Secret
- Encrypts data and stores it in etcd; the pod's containers access it by mounting a volume
- Use cases:
  - HTTPS certificates
  - Secrets holding Docker registry credentials
- Supported types
Available Commands:
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret
- Two ways a pod consumes a Secret
  - environment variable injection
  - volume mount
Create a Secret
YAML configuration
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4K
  password: cGFzc3dvcmQK
---
Base64-encode the account and password
echo 'admin' | base64
YWRtaW4K
echo 'password' | base64
cGFzc3dvcmQK
Verify:
kubectl get secret
kubectl describe secret
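The encoding step above, as an added shell example that is not part of the original notes: it builds the same Opaque Secret manifest from plaintext key=value pairs and then decodes the manifest again. The round trip is the point a practitioner should keep in mind: base64 is reversible encoding, so anyone who can read the Secret object (kubectl get secret -o yaml) gets the plaintext, and protecting the values in etcd requires the cluster's encryption-at-rest configuration, not base64. The script assumes POSIX sh with the coreutils base64 command; the Secret name "mysecret" and the values are the notes' own.

```shell
#!/bin/sh
# Added example, not part of the original notes: build an Opaque Secret
# manifest from plaintext key=value pairs the way the notes do (echo | base64),
# then decode it again to show the round trip. Assumes POSIX sh with the
# coreutils base64 command; the Secret name "mysecret" is the notes' own.

# Encode one value. printf '%s\n' matches `echo 'admin' | base64`, so the
# trailing newline is part of the value and the output ends in "K".
# tr joins the 76-column wrapping that base64 applies to longer inputs.
b64_enc() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Decode a data: value. Anyone with read access to the Secret object can do
# this, so base64 is encoding for transport, not encryption.
b64_dec() {
    printf '%s' "$1" | base64 -d
}

# Emit a manifest: $1 is the Secret name, the rest are key=value pairs.
make_secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64_enc "$val")"
    done
}

# Read a manifest on stdin and print key=plaintext for every data: entry,
# i.e. what `kubectl get secret mysecret -o yaml` plus base64 -d reveals.
decode_manifest_data() {
    awk '/^data:/ { d = 1; next } /^[^ ]/ { d = 0 } d { print $1, $2 }' |
    while read -r key val; do
        printf '%s=%s\n' "${key%:}" "$(b64_dec "$val")"
    done
}

# Stand-alone run: print the manifest, then the decoded view of it.
make_secret_manifest mysecret username=admin password=password
echo '# decoded:'
make_secret_manifest mysecret username=admin password=password | decode_manifest_data
```

Running the script prints the manifest with username YWRtaW4K and password cGFzc3dvcmQK, followed by the decoded username=admin and password=password lines.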
Consumption method: environment variables
The pod consumes the Secret through environment variables
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
Verify:
Enter the container
echo $SECRET_USERNAME
echo $SECRET_PASSWORD
Consumption method: volumes
YAML configuration
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
Verify:
Enter the container
cat /etc/foo/username
cat /etc/foo/password
ConfigMap
Use case:
Contents of application configuration files
Create && read: environment-variable method
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never
---
Create && read: volume method
apiVersion: v1
kind: ConfigMap
metadata:
  name: redis-config
data:
  redis.properties: |
    redis.host=127.0.0.1
    redis.port=6379
    redis.password=123456
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "cat /etc/config/redis.properties" ]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: redis-config
  restartPolicy: Never
Verify
kubectl get cm
kubectl describe cm
Enter the container (the $(LEVEL) form is only expanded by Kubernetes in the command field; in an interactive shell use plain $LEVEL):
echo $LEVEL
echo $TYPE
cat /etc/config/redis.properties
Updating configuration
Options for having the workload pick up a ConfigMap update:
- The application loads the new configuration dynamically when the ConfigMap changes
  - the application watches the local configuration file and triggers a hot reload when it changes
  - a sidecar container watches whether the configuration file has changed and, if so, notifies the application over HTTP or a socket to hot-reload
  - use a configuration center such as Nacos or Apollo
- Trigger a rolling update, i.e. restart the service
  Rebuild the pod
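The sidecar option and the rolling-update option above, as an added shell example that is not part of the original notes: a minimal watcher that polls the mounted file's content digest and runs a reload hook when it changes, plus a function that emits a deployment patch embedding that digest, which is one way to force the restart the second option describes. Two facts the loop relies on: the kubelet refreshes a ConfigMap volume by atomically swapping its ..data symlink, so comparing content is more robust than watching an inode; and subPath mounts and environment variables never receive updates, so those pods always need the restart path. (The redis.password value the notes put in redis-config belongs in a Secret rather than a ConfigMap.) The script assumes POSIX sh and sha256sum; the deployment name "myapp" and the hook command are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: a sidecar-style watcher that
# detects changes to a mounted ConfigMap file and runs a reload hook, plus a
# patch that forces a rolling update instead. Assumes POSIX sh and sha256sum;
# the deployment name "myapp" and the hook command are placeholders.

# Content digest of the mounted file. The kubelet refreshes a ConfigMap volume
# by swapping the ..data symlink atomically, so compare content rather than
# inode or mtime. Note that subPath mounts and env vars never receive updates.
config_digest() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Exit status 0 when the file's digest differs from the recorded one ($1).
config_changed() {
    [ "$(config_digest "$2")" != "$1" ]
}

# Poll loop: whenever $1 changes, run the hook in $2 (for example
# "kill -HUP 1" in a shared PID namespace, or a curl to the app's reload
# endpoint). $3 is the poll interval in seconds; $4 caps the number of polls
# (0 = run forever) so the loop can be driven in a test.
watch_config() {
    file=$1; hook=$2; interval=${3:-5}; max=${4:-0}
    last=$(config_digest "$file")
    n=0
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        if config_changed "$last" "$file"; then
            last=$(config_digest "$file")
            $hook
        fi
        n=$((n + 1))
        sleep "$interval"
    done
}

# The notes' other option: restart rather than hot-reload. Putting the config
# digest into the pod template annotations changes the template, so applying
# the patch triggers a rolling update of the deployment.
rollout_patch() {
    printf '{"spec":{"template":{"metadata":{"annotations":{"config-digest":"%s"}}}}}' \
        "$(config_digest "$1")"
}

# Stand-alone run against a constructed copy of the notes' redis.properties.
demo_main() {
    tmp=$(mktemp)
    printf 'redis.host=127.0.0.1\nredis.port=6379\n' > "$tmp"
    echo "digest before: $(config_digest "$tmp")"
    printf 'redis.port=6380\n' >> "$tmp"
    echo "patch after change: $(rollout_patch "$tmp")"
    # kubectl patch deployment myapp -p "$(rollout_patch /etc/config/redis.properties)"
    rm -f "$tmp"
}
demo_main
```

In a real sidecar the loop would be started as watch_config /etc/config/redis.properties "<hook>" 5 and left running; the rollout_patch output is meant to be handed to kubectl patch as shown in the comment.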