ConfigMap and Secret
Reference documentation:
https://kubernetes.io/zh-cn/docs/concepts/configuration/
https://kubernetes.io/zh-cn/docs/concepts/configuration/configmap/
https://kubernetes.io/zh-cn/docs/concepts/configuration/secret/
https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/
ConfigMap
With Docker and nginx we usually bind-mount configuration files into the container.
In a Kubernetes cluster a container may be scheduled onto any node, so configuration files must be accessible, distributable and updatable on every node of the cluster.
A ConfigMap does what its name says:
- when the configuration file on the host is modified, the corresponding file in the container is modified too
- it works like a configuration center such as Nacos in a microservice setup
- it must not exceed 1MB, so it is not suitable for storing data; use it to map simple configuration files
- beyond that limit, consider mounting a storage volume or accessing a file storage service instead
ConfigMap usage
Workflow
- define the ConfigMap
- inject it with volumes
- bind the injected volume name to a path in the container
First create a file mysql-pod-ConfigMap.yaml by copying the earlier MySQL container definition and changing only the pod name.
Then adapt the example from the official documentation and add it to the mysql container configuration:
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  # the conf.d configuration goes here
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4
Add it to mysql-pod-ConfigMap.yaml; note that the two documents are separated by ---:
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-configmap
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: "123456"
    volumeMounts:
    - mountPath: /var/lib/mysql   # directory inside the container
      name: data-volume
  volumes:
  - name: data-volume
    hostPath:
      # directory location on host
      path: /home/mysql/data
      # this field is optional
      type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  # the conf.d configuration goes here
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4
The official documentation likewise shows that the configuration file is injected through a volume,
so add a volumeMounts entry that binds this volume to /etc/mysql/conf.d in the container (that directory can be seen inside the mysql container):
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-configmap
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: "123456"
    volumeMounts:
    - mountPath: /var/lib/mysql
      name: data-volume
    - mountPath: /etc/mysql/conf.d
      name: conf-volume
      readOnly: true
  volumes:
  - name: conf-volume
    configMap:
      name: mysql-config
  - name: data-volume
    hostPath:
      # directory location on host
      path: /home/mysql/data
      # this field is optional
      type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4
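As an added example (not code from the original post or from Kubernetes itself), the POSIX shell function below builds a ConfigMap manifest of exactly the shape used above from a local file, and refuses files over the 1MB limit mentioned earlier. The file's basename becomes the data key, which is also what kubectl create configmap --from-file does. The mysql.cnf it writes to a temporary directory is constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example: generate a ConfigMap manifest from a file, laid out like the
# mysql.cnf block above, with the size limit checked first.
# Needs only POSIX sh, wc, sed, basename and printf (no kubectl).
set -e

CONFIGMAP_LIMIT_BYTES=1048576   # 1 MiB: the ConfigMap data size limit

# configmap_from_file NAME FILE
# Prints a ConfigMap manifest whose single key is FILE's basename and whose
# value is the file content as a literal block scalar ("key: |").
# Returns 1 and prints nothing on stdout if FILE is larger than the limit.
configmap_from_file() {
    name=$1
    file=$2
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$CONFIGMAP_LIMIT_BYTES" ]; then
        echo "refusing $file: $size bytes exceeds the ${CONFIGMAP_LIMIT_BYTES}-byte ConfigMap limit" >&2
        return 1
    fi
    key=$(basename "$file")
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n  %s: |\n' "$name" "$key"
    # Indent every line by four spaces so it nests under the block scalar.
    sed 's/^/    /' "$file"
}

# --- constructed sample input (not from the original post) -----------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/mysql.cnf" <<'EOF'
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
init-connect='SET NAMES utf8mb4'
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
EOF

# Produces the same manifest as the mysql-config object on this page.
demo_manifest() {
    configmap_from_file mysql-config "$workdir/mysql.cnf"
}

# Shows the guard firing: a file one byte over the limit must be rejected.
oversize_rejected() {
    head -c $((CONFIGMAP_LIMIT_BYTES + 1)) /dev/zero > "$workdir/big.cnf"
    if configmap_from_file too-big "$workdir/big.cnf" > /dev/null 2>&1; then
        return 1   # accepted an oversize file: wrong
    fi
    return 0
}

demo_manifest
```

Pipe the output into kubectl apply -f - to create the object, or run oversize_rejected to see the limit check in action.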
Now the service can be restarted; before starting it, let us look at the previous configuration:
[root@k8s ~]# kubectