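9 - Special storage volumes: ConfigMap and Secret
These give Kubernetes administrators and users a way to inject configuration from outside the cluster into the applications running inside Pods. It works like a configuration center: configuration files are stored in it, and when the configuration changes, Pods reload those files, which greatly simplifies management. A ConfigMap can be thought of as the configuration center of Kubernetes. ConfigMap data is stored in plaintext, whereas Secret data is stored Base64-encoded (an encoding, not encryption).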
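Ways to configure containerized applications
- Custom command-line arguments
  - command
  - args: [ ]
- Baking the configuration files directly into the image
- Environment variables
  - Cloud Native applications can usually load their configuration directly from environment variables;
  - An entrypoint script preprocesses the variables into settings in the configuration file;
- Storage volumes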
Creating a ConfigMap
kubectl create configmap --help

Example 1:
kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.leiyan.com
View:
kubectl get cm
kubectl describe cm nginx-config

Example 2:
kubectl create configmap nginx-www --from-file=./www.conf
View:
kubectl get cm nginx-www -o yaml
kubectl describe cm nginx-www
Consuming ConfigMap data in a Pod (environment variables)
Example:
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-configmap
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
Verify
[root@master volmenu]# kubectl exec -it pod-vol-configmap -- /bin/sh
Modifying ConfigMap data
kubectl edit cm nginx-config
Consuming a ConfigMap as a storage volume in a Pod: the configuration files can be modified live and the change takes effect
Example:
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-configmap2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
Consuming a ConfigMap as a file in a Pod
Example:
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-configmap3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
Example: storing a password in a Secret
kubectl create secret generic mysql-root-password --from-literal=password=MyP@ss123
# View
kubectl describe secret mysql-root-password
kubectl get secret mysql-root-password -o yaml
Usage example:
apiVersion: v1
kind: Pod
metadata:
  name: pod-vol-secret
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          # Must match the name of the Secret created above
          name: mysql-root-password
          # Must match the key given in --from-literal
          key: password
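The following is an added example, not part of the original page: a shell sketch that resolves the secretKeyRef of the Pod above against the Secret's Base64 data, showing that the stored value decodes to the plaintext password without any key and that a reference to an unknown Secret name or key fails. The two manifests are constructed samples, and secret_value and resolve_secret_env are hypothetical helper names.

```shell
# Constructed sample: the shape `kubectl get secret mysql-root-password -o yaml`
# returns for the Secret created above (server-generated metadata omitted).
SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: mysql-root-password
type: Opaque
data:
  password: TXlQQHNzMTIz'

# Constructed sample: the env section of the pod-vol-secret manifest.
POD_ENV_YAML='env:
- name: MYSQL_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: mysql-root-password
      key: password'

# secret_value SECRET_YAML KEY: decode one entry under "data:"; status 1 if absent.
secret_value() {
    enc=$(printf '%s\n' "$1" | awk -v k="$2" '
        /^data:/ { d = 1; next }
        /^[^ ]/  { d = 0 }
        d && $1 == (k ":") { print $2; found = 1 }
        END { exit !found }') || return 1
    printf '%s' "$enc" | base64 -d   # plain decoding, no key involved
}

# resolve_secret_env POD_ENV_YAML SECRET_YAML: print VAR=plaintext for each
# secretKeyRef, as the container would see it. Fails on an unknown Secret name
# or key. Assumes "name:" precedes "key:" inside secretKeyRef, as on this page.
resolve_secret_env() {
    sname=$(printf '%s\n' "$2" | awk '
        /^metadata:/ { m = 1; next }
        /^[^ ]/      { m = 0 }
        m && $1 == "name:" { print $2 }')
    printf '%s\n' "$1" | awk '
        $1 == "-" && $2 == "name:" { var = $3; ref = 0 }
        $1 == "secretKeyRef:"      { ref = 1 }
        ref && $1 == "name:"       { name = $2 }
        ref && $1 == "key:"        { print var, name, $2 }' |
    ( while read -r var name key; do
        [ "$name" = "$sname" ] || { echo "no Secret named $name" >&2; exit 1; }
        val=$(secret_value "$2" "$key") || { echo "no key $key in $name" >&2; exit 1; }
        printf '%s=%s\n' "$var" "$val"
    done )
}

resolve_secret_env "$POD_ENV_YAML" "$SECRET_YAML"
```

Anyone who can read the Secret object or the Pod's environment obtains the password, so access to both should be restricted with RBAC.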
Creating a self-signed certificate
KEY
openssl genrsa -out test.key 2048
CRT
openssl req -new -x509 -key test.key -out test.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=test.leiyan.com
Example: importing the certificate into a Secret
kubectl create secret tls leiyan-ssl --cert=test.crt --key=test.key
# View
kubectl get secret
kubectl describe secret leiyan-ssl
Publishing an HTTPS Ingress application
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - test.leiyan.com
    secretName: leiyan-ssl
  rules:
  - host: test.leiyan.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
