
012.Kubernetes的configmap和secret配置

使用configmap对所有的配置文件进行统一管理

一 configmap配置管理

1.1 检查mysql的配置

[root@docker-server1 storage]# kubectl get pods

NAME                                READY   STATUS    RESTARTS   AGE
busybox-674bd96f74-8d7ml            0/1     Pending   0          4d16h
hello-daemonset-gmmz7               1/1     Running   0          112m
hello-deployment-5fdb46d67c-gw2t6   1/1     Running   0          4d15h
hello-deployment-5fdb46d67c-s68tf   1/1     Running   0          5d17h
hello-deployment-5fdb46d67c-vzb4f   1/1     Running   0          4d15h
mysql-7767cffc57-jth7j              1/1     Running   0          24m
nginx                               2/2     Running   50         8d
wordpress-6cbb67575d-6zgx7          1/1     Running   0          107m

[root@docker-server1 storage]# kubectl exec -it mysql-7767cffc57-jth7j /bin/bash

root@mysql-7767cffc57-jth7j:/# cat /etc/mysql/my.cnf 

# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2.0,
# as published by the Free Software Foundation.
#
# This program is also distributed with certain software (including
# but not limited to OpenSSL) that is licensed under separate terms,
# as designated in a particular file or component or in included license
# documentation.  The authors of MySQL hereby grant you an additional
# permission to link the program and your derivative works with the
# separately licensed software that they have included with MySQL.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License, version 2.0, for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA

!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

root@mysql-7767cffc57-jth7j:/# cat /etc/mysql/conf.d/docker.cnf 

[mysqld]
skip-host-cache
skip-name-resolve

root@mysql-7767cffc57-jth7j:/# cat /etc/mysql/conf.d/mysql.cnf 

[mysql]

1.2 通过configmap修改MySQL配置文件

[root@docker-server1 ingress]# mkdir /yamls/configmaps

[root@docker-server1 ingress]# cd /yamls/configmaps

[root@docker-server1 configmaps]# vim mysql-config.yaml

# ConfigMap consumed by mysql-deployment.yaml: two values are injected as
# environment variables, the third is mounted as a file.
# NOTE(review): ConfigMap data is stored and displayed in plain text —
# `kubectl describe configmap mysql-config` prints mysql-pass verbatim, and
# anyone allowed to read ConfigMaps in this namespace can read the root
# password. Credentials belong in a Secret (kind: Secret, referenced from the
# container via secretKeyRef), not in a ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata: 
  name: mysql-config
  namespace: default
data:
  # becomes MYSQL_ROOT_PASSWORD through configMapKeyRef — plain text, see note above
  mysql-pass: "RedHat123"
  # becomes MYSQL_DATABASE through configMapKeyRef
  mysql-database: "wordpress"
  # mounted into the container as /etc/mysql/conf.d/custom.cnf (items: key custom.cnf)
  custom.cnf: |
    [mysqld]
    log-bin = mysql-bin
    server-id = 1

1.3 运行

[root@docker-server1 configmaps]# kubectl apply -f mysql-config.yaml

[root@docker-server1 configmaps]# kubectl get configmap

NAME           DATA   AGE
mysql-config   3      19s

[root@docker-server1 configmaps]# kubectl describe configmap mysql-config

Name:         mysql-config
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","data":{"custom.cnf":"[mysqld]\nlog-bin = mysql-bin\nserver-id = 1\n","mysql-database":"wordpress","mysql-pass":"RedHat...

