k3s(2)


ConfigMap and Secret

Reference documentation:

https://kubernetes.io/zh-cn/docs/concepts/configuration/

https://kubernetes.io/zh-cn/docs/concepts/configuration/configmap/

https://kubernetes.io/zh-cn/docs/concepts/configuration/secret/

https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/

ConfigMap

With Docker and nginx we normally bind-mount the configuration file into the container.

In a Kubernetes cluster a container can be scheduled onto any node, so the configuration file has to be reachable, distributable and updatable on every node of the cluster.

As its name says, a ConfigMap

  • is a configuration map: it holds configuration as key-value mappings. Note that the contents are not encrypted; anything that needs to stay confidential belongs in a Secret.
  • decouples environment-specific configuration from the container image, which makes configuration easy to change.
  • propagates changes: when the configuration on the host (the ConfigMap object) is modified, the corresponding configuration file in the container changes too.
  • plays a role similar to a configuration centre such as Nacos in a microservice architecture.
  • cannot exceed 1MB, so it is not meant for storing data, only for simple configuration file mappings.
  • for anything over that limit, mount a storage volume or use a file storage service instead.

Using a ConfigMap

Workflow

  • Define the ConfigMap
  • Inject it into the Pod with volumes
  • Bind the injected volume name to a container path with volumeMounts

ConfigMap configuration example

First create a file mysql-pod-ConfigMap.yaml by copying the MySQL container configuration from before; only the Pod name needs changing.

Then take the example from the official documentation, adapt it, and add it to the MySQL container configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  # contents of the conf.d configuration go here
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4

Add it to mysql-pod-ConfigMap.yaml; note that the two documents are separated by ---

apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-configmap
  labels:
    app: mysql
spec:
  containers:
    - name: mysql
      image: mysql:5.7
      env:
        - name: MYSQL_ROOT_PASSWORD
          value: "123456"
      volumeMounts:
        - mountPath: /var/lib/mysql # directory inside the container
          name: data-volume
  volumes:
    - name: data-volume
      hostPath:
        # directory location on host
        path: /home/mysql/data
        # this field is optional
        type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  # contents of the conf.d configuration go here
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4

The official documentation also shows that the configuration file has to be injected through a volume,

and a binding is added under volumeMounts so that the file is mounted at /etc/mysql/conf.d in the container, a directory you can see inside the MySQL container:

apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-configmap
  labels:
    app: mysql
spec:
  containers:
    - name: mysql
      image: mysql:5.7
      env:
        - name: MYSQL_ROOT_PASSWORD
          value: "123456"
      volumeMounts:
        - mountPath: /var/lib/mysql
          name: data-volume
        - mountPath: /etc/mysql/conf.d
          name: conf-volume
          readOnly: true
  volumes:
    - name: conf-volume
      configMap:
        name: mysql-config
    - name: data-volume
      hostPath:
        # directory location on host
        path: /home/mysql/data
        # this field is optional
        type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4
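As an added example (Python, not code from the original post), the following builds the mysql-config ConfigMap from the conf.d snippet above, enforces the 1MB size limit the post mentions, and projects the configMap volume the way the kubelet does, so you can see which file path the container ends up with; the Pod spec, the size constant and the function names are constructed here to mirror the post's manifests.

```python
import re

CONFIGMAP_LIMIT = 1024 * 1024               # 1 MiB, the limit the post mentions
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")    # a data key must be a plain file name

# Constructed input: the conf.d snippet the post stores in mysql-config
MYSQL_CNF = """[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
init-connect='SET NAMES utf8mb4'
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
"""

def configmap_manifest(name, files):
    """Build a ConfigMap dict; files maps data key -> file content."""
    for key, content in files.items():
        if not KEY_RE.match(key):
            raise ValueError(f"invalid ConfigMap key: {key!r}")
        if len(content.encode()) > CONFIGMAP_LIMIT:
            raise ValueError(f"{key} exceeds 1 MiB: use a volume or file storage")
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name}, "data": dict(files)}

def project_volumes(pod, configmaps):
    """Files a container sees from its configMap volumes, keyed by full path:
    {"/etc/mysql/conf.d/mysql.cnf": (content, read_only)}. Other volume
    types (hostPath here) are skipped."""
    volumes = {v["name"]: v for v in pod["spec"]["volumes"]}
    files = {}
    for c in pod["spec"]["containers"]:
        for m in c.get("volumeMounts", []):
            vol = volumes[m["name"]]
            if "configMap" not in vol:
                continue
            cm = configmaps[vol["configMap"]["name"]]
            for key, content in cm["data"].items():
                path = m["mountPath"].rstrip("/") + "/" + key
                files[path] = (content, m.get("readOnly", False))
    return files

# Constructed Pod spec mirroring the post's mysql-pod-configmap (hostPath omitted)
MYSQL_POD = {"spec": {
    "containers": [{"name": "mysql", "image": "mysql:5.7", "volumeMounts": [
        {"mountPath": "/etc/mysql/conf.d", "name": "conf-volume", "readOnly": True}]}],
    "volumes": [{"name": "conf-volume", "configMap": {"name": "mysql-config"}}]}}

if __name__ == "__main__":
    cm = configmap_manifest("mysql-config", {"mysql.cnf": MYSQL_CNF})
    for path, (_, ro) in project_volumes(MYSQL_POD, {"mysql-config": cm}).items():
        print(path, "read-only" if ro else "read-write")
```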

Now the service can be restarted. Before starting it, let's look at the previous configuration:

[root@k8s ~]# kubectl exec mysql-pod -it -- /bin/bash
root@mysql-pod:/# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show variables like '%char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | latin1                     |
| character_set_connection | latin1                     |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | latin1                     |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

Start again with the new configuration; first check the contents of the mysql-config we defined:

[root@k8s yaml-demo]# kubectl apply -f mysql-pod-ConfigMap.yaml 
pod/mysql-pod-configmap created
configmap/mysql-config unchanged
[root@k8s yaml-demo]# kubectl describe cm mysql-config
Name:         mysql-config
Namespace:    default
Labels:       <none>
Annotations:  <none>
Data
====
mysql.cnf:
----
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
init-connect='SET NAMES utf8mb4'
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
BinaryData
====
Events:  <none>

Because we changed the MySQL container's configuration file through the ConfigMap, the character sets of the MySQL container started from this configuration should all be UTF-8 (utf8mb4), and indeed they are:

[root@k8s yaml-demo]# kubectl get pod
NAME                  READY   STATUS    RESTARTS   AGE
mysql-pod-configmap   1/1     Running   0          2m14s
[root@k8s yaml-demo]# kubectl exec mysql-pod-configmap -it -- /bin/bash
root@mysql-pod-configmap:/# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show variables like '%char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8mb4                    |
| character_set_connection | utf8mb4                    |
| character_set_database   | utf8mb4                    |
| character_set_filesystem | binary                     |
| character_set_results    | utf8mb4                    |
| character_set_server     | utf8mb4                    |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

Next, use the ConfigMap's edit function to change the contents of mysql-config and check whether the container's configuration was updated dynamically:

[root@k8s yaml-demo]# kubectl edit cm mysql-config
configmap/mysql-config edited
Add a comment, for example:
# this is a new comment
[root@k8s yaml-demo]# kubectl exec mysql-pod-configmap -it -- /bin/bash
root@mysql-pod-configmap:/# cat /etc/mysql/conf.d/mysql.cnf 
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
init-connect='SET NAMES utf8mb4'
# this is a new comment
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4

Secret

Reference documentation:

k8s - Secret
k8s - managing Secrets with kubectl
k8s - Secret spec
Alibaba Cloud - application configuration management

The counterpart of Docker Secrets in Docker.

  • A Secret is an object for holding confidential data, typically passwords, tokens or keys.
  • The data field holds base64-encoded values (encoding, not encryption); plaintext is not allowed there.
  • stringData holds unencoded strings.
  • Using a Secret means you do not have to embed confidential data in application code, which reduces the risk of leaking it (passwords, for example).
  • A Secret can be consumed as environment variables, command-line arguments or files in a volume.

Using a Secret

Again, copy the file above as mysql-pod-ConfigMap-Secret.yaml and change the name.

Because a Secret stores base64-encoded data and plaintext is not allowed, encode the MySQL password before writing the configuration:

# base64 encode
echo -n '123456' | base64
# base64 decode
echo 'MTIzNDU2' | base64 --decode
-n suppresses the trailing newline that echo would otherwise add
Without -n:
[root@k8s yaml-demo]# echo '123456' | base64
MTIzNDU2Cg==
[root@k8s yaml-demo]# echo 'Cg==' | base64 --decode
[root@k8s yaml-demo]# 
[root@k8s yaml-demo]# echo '1234567' | base64
MTIzNDU2Nwo=
[root@k8s yaml-demo]# echo -n '1234567' | base64
MTIzNDU2Nw==
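The following is an added example in Python, not code from the original post: it reproduces the base64 step above, rejecting the trailing newline that a plain echo adds, builds the mysql-password manifest with either data or stringData, and decodes a manifest back the way anyone allowed to run kubectl get secret -o yaml can; the function names are my own.

```python
import base64

def encode_value(value):
    """base64 for a Secret data field. A trailing newline is rejected: that is
    the `echo '123456' | base64` mistake (MTIzNDU2Cg==), which would hand MySQL
    the string 123456 plus a newline as its root password."""
    if value.endswith("\n"):
        raise ValueError("value ends with a newline; use echo -n or strip it")
    return base64.b64encode(value.encode()).decode()

def decode_value(encoded):
    """Reverse of encode_value; validate=True rejects non-base64 input."""
    return base64.b64decode(encoded, validate=True).decode()

def secret_manifest(name, values, use_string_data=False):
    """Build an Opaque Secret. With stringData the API server does the encoding;
    with data the manifest must carry the base64 form itself."""
    if use_string_data:
        body = dict(values)
    else:
        body = {k: encode_value(v) for k, v in values.items()}
    field = "stringData" if use_string_data else "data"
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, field: body}

def reveal(manifest):
    """What anyone allowed to `kubectl get secret -o yaml` reads in the clear:
    base64 is encoding, not encryption."""
    out = {k: decode_value(v) for k, v in manifest.get("data", {}).items()}
    out.update(manifest.get("stringData", {}))
    return out

if __name__ == "__main__":
    m = secret_manifest("mysql-password", {"PASSWORD": "123456"})
    print(m["data"]["PASSWORD"])   # MTIzNDU2, as in the post
    print(reveal(m))               # {'PASSWORD': '123456'}
```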

Then add the Secret configuration following the official documentation; only the name and the corresponding PASSWORD need changing.

USER_NAME does not need encoding here and is not kept in the Secret.

Secret configuration example

apiVersion: v1
kind: Secret
metadata:
  name: mysql-password
type: Opaque
data:
  PASSWORD: MTIzNDU2

Then modify the container's MySQL settings:

replace the original value line of the MySQL password with the valueFrom block below

apiVersion: v1
kind: Secret
metadata:
  name: mysql-password
type: Opaque
data:
  PASSWORD: MTIzNDU2
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-secret
  labels:
    app: mysql
spec:
  containers:
    - name: mysql
      image: mysql:5.7
      env:
        - name: MYSQL_ROOT_PASSWORD
          # value: "123456"
          valueFrom:
            secretKeyRef:
              name: mysql-password
              key: PASSWORD
              optional: false # this is the default; it means the Secret must already exist
      volumeMounts:
        - mountPath: /var/lib/mysql # directory inside the container
          name: data-volume
        - mountPath: /etc/mysql/conf.d
          name: conf-volume
          readOnly: true
  volumes:
    # inject the ConfigMap
    - name: conf-volume
      configMap:
        name: mysql-config
    - name: data-volume
      hostPath:
        # directory location on host
        path: /home/mysql/data
        # this field is optional
        type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  # contents of the conf.d configuration go here
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4

Start it; logging in with 123456 succeeds:

[root@k8s yaml-demo]# kubectl apply -f mysql-pod-ConfigMap-Secret.yaml 
secret/mysql-password created
pod/mysql-pod-secret created
configmap/mysql-config configured
[root@k8s yaml-demo]# kubectl get pod
NAME               READY   STATUS    RESTARTS   AGE
mysql-pod-secret   1/1     Running   0          11s
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit

Looking at the Secret, describe does not display the encoded data, but anyone with permission to run edit or get on it can view it in the clear:

[root@k8s yaml-demo]# kubectl describe secret/mysql-password
Name:         mysql-password
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
PASSWORD:  6 bytes
[root@k8s yaml-demo]# kubectl get secret mysql-password -o yaml
apiVersion: v1
data:
  PASSWORD: MTIzNDU2
kind: Secret
metadata:
  creationTimestamp: "2022-12-14T12:58:57Z"
  name: mysql-password
  namespace: default
  resourceVersion: "24646"
  uid: f9acb285-812a-4c58-bbc2-048de72980bd
type: Opaque
[root@k8s yaml-demo]# kubectl edit secret/mysql-password
Edit cancelled, no changes made.

Note: when a Secret is used through environment variables,

  • after the Secret is modified with edit, the environment variables do not change automatically. Never do this; it leaves the password impossible to change.
  • restarting directly from the yaml does not work either.

You have to delete the original Pod, upload the new yaml, and then start a new Pod.

If the yaml is modified while the Secret and ConfigMap are still running, k8s generates a yaml of its own on the host, and the password never changes.
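The following added example (Python, not code from the original post) models why an edited Secret does not reach the running Pod: secretKeyRef values are resolved once when the container starts, so it snapshots them and compares the snapshot with the Secret as it is now; the container and Secret dicts are constructed from the post's manifests and the function names are assumptions.

```python
import base64

def resolve_env(container, secrets):
    """Resolve a container's env list to {NAME: value}. secretKeyRef entries
    are read from the given Secrets (base64 data); a missing reference is an
    error unless the ref is marked optional, matching the manifest's comment."""
    env = {}
    for e in container.get("env", []):
        if "value" in e:
            env[e["name"]] = e["value"]
            continue
        ref = e["valueFrom"]["secretKeyRef"]
        data = secrets.get(ref["name"], {}).get("data", {})
        if ref["key"] not in data:
            if ref.get("optional", False):
                continue  # optional: the variable is simply left unset
            raise KeyError(f"secret {ref['name']}/{ref['key']} not found")
        env[e["name"]] = base64.b64decode(data[ref["key"]]).decode()
    return env

def stale_env(started_with, container, secrets_now):
    """Names whose value at container start differs from what the current
    Secret resolves to. A non-empty list means the Pod has to be recreated
    (delete, then apply); editing the Secret alone changes nothing inside it."""
    current = resolve_env(container, secrets_now)
    return sorted(n for n, v in started_with.items() if current.get(n) != v)

# Constructed from the post: the mysql container's env with secretKeyRef
MYSQL_CONTAINER = {"name": "mysql", "env": [{"name": "MYSQL_ROOT_PASSWORD",
    "valueFrom": {"secretKeyRef": {"name": "mysql-password",
                                   "key": "PASSWORD", "optional": False}}}]}
SECRET_AT_START = {"mysql-password": {"data": {"PASSWORD": "MTIzNDU2"}}}      # 123456
SECRET_AFTER_EDIT = {"mysql-password": {"data": {"PASSWORD": "MTIzNDU2Nw=="}}}  # 1234567

if __name__ == "__main__":
    snapshot = resolve_env(MYSQL_CONTAINER, SECRET_AT_START)  # what the Pod started with
    print(stale_env(snapshot, MYSQL_CONTAINER, SECRET_AFTER_EDIT))  # ['MYSQL_ROOT_PASSWORD']
```

The data directory matters here too: the official mysql image applies MYSQL_ROOT_PASSWORD only when it initialises an empty data directory, so a Pod that reuses /home/mysql/data keeps whatever root password was set at first initialisation, whichever value the Secret holds.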

A few things to note

  • If you delete the Pod directly, the Secret and ConfigMap you created are still there
  • While the Secret and Pod are running, do not modify the yaml and do not edit the Secret

[root@k8s yaml-demo]# kubectl delete pod mysql-pod-secret
pod "mysql-pod-secret" deleted
[root@k8s yaml-demo]# kubectl get secret
NAME             TYPE     DATA   AGE
mysql-password   Opaque   1      7m1s
[root@k8s yaml-demo]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      6d1h
mysql-config       1      8m7s

First the correct workflow: delete, then modify the yaml, then start:

kubectl delete pod mysql-pod-secret
kubectl delete secret mysql-password
kubectl delete cm mysql-config
vim mysql-pod-ConfigMap-Secret.yaml 
kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
At this point the following usually appears: the container is still pulling the image, the same as when the container was started for the first time:
[root@k8s yaml]# kubectl exec mysql-pod-secret -it -- /bin/bash
error: unable to upgrade connection: container not found ("mysql")

If you want to use replace, it has to be a newly created yaml; do not modify the original yaml directly:

kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
vim mysql-pod-ConfigMap-Secrets.yaml 
kubectl replace --force -f mysql-pod-ConfigMap-Secrets.yaml

Failure case 1: editing directly, which makes the Secret impossible to change

Change the MySQL password from 123456 to 1234567 with edit; the running container is not updated dynamically.

As with the ConfigMap, the yaml file is not changed either:

[root@k8s yaml-demo]# echo -n '1234567' | base64
MTIzNDU2Nw==
[root@k8s yaml-demo]# kubectl edit secret/mysql-password
secret/mysql-password edited
PASSWORD: MTIzNDU2
changed to
PASSWORD: MTIzNDU2Nw==
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Failure case 2: modifying the original yaml and restarting with replace

Do not try this on top of failure case 1, because failure case 1 has already made the password impossible to change.

We restart the Pod. Since we started it from a yaml, after modifying the yaml we run kubectl replace --force -f xxx.yaml to forcibly replace the Pod's API object, which restarts it.

If the change is made in the original yaml, the password ends up as root directly; if a newly created yaml is used, the password is changed successfully.

We find that MySQL can now only be logged into with root:

[root@k8s yaml-demo]# kubectl replace --force -f mysql-pod-ConfigMap-Secret.yaml 
secret "mysql-password" deleted
pod "mysql-pod-secret" deleted
configmap "mysql-config" deleted
secret/mysql-password replaced
pod/mysql-pod-secret replaced
configmap/mysql-config replaced
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>

Success case 1: delete, modify, start

Delete first, then modify and start.

[root@k8s yaml-demo]# kubectl delete pod mysql-pod-secret
pod "mysql-pod-secret" deleted
[root@k8s yaml-demo]# kubectl delete secret mysql-password
secret "mysql-password" deleted
[root@k8s yaml-demo]# kubectl delete cm mysql-config
configmap "mysql-config" deleted
[root@k8s yaml-demo]# kubectl apply -f mysql-pod-ConfigMap-Secret.yaml 
secret/mysql-password created
pod/mysql-pod-secret created
configmap/mysql-config created
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
error: unable to upgrade connection: container not found ("mysql")
root@mysql-pod-secret:/# mysql -uroot -p1234567
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>

Success case 2: create a new file and replace

Create a new yaml file, mysql-pod-ConfigMap-Secrets.yaml, changing only the password from root to 123456:

[root@k8s yaml]# kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
secret/mysql-password created
pod/mysql-pod-secret created
configmap/mysql-config created
[root@k8s yaml]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit;
Bye
root@mysql-pod-secret:/# exit;
exit
[root@k8s yaml]# kubectl replace --force -f mysql-pod-ConfigMap-Secrets.yaml 
secret "mysql-password" deleted
pod "mysql-pod-secret" deleted
configmap "mysql-config" deleted
secret/mysql-password replaced
pod/mysql-pod-secret replaced
configmap/mysql-config replaced
[root@k8s yaml]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
root@mysql-pod-secret:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit;
Bye
root@mysql-pod-secret:/# exit;
exit