Kubernetes ConfigMap and Secret: usage and examples

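1. ConfigMap

Almost every application has configuration to deal with. A ConfigMap exists to make application configuration easier to manage.

A ConfigMap can be created from a directory, from files, or from literal strings. The format is: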
kubectl create configmap

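Create a ConfigMap from a directory: game-config

Each file in the directory becomes one key:value pair in the ConfigMap: the file name is the key and the file content is the value.

Create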

mkdir configmap
wget https://k8s.io/docs/tasks/configure-pod-container/configmap/kubectl/game.properties -O configmap/game.properties
wget https://k8s.io/docs/tasks/configure-pod-container/configmap/kubectl/ui.properties -O configmap/ui.properties
kubectl create configmap game-config --from-file=configmap/

View

kubectl describe configmaps game-config
kubectl get configmaps game-config -o yaml
apiVersion: v1
data:
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
    how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
  creationTimestamp: 2016-02-18T18:52:05Z
  name: game-config
  namespace: default
  resourceVersion: "516"
  selfLink: /api/v1/namespaces/default/configmaps/game-config
  uid: b4952dc3-d670-11e5-8cd0-68f728db1985

Create a ConfigMap from files

Create a ConfigMap with --from-file: several files can be passed in a single create command
kubectl create configmap game-config-2 --from-file=configmap/game.properties --from-file=configmap/ui.properties
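Create a ConfigMap with --from-env-file: each line of the file is stored in the ConfigMap as one key:value pair, for example lives=3. When several files are given, only the last file takes effect.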
kubectl create configmap game-config-env-file --from-env-file=configmap/game-env-file.properties
Create a ConfigMap with --from-file and a custom key:
kubectl create configmap game-config-3 --from-file=game-special-key=configmap/game.properties

Create a ConfigMap from command-line strings:
Create a ConfigMap with --from-literal: key:value pairs are passed in as strings on the command line
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm

Using a ConfigMap inside a container

1. Use it as environment variables in a pod. The "- name" entry can be repeated to bring in values from several ConfigMaps as environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        # Define the environment variable
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
              name: special-config
              # Specify the key associated with the value
              key: special.how
  restartPolicy: Never

2. Mount it as a data volume at a specified path in the pod:
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "cat /etc/config/keys" ]
      volumeMounts:
        - name: config-volume
          mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
        items:
          # The key must exist in special-config, which was created above
          # with the keys special.how and special.type
          - key: special.how
            path: keys
  restartPolicy: Never

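2. Secret

A Secret object holds sensitive information such as passwords, OAuth, SSH keys and tokens. A Secret can be used as environment variables or as a data volume inside a container. The kubelet periodically checks whether the Secret is up to date. A Secret is limited to 1MB in size.

1. Create a Secret automatically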

Create files needed for rest of example.
$ echo -n 'admin' > ./username.txt
$ echo -n '1f2d1e2e67df' > ./password.txt
$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret "db-user-pass" created

View the result

$ kubectl get secrets
NAME           TYPE      DATA      AGE
db-user-pass   Opaque    2         51s

$ kubectl describe secrets/db-user-pass
Name: db-user-pass
Namespace: default
Labels:
Annotations:

Type: Opaque
Data

password.txt: 12 bytes
username.txt: 5 bytes

2. Create a Secret manually

$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

$ vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

$ kubectl create -f ./secret.yaml
secret "mysecret" created

$ kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
kind: Secret
metadata:
  creationTimestamp: 2016-01-22T18:41:56Z
  name: mysecret
  namespace: default
  resourceVersion: "164619"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: cfee02d6-c137-11e5-8d73-42010af00002
type: Opaque

decode

$ echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
1f2d1e2e67df

3. This is an example of a pod that mounts a Secret in a volume:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true
  volumes:
    - name: foo
      secret:
        secretName: mysecret

Map a Secret key to a specific path:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username

Secret file permissions:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        defaultMode: 256
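
An added example, not part of the original post: a POSIX shell check for two details the Secret section relies on. It confirms that each value under data: decodes to exactly the bytes intended (plain echo without -n stores a trailing newline), and that defaultMode: 256 is the decimal form of octal 0400. The sample manifest and the function names are constructed for illustration; GNU base64 and unquoted one-line values are assumed.

```shell
# Added example, not from the original post. Assumes GNU coreutils base64.

# Constructed sample: "password" was encoded with plain `echo` (no -n),
# so the stored value carries a trailing newline.
SAMPLE_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2RmCg=='

# Print "key value" pairs from the data: block of a manifest read on stdin.
secret_data_pairs() {
  awk '
    /^data:[ \t]*$/      { in_data = 1; next }
    in_data && /^[^ \t]/ { in_data = 0 }   # next top-level key ends the block
    in_data && NF == 2   { sub(/:$/, "", $1); print $1, $2 }
  '
}

# Classify one value: "invalid", "trailing-newline:<bytes>" or "ok:<bytes>".
# The body is a subshell, so its variables do not leak into the caller.
check_value() (
  printf '%s' "$1" | base64 --decode >/dev/null 2>&1 || { echo "invalid"; exit 0; }
  len=$(printf '%s' "$1" | base64 --decode | wc -c | tr -d ' ')
  last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
  if [ "$last" = "0a" ]; then
    echo "trailing-newline:$len"
  else
    echo "ok:$len"
  fi
)

# Audit every key of a manifest read on stdin: one "key status" line per key.
audit_secret() {
  secret_data_pairs | while read -r key value; do
    echo "$key $(check_value "$value")"
  done
}

# defaultMode is given in decimal on the page; print the octal mode it means.
mode_to_octal() { printf '%04o\n' "$1"; }

printf '%s\n' "$SAMPLE_MANIFEST" | audit_secret
mode_to_octal 256
```

The same audit can be run on a live object with kubectl get secret mysecret -o yaml | audit_secret.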