Data
====
custom.cnf:
----
[mysqld]
log-bin = mysql-bin
server-id = 1

mysql-database:
----
wordpress
mysql-pass:
----
RedHat123
Events:  <none>

1.4 修改deployment发布文件

[root@docker-server1 configmaps]# vim /yamls/deployment/mysql-deployment.yaml 

# MySQL 5.7 Deployment: data directory on a PVC, custom.cnf and the
# MYSQL_ROOT_PASSWORD / MYSQL_DATABASE values taken from ConfigMap mysql-config.
apiVersion:  apps/v1
kind: Deployment
metadata:
  name: mysql
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql 
    spec:
     # volumes:
     #   - name: mydata
     #     nfs:
     #       server: 192.168.132.133
     #       path: /data/mysql
      volumes:
        - name: mydata
          persistentVolumeClaim:
            claimName: pvc-rwo
        # only the custom.cnf key is projected; mysql-pass / mysql-database are
        # not written to disk by this volume
        - name: config-volume
          configMap:
            name: mysql-config
            items:
            - key: custom.cnf
              path: custom.cnf
      containers:
        - name: mysql
          image: mysql:5.7
          volumeMounts:
            - name: mydata
              mountPath: /var/lib/mysql
            # NOTE(review): mounting the volume on /etc/mysql/conf.d replaces
            # the whole directory — the image's docker.cnf (skip-host-cache,
            # skip-name-resolve) and mysql.cnf are no longer visible; `ls` in
            # the pod shows only custom.cnf. Use a subPath mount of
            # custom.cnf (or another mountPath) if those defaults are wanted.
            - name: config-volume
              mountPath: /etc/mysql/conf.d
          ports:
            - containerPort: 3306
          env:
            # NOTE(review): root password sourced from a ConfigMap, i.e. plain
            # text readable by anyone with ConfigMap read access; a Secret with
            # secretKeyRef is the intended mechanism for credentials.
            - name: MYSQL_ROOT_PASSWORD
              valueFrom: 
                configMapKeyRef:
                  name: mysql-config
                  key: mysql-pass
            - name: MYSQL_DATABASE
              valueFrom:
                configMapKeyRef:
                  name: mysql-config
                  key: mysql-database

1.6 验证

[root@docker-server1 configmaps]# kubectl exec -it mysql-d7dfdd964-gs726 /bin/bash

root@mysql-d7dfdd964-gs726:/# mysql -uroot -pRedHat123

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wordpress          |
+--------------------+

root@mysql-d7dfdd964-gs726:/# cd /etc/mysql/conf.d/

root@mysql-d7dfdd964-gs726:/etc/mysql/conf.d# ls

custom.cnf

root@mysql-d7dfdd964-gs726:/etc/mysql/conf.d# cat custom.cnf

[mysqld]
log-bin = mysql-bin
server-id = 1

pod 已经读取到 configmap 中定义的配置文件

二 Secret配置管理

2.1 拉取镜像仓库harbor

[root@docker-server3 ~]# cd /usr/local/harbor/

[root@docker-server3 harbor]# ls

common  docker-compose.yml  harbor.yml  install.sh  LICENSE  pki  prepare

[root@docker-server3 harbor]# ./install.sh 

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://darren.yutian.com. 
For more details, please visit https://github.com/goharbor/harbor .

访问https://darren.yutian.com/

 

 

2.2 使用私有仓库部署一个nginx 

复制镜像pull命令

docker pull darren.yutian.com/library/nginx:1.15

[root@docker-server1 deployment]# vi harbor-nginx-daemonset.yaml

# Deployment (despite the file name, not a DaemonSet) pulling nginx from the
# private Harbor registry darren.yutian.com.
# NOTE(review): no imagePullSecrets is set, so the kubelet pulls anonymously
# and the pod ends in ErrImagePull / "pull access denied" — the node's own
# `docker login` session is not used by Kubernetes. The registry is also
# listed under insecure-registries in the node's daemon.json, which relaxes
# certificate checking for that host; trusting the registry's CA certificate
# on the nodes is the safer configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
    name: hello-secret
    namespace: default
spec:
  selector:
    matchLabels:
      name: hello-secret
  template:
    metadata:
      labels:
        name: hello-secret
    spec:
      containers:
      - name: webserver
        image: darren.yutian.com/library/nginx:1.15

