
Kubernetes Learning Notes (6): Secret & ConfigMap

I. Secret

Sensitive values such as usernames, passwords, tokens and keys should not be written directly into configuration files; create them as a Secret and reference that instead.

1. Creating a Secret

A Secret can be created in the following ways:

(1) from literal

```sh
$ kubectl create secret generic db-user-pass --from-literal=username=admin --from-literal=password=123456
```

(2) from file

```sh
$ echo -n admin > ./username
$ echo -n 123456 > ./password
$ kubectl create secret generic db-user-pass --from-file=./username --from-file=./password
```

(3) from env file

```sh
$ echo username=admin >> ./env.txt
$ echo password=123456 >> ./env.txt
$ kubectl create secret generic db-user-pass --from-env-file=./env.txt
```

(4) from yml file

```sh
$ echo -n 'admin' | base64
# YWRtaW4=

$ echo -n '123456' | base64
# MTIzNDU2
```

The `-n` matters: without it, `echo` appends a newline that is encoded along with the value, so the Secret would contain "admin\n" instead of "admin".

secret.yml:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-user-pass
type: Opaque
data:
  username: YWRtaW4=
  password: MTIzNDU2
```

Then run:

```sh
$ kubectl apply -f secret.yml
```

2. Viewing a Secret

To inspect a Secret, use:

```sh
$ kubectl describe secret db-user-pass
```

The output looks like this:

```
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  6 bytes
username:  5 bytes
```

The actual values of username and password are not shown here. To see them, use:

```sh
$ kubectl edit secret db-user-pass
```

The output looks like this:

```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  password: MTIzNDU2
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: 2019-02-13T16:16:08Z
  name: db-user-pass
  namespace: default
  resourceVersion: "13730"
  selfLink: /api/v1/namespaces/default/secrets/db-user-pass
  uid: aba61376-2faa-11e9-95b4-025000000001
type: Opaque
```

The values are only base64-encoded, not encrypted, so decoding them reveals the plaintext:

```sh
$ echo MTIzNDU2 | base64 --decode
# 123456

$ echo YWRtaW4= | base64 --decode
# admin
```
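As an added example (not code from the original post), the script below does for a whole manifest what the two commands above do by hand: it reads every entry under `data:` from a Secret file, decodes it, and flags values that were encoded with a trailing newline (the usual result of forgetting `echo -n`). The sample manifest, its `token` entry and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example: decode every `data:` entry of a Secret manifest. base64 is an
# encoding, not encryption: anyone who can read the manifest or run
# `kubectl get secret` recovers the plaintext with one command.
nl='
'
# Emit "key base64value" for each entry under `data:` in the manifest $1.
secret_entries() {
  awk '
    /^data:/                { in_data = 1; next }
    /^[^ ]/                 { in_data = 0 }
    in_data && /^  [^ ]+: / { sub(/:$/, "", $1); print $1, $2 }
  ' "$1"
}
# Print "key=plaintext" for every entry (the manual base64 --decode, automated).
decode_secret_data() {
  secret_entries "$1" | while read -r key b64; do
    # printf '%s' adds no newline, unlike a bare echo
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}
# Print the keys whose plaintext ends in a newline: the classic result of
# `echo value | base64` without -n, which makes logins fail mysteriously.
find_newline_values() {
  secret_entries "$1" | while read -r key b64; do
    # the sentinel "x" keeps $(...) from stripping the trailing newline
    decoded=$(printf '%s' "$b64" | base64 -d; printf x)
    case "${decoded%x}" in
      *"$nl") echo "$key" ;;
    esac
  done
}
# Constructed sample manifest: username/password from the post, plus a
# `token` entry that was encoded with a trailing newline ("tok3n\n").
SAMPLE_SECRET=$(mktemp)
cat > "$SAMPLE_SECRET" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db-user-pass
type: Opaque
data:
  username: YWRtaW4=
  password: MTIzNDU2
  token: dG9rM24K
EOF

decode_secret_data "$SAMPLE_SECRET"   # username=admin, password=123456, token=tok3n
find_newline_values "$SAMPLE_SECRET"  # token
```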

II. ConfigMap

A ConfigMap is very similar to a Secret, except that it is meant for non-sensitive configuration and is stored in plaintext.

1. Creating a ConfigMap

A ConfigMap is created the same way as a Secret and supports the same methods:

(1) from literal

```sh
$ kubectl create configmap appconfig --from-literal=appname=testapp --from-literal=locale=zh-CN
```

(2) from file

```sh
$ echo -n testapp > ./appname
$ echo -n zh-CN > ./locale
$ kubectl create configmap appconfig --from-file=./appname --from-file=./locale
```

(3) from env file

```sh
$ echo appname=testapp >> ./env.txt
$ echo locale=zh-CN >> ./env.txt
$ kubectl create configmap appconfig --from-env-file=./env.txt
```

(4) from yml file

configmap.yml:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: appconfig
data:
  appname: testapp
  locale: zh-CN
```

Then run:

```sh
$ kubectl apply -f configmap.yml
```

2. Viewing a ConfigMap

To inspect a ConfigMap, use:

```sh
$ kubectl describe configmap appconfig
```

The output looks like this:

```
Name:         appconfig
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
appname:
----
testapp
locale:
----
zh-CN
Events:  <none>
```

III. Using them in a Pod

Both Secrets and ConfigMaps can be consumed by a Pod, and both support two methods: as a Volume or as environment variables.

1. As a Volume

pod.yml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
      - /bin/sh
      - -c
      - ls /etc/userpass; sleep 30000
    volumeMounts:
    - name: userpass
      mountPath: /etc/userpass
      readOnly: true
    - name: config
      mountPath: /etc/appconf
      readOnly: true

  volumes:
  - name: userpass
    secret:
      secretName: db-user-pass
  - name: config
    configMap:
      name: appconfig
```

Then run:

```sh
$ kubectl apply -f pod.yml
$ kubectl exec -it mypod sh
```

Then, inside the Pod, run:

```sh
$ ls /etc/userpass/
# password username

$ cat /etc/userpass/password
# 123456

$ ls /etc/appconf/
# appname locale
```

As you can see, a file is created in the Pod for each entry: the file name is the Secret or ConfigMap key and the file content is the value. The Secret content is stored in the Pod as plaintext (already decoded).

Different file names can also be specified, for example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
      - /bin/sh
      - -c
      - ls /etc/userpass; sleep 30000
    volumeMounts:
    - name: userpass
      mountPath: /etc/userpass
      readOnly: true
    - name: config
      mountPath: /etc/appconf
      readOnly: true

  volumes:
  - name: userpass
    secret:
      secretName: db-user-pass
      items:
      - key: username
        path: auth/username
      - key: password
        path: auth/password
  - name: config
    configMap:
      name: appconfig
      items:
      - key: appname
        path: appname
```

Then, inside the Pod, run:

```sh
$ ls /etc/userpass/auth
# password username

$ ls /etc/appconf/
# appname
```

Secrets and ConfigMaps used as Volumes support dynamic updates: when the Secret or ConfigMap changes, the file contents seen inside the Pod change accordingly. The update is not instantaneous (the kubelet refreshes on its sync period), and a volume mounted with `subPath` does not receive updates at all.

2. As environment variables

For example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
      - /bin/sh
      - -c
      - ls /etc/userpass; sleep 30000
    env:
    - name: AUTH_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-user-pass
          key: username
    - name: AUTH_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-user-pass
          key: password
    - name: CONF_APPNAME
      valueFrom:
        configMapKeyRef:
          name: appconfig
          key: appname
    - name: CONF_LOCALE
      valueFrom:
        configMapKeyRef:
          name: appconfig
          key: locale
```

After entering the Pod, run:

```sh
$ echo $AUTH_USERNAME
# admin

$ echo $AUTH_PASSWORD
# 123456

$ echo $CONF_APPNAME
# testapp-edit

$ echo $CONF_LOCALE
# zh-CN
```

When used as environment variables, Secrets and ConfigMaps do not support dynamic updates: the values are fixed when the container starts, so the Pod must be restarted to pick up changes.