#Secret - 加密时,最好不要加上换行避免出现其他问题
[14:33:21 root@master1 storage]#cat 19-storage-nginx-secret.yaml
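---
# Basic-auth Secret consumed by the secret-volume Pod. The values under
# `data` are base64-encoded, not encrypted: anyone who can read the Secret
# object (or etcd) recovers them directly, so access is controlled by RBAC
# and encryption at rest, not by this encoding.
apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
# kubernetes.io/basic-auth requires exactly the keys `username` and `password`.
type: kubernetes.io/basic-auth
data:
  # Both values were encoded without a trailing newline; a newline would
  # become part of the projected file content (see the -error variant of
  # the mysql example in this page).
  username: YWRtaW4=      # "admin"
  password: cGFzc3dvcmQ=  # "password"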
[14:42:15 root@master1 storage]#cat 20-storage-nginx-secret-pod.yaml
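---
# Pod that projects nginx-secret into the container as files: one file per
# data key, i.e. /nginxsecret/username and /nginxsecret/password.
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume
spec:
  volumes:
    - name: secret
      secret:
        secretName: nginx-secret
  containers:
    # NOTE: container name is spelled "nginx-secrec" in the original; kept
    # as-is so `kubectl logs -c` invocations on this page still match.
    - name: nginx-secrec
      image: 10.0.0.19:80/mykubernetes/nginx:1.21.3
      volumeMounts:
        - name: secret
          mountPath: /nginxsecret/
          # readOnly keeps the container from altering the projected files.
          readOnly: true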
[14:42:49 root@master1 storage]#kubectl apply -f 19-storage-nginx-secret.yaml
secret/nginx-secret created
[14:42:55 root@master1 storage]#kubectl apply -f 20-storage-nginx-secret-pod.yaml
pod/secret-volume created
[14:43:05 root@master1 storage]#kubectl get all -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/secret-volume 1/1 Running 0 5s 10.244.3.2 node1.noisedu.cn <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 7d15h <none>
[14:43:10 root@master1 storage]#kubectl exec -it secret-volume -- bash
root@secret-volume:/# ls /nginxsecret/
password username
root@secret-volume:/# cat /nginxsecret/password
passwordroot@secret-volume:/# cat /nginxsecret/username
adminroot@secret-volume:/# exit
exit
[14:46:58 root@master1 storage]#echo -e "YWRtaW4=" | base64 -d
admin[14:47:03 root@master1 storage]#echo -e "cGFzc3dvcmQ=" | base64 -d
password
# mariadb case - 初始化mysql密码
# 在其他机器下载images
[15:16:30 root@ha1 ~]#docker run --name mariadb_test -e MYSQL_ROOT_PASSWORD=12345678 -d 10.0.0.55:80/mykubernetes/mariadb:10.6
Unable to find image '10.0.0.55:80/mykubernetes/mariadb:10.6' locally
10.6: Pulling from mykubernetes/mariadb
Digest: sha256:528cfe83d93caba437e75039b606a4637dd5c724c6a25d7c7b64ec2e9eb11303
Status: Downloaded newer image for 10.0.0.55:80/mykubernetes/mariadb:10.6
69e9b912be397977be450d3d80400476397f1932bb462eb1d39ed4ed8fb7fa91
[15:18:49 root@ha1 ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69e9b912be39 10.0.0.55:80/mykubernetes/mariadb:10.6 "docker-entrypoint.s…" About a minute ago Up About a minute 3306/tcp mariadb_test
[15:19:06 root@ha1 ~]#docker exec -it 69e9b912be39 bash
root@69e9b912be39:/# mysql -uroot -p12345678
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> exit
Bye
root@69e9b912be39:/# exit
exit
[15:25:03 root@master1 storage]#echo -n "12345678" | base64
MTIzNDU2Nzg=
[14:57:08 root@master1 storage]#cat 21-storage-secret-mysql-init.yaml
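---
# Secret holding the MariaDB root credentials. The Pod below reads only the
# `password` key into MYSQL_ROOT_PASSWORD.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: kubernetes.io/basic-auth
data:
  # base64 of "root" with no trailing newline. The original listing used
  # cm9vdAo= (that is "root\n"); the stray newline would be handed to any
  # consumer of this key, the same failure this page demonstrates for the
  # password in the -error variant of this file.
  username: cm9vdA==
  # base64 of "12345678", produced with `echo -n` so no newline is included.
  password: MTIzNDU2Nzg=
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-init-secret
spec:
  containers:
    - name: mariadb
      image: 10.0.0.55:80/mykubernetes/mariadb:10.6
      env:
        # Injecting a secret via env is convenient for the entrypoint, but the
        # value is then visible to anything that can read the container's
        # environment (kubectl exec ... env, /proc/<pid>/environ, crash dumps).
        # A volume mount is the lower-exposure option when the image supports it.
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: password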
[15:21:50 root@master1 storage]#kubectl apply -f 21-storage-secret-mysql-init.yaml
secret/mysql-secret created
pod/mysql-init-secret created
[15:21:58 root@master1 storage]#kubectl get all -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/mysql-init-secret 1/1 Running 0 6s 10.244.3.5 node1.noisedu.cn <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 7d15h <none>
[15:22:39 root@master1 storage]#kubectl exec -it mysql-init-secret -- mysql -uroot -p12345678 -e "show databases;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
# 测试如果密码加入回车的话,会报错.
[15:26:48 root@master1 storage]#echo "12345678" | base64
MTIzNDU2NzgK
[15:24:25 root@master1 storage]#cat 21-storage-secret-mysql-init-error.yaml
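---
# Deliberately broken variant: both values carry a trailing newline
# (cm9vdAo= is "root\n", MTIzNDU2NzgK is "12345678\n") because they were
# encoded with plain `echo` instead of `echo -n`. MariaDB initialises the
# root password as "12345678\n", so the login with "12345678" fails with
# ERROR 1045, as shown in the transcript that follows.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: kubernetes.io/basic-auth
data:
  username: cm9vdAo=
  password: MTIzNDU2NzgK
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-init-secret
spec:
  containers:
    - name: mariadb
      image: 10.0.0.55:80/mykubernetes/mariadb:10.6
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: password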
[15:26:15 root@master1 storage]#kubectl apply -f 21-storage-secret-mysql-init-error.yaml
secret/mysql-secret created
pod/mysql-init-secret created
[15:26:28 root@master1 storage]#kubectl get all -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/mysql-init-secret 1/1 Running 0 10s 10.244.3.6 node1.noisedu.cn <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 7d15h <none>
[15:26:38 root@master1 storage]#kubectl exec -it mysql-init-secret -- mysql -uroot -p12345678 -e "show databases;"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
command terminated with exit code 1
# tls 实验 - https
# 回到家目录,开始创建证书
[15:39:23 root@master1 storage]#cd
[15:42:10 root@master1 ~]#openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
..............................+++++
e is 65537 (0x010001)
[15:42:16 root@master1 ~]#openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Chengdu/L=Chengdu/O=DevOps/CN=www.noisedu.cn
Can't load /root/.rnd into RNG
140498693771712:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
[15:42:19 root@master1 ~]#openssl rand -writerand .rnd
[15:43:05 root@master1 ~]#openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Chengdu/L=Chengdu/O=DevOps/CN=www.noisedu.cn
[15:44:01 root@master1 ~]#kubectl create secret tls nginx-ssl-secret --cert=tls.crt --key=tls.key
secret/nginx-ssl-secret created
# 通过configmap导入nginx配置文件
[15:45:06 root@master1 storage]#cat nginx-ssl-conf.d/myserver
myserver.conf myserver-gzip.cfg myserver-status.cfg
[15:45:06 root@master1 storage]#cat nginx-ssl-conf.d/myserver.conf
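server {
    listen 443 ssl;
    # NOTE: the certificate created earlier has CN=www.noisedu.cn, which does
    # not match this server_name. Clients that verify hostnames will reject
    # the connection even after trusting the self-signed certificate; the
    # page's `curl -k` skips verification entirely and therefore hides this.
    server_name www.sswang.com;

    # Certificate and key come from the nginx-ssl-secret TLS Secret mounted
    # read-only at /etc/nginx/certs/.
    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 (present in the original list) are deprecated by
    # RFC 8996 and dropped here; TLSv1.3 is added, which the nginx version
    # reported in the 301 response on this page (1.21.4) supports.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # The 301 response on this page reveals the server version
    # (nginx/1.21.4); `server_tokens off;` would suppress that banner.

    # Pulls in myserver-status.cfg (and any other myserver-*.cfg) projected
    # from the nginx-ssl-conf ConfigMap.
    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}

# Plain-HTTP listener only redirects to HTTPS.
server {
    listen 80;
    server_name www.sswang.com;
    return 301 https://$host$request_uri;
}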
[15:46:48 root@master1 storage]#cat nginx-ssl-conf.d/myserver-status.cfg
# Exposes nginx's stub_status counters under /nginx-status. There is no
# access restriction on this location, so every client that can reach the
# Pod can read it; consider limiting it (e.g. `allow`/`deny` directives)
# before exposing the server beyond a lab.
location /nginx-status {
    stub_status on;
    # Not logging these requests keeps health polling out of the access log.
    access_log off;
}
[15:44:46 root@master1 storage]#kubectl create configmap nginx-ssl-conf --from-file=nginx-ssl-conf.d/
configmap/nginx-ssl-conf created
# 开始配置资源文件, Configmap和secret之前已配置好
[15:47:51 root@master1 storage]#cat 22-storage-secret-nginx-ssl.yaml
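---
# nginx Pod serving HTTPS with the TLS key pair from the nginx-ssl-secret
# Secret and the server configuration from the nginx-ssl-conf ConfigMap.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-ssl-server
  namespace: default
spec:
  containers:
    # NOTE: the tag says 1.21.3, but the 301 response captured later on this
    # page reports nginx/1.21.4. Mutable tags in a private registry can drift
    # from their content; pinning by digest makes the deployed image verifiable.
    - image: 10.0.0.55:80/mykubernetes/nginx:1.21.3
      name: nginx-ssl-server
      volumeMounts:
        # Private key material: read-only so the container cannot overwrite it.
        - name: nginxcerts
          mountPath: /etc/nginx/certs/
          readOnly: true
        # Mounting over conf.d replaces the image's default.conf with the
        # ConfigMap contents (myserver.conf and the *.cfg it includes).
        - name: nginxconfs
          mountPath: /etc/nginx/conf.d/
          readOnly: true
  volumes:
    - name: nginxcerts
      secret:
        secretName: nginx-ssl-secret
    - name: nginxconfs
      configMap:
        name: nginx-ssl-conf
        # optional: false makes the Pod fail to start if the ConfigMap is
        # missing, rather than silently running with the image default config.
        optional: false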
# 开始测试
[15:47:54 root@master1 storage]#kubectl apply -f 22-storage-secret-nginx-ssl.yaml
pod/nginx-ssl-server created
[15:49:24 root@master1 storage]#kubectl get all -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/nginx-ssl-server 1/1 Running 0 5s 10.244.4.3 node2.noisedu.cn <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 7d16h <none>
[15:49:29 root@master1 storage]#curl https://10.244.4.3
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[15:49:56 root@master1 storage]#curl -k https://10.244.4.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[15:50:00 root@master1 storage]#curl http://10.244.4.3
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.21.4</center>
</body>
</html>