[root@docker-server1 deployment]# cat /etc/hosts

192.168.132.133  darren.yutian.com hello.example.com

[root@docker-server1 deployment]# cat /etc/docker/daemon.json 

{
"insecure-registries":["http://192.168.132.133:5000","https://darren.yutian.com"],  
"registry-mirrors":["https://o0o4czij.mirror.aliyuncs.com"]
}

2.3 删除掉本地的密码文件

[root@docker-server3 harbor]# cat /root/.docker/config.json

{
    "auths": {
        "darren.yutian.com": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.5 (linux)"
    }
}

[root@docker-server3 harbor]# rm -rf /root/.docker/config.json

同时删除本地的nginx镜像

[root@docker-server3 harbor]# docker image ls|grep nginx|awk '{print $3}' |xargs docker rmi -f 

2.4 运行deployment

[root@docker-server1 deployment]# kubectl apply -f harbor-nginx-daemonset.yaml

deployment.apps/hello-secret created

[root@docker-server1 deployment]# kubectl get pods

NAME                                READY   STATUS         RESTARTS   AGE
busybox-674bd96f74-8d7ml            0/1     Pending        0          4d17h
hello-deployment-5fdb46d67c-2zt5z   1/1     Running        0          10m
hello-deployment-5fdb46d67c-jc27w   1/1     Running        0          10m
hello-deployment-5fdb46d67c-x6k8n   1/1     Running        0          10m
hello-secret-689dc66f44-vrdhv       0/1     ErrImagePull   0          3s
mysql-d7dfdd964-gs726               1/1     Running        0          64m
nginx                               2/2     Running        51         8d
wordpress-6cbb67575d-6zgx7          1/1     Running        0          3h16m

2.5 查看详细信息

[root@docker-server1 deployment]# kubectl describe pods hello-secret-689dc66f44-vrdhv

Name:         hello-secret-689dc66f44-vrdhv
Namespace:    default
Priority:     0
Node:         192.168.132.133/192.168.132.133
Start Time:   Sat, 18 Jan 2020 02:40:40 -0500
Labels:       name=hello-secret
              pod-template-hash=689dc66f44
Annotations:  <none>
Status:       Pending
IP:           10.244.2.32
IPs:
  IP:           10.244.2.32
Controlled By:  ReplicaSet/hello-secret-689dc66f44
Containers:
  webserver:
    Container ID:   
    Image:          darren.yutian.com/library/nginx:1.15
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ErrImagePull
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-bwbrn (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  default-token-bwbrn:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-bwbrn
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                 From                      Message
  ----     ------     ----                ----                      -------
  Normal   Scheduled  <unknown>           default-scheduler         Successfully assigned default/hello-secret-689dc66f44-vrdhv to 192.168.132.133
  Normal   Pulling    29s (x4 over 109s)  kubelet, 192.168.132.133  Pulling image "darren.yutian.com/library/nginx:1.15"
  Warning  Failed     29s (x4 over 109s)  kubelet, 192.168.132.133  Failed to pull image "darren.yutian.com/library/nginx:1.15": rpc error: code = Unknown desc = Error response from daemon: pull access denied for darren.yutian.com/library/nginx, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
  Warning  Failed     29s (x4 over 109s)  kubelet, 192.168.132.133  Error: ErrImagePull
  Normal   BackOff    14s (x5 over 109s)  kubelet, 192.168.132.133  Back-off pulling image "darren.yutian.com/library/nginx:1.15"
  Warning  Failed     14s (x5 over 109s)  kubelet, 192.168.132.133  Error: ImagePullBackOff

拉取镜像失败,是因为没有提供私有仓库的登录凭据(认证失败)

2.6 创建secret的yaml文件

生产环境中节点较多时,每个节点都需要从自己的私有仓库拉取镜像,逐个节点登录并不现实,这时就可以使用 secret 保存登录凭据

可以把 /root/.docker/config.json文件放进secret中

{
    "auths": {
        "darren.yutian.com": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.5 (linux)"
    }
}

base64 编码(只是编码,并非加密)

