:
      accessModes: [ "ReadWriteOnce" ]   # single-node read/write
      resources:                 # how much storage to request
        requests:
          storage: 2Gi
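What the manifests above actually produce is worth working through: the stable Pod, DNS and PVC names the StatefulSet derives from its own name and ordinal, and which of the six PVs the 2Gi claims can bind to. The script below is an added illustration, not page or Kubernetes code. Its binding rule is a simplified model of the PV controller (the claim's access modes must be a subset of the PV's, storage class names must match, capacity must cover the request, and the smallest fitting PV is chosen; ties go to list order here), and PVS and STS are constructed dicts modelled on the manifests in these notes.

```python
"""Stable identities of a StatefulSet and a simplified model of PVC-to-PV
binding (added illustration, not Kubernetes code)."""
import re

_UNITS = {"k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_quantity(q):
    """Convert a Kubernetes quantity such as '5Gi' or '500M' to bytes."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti|k|M|G|T)?", q.strip())
    if not m:
        raise ValueError("unsupported quantity: %r" % q)
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)


def sts_identities(sts):
    """Pod names, DNS names and PVC names a StatefulSet creates. They survive
    rescheduling, which is what keeps the storage attached to an ordinal."""
    name = sts["metadata"]["name"]
    ns = sts["metadata"].get("namespace", "default")
    svc = sts["spec"]["serviceName"]
    claims = [t["metadata"]["name"] for t in sts["spec"].get("volumeClaimTemplates", [])]
    out = []
    for i in range(sts["spec"].get("replicas", 1)):
        pod = "%s-%d" % (name, i)
        out.append({"pod": pod,
                    "dns": "%s.%s.%s.svc.cluster.local" % (pod, svc, ns),
                    "pvcs": ["%s-%s" % (c, pod) for c in claims]})
    return out


def bind(claim_spec, pvs, bound):
    """Name of the PV a claim would bind to, or None if nothing fits."""
    need = parse_quantity(claim_spec["resources"]["requests"]["storage"])
    modes = set(claim_spec["accessModes"])
    sc = claim_spec.get("storageClassName", "")
    fits = [pv for pv in pvs
            if pv["metadata"]["name"] not in bound
            and modes <= set(pv["spec"]["accessModes"])
            and pv["spec"].get("storageClassName", "") == sc
            and parse_quantity(pv["spec"]["capacity"]["storage"]) >= need]
    if not fits:
        return None
    best = min(fits, key=lambda pv: parse_quantity(pv["spec"]["capacity"]["storage"]))
    return best["metadata"]["name"]


def plan(sts, pvs):
    """Map each PVC the StatefulSet will create to the PV it would get."""
    bound, result = set(), {}
    templates = {t["metadata"]["name"]: t["spec"] for t in sts["spec"]["volumeClaimTemplates"]}
    for ident in sts_identities(sts):
        for tmpl_name, spec in templates.items():
            pvc = "%s-%s" % (tmpl_name, ident["pod"])
            pv = bind(spec, pvs, bound)
            if pv:
                bound.add(pv)
            result[pvc] = pv
    return result


def nfs_pv(name, size, path):
    """Build one static NFS PV as a dict (constructed sample, same shape as the manifests above)."""
    return {"metadata": {"name": name, "labels": {"storage": "nfs"}},
            "spec": {"accessModes": ["ReadWriteOnce", "ReadWriteMany", "ReadOnlyMany"],
                     "capacity": {"storage": size},
                     "persistentVolumeReclaimPolicy": "Retain",
                     "nfs": {"server": "192.168.1.199", "path": path}}}


PVS = [nfs_pv("pv-nfs-v0", "1Gi", "/vols/v0")] + \
      [nfs_pv("pv-nfs-v%d" % i, "5Gi", "/vols/v%d" % i) for i in range(1, 6)]

STS = {"metadata": {"name": "statefulset-demo", "namespace": "sts"},
       "spec": {"serviceName": "myapp-sts-svc", "replicas": 2,
                "volumeClaimTemplates": [{"metadata": {"name": "myapp-pvc"},
                                          "spec": {"accessModes": ["ReadWriteOnce"],
                                                   "resources": {"requests": {"storage": "2Gi"}}}}]}}

if __name__ == "__main__":
    for ident in sts_identities(STS):
        print(ident["pod"], ident["dns"], ident["pvcs"])
    for pvc, pv in plan(STS, PVS).items():
        print(pvc, "->", pv)   # pv-nfs-v0 (1Gi) never fits a 2Gi claim
```

The output shows the point that is easy to miss when copying the PV list: pv-nfs-v0 is 1Gi, smaller than the 2Gi request, so it is never bound, and a StatefulSet scaled to six replicas would leave one PVC Pending even though six PVs exist.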