[root@docker-server1 secrets]# docker login darren.yutian.com

[root@docker-server1 secrets]# cat /root/.docker/config.json  |base64 -w 0

ewoJImF1dGhzIjogewoJCSJkYXJyZW4ueXV0aWFuLmNvbSI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy41IChsaW51eCkiCgl9Cn0=

[root@docker-server1 secrets]# vim hub.yaml

# Image-pull Secret for the private Harbor registry; referenced from the
# Deployment through imagePullSecrets (must live in the same namespace).
# NOTE(review): the value below is only the base64 encoding of
# /root/.docker/config.json, i.e. `base64 -d` recovers the file and the
# "auth" field inside it (itself base64 of user:password). This is not
# encryption: anyone who can read Secrets in the namespace, or who holds an
# etcd backup without encryption at rest, obtains the registry credentials.
# Prefer a dedicated low-privilege pull account over the admin account, and
# keep the generated manifest out of version control / public posts.
apiVersion: v1
kind: Secret
metadata:
  name: hub-secret
  namespace: default
type: kubernetes.io/dockerconfigjson
data:
  # base64 of ~/.docker/config.json produced by `docker login darren.yutian.com`
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJkYXJyZW4ueXV0aWFuLmNvbSI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy41IChsaW51eCkiCgl9Cn0=

2.7 生成secret

[root@docker-server1 secrets]# kubectl apply -f hub.yaml

secret/hub-secret created

[root@docker-server1 secrets]# kubectl get secret

NAME                  TYPE                                  DATA   AGE
default-token-bwbrn   kubernetes.io/service-account-token   3      8d
hub-secret            kubernetes.io/dockerconfigjson        1      7s

[root@docker-server1 secrets]# rm -rf /root/.docker/config.json 

2.8 应用secret验证

[root@docker-server1 secrets]# vi ../deployment/harbor-nginx-daemonset.yaml 

# Same Deployment as before, now with imagePullSecrets so the kubelet
# authenticates to darren.yutian.com with the credentials in hub-secret.
# Applying it creates a new ReplicaSet; the pod then reaches Running.
apiVersion: apps/v1
kind: Deployment
metadata:
    name: hello-secret
    namespace: default
spec:
  selector:
    matchLabels:
      name: hello-secret
  template:
    metadata:
      labels:
        name: hello-secret
    spec:
      # hub-secret must exist in the same namespace (default) as this pod
      imagePullSecrets:
      - name: hub-secret
      containers:
      - name: webserver
        image: darren.yutian.com/library/nginx:1.15
        ports:
        - containerPort: 80

[root@docker-server1 secrets]# kubectl apply -f ../deployment/harbor-nginx-daemonset.yaml

deployment.apps/hello-secret configured

[root@docker-server1 secrets]# kubectl get pods

[root@docker-server1 secrets]# kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
busybox-674bd96f74-8d7ml            0/1     Pending   0          4d18h
hello-deployment-5fdb46d67c-2zt5z   1/1     Running   0          29m
hello-deployment-5fdb46d67c-jc27w   1/1     Running   0          28m
hello-deployment-5fdb46d67c-x6k8n   1/1     Running   0          29m
hello-secret-5858858899-m4c7t       1/1     Running   0          10s
mysql-d7dfdd964-gs726               1/1     Running   0          83m
nginx                               2/2     Running   52         8d
wordpress-6cbb67575d-6zgx7          1/1     Running   0          3h35m

secret验证方式试验成功


博主声明:本文的内容来源主要来自誉天教育晏威老师,由本人实验完成操作验证,需要的博友请联系誉天教育(http://www.yutianedu.com/),获得官方同意或者晏老师(https://www.cnblogs.com/breezey/)本人同意即可转载,谢谢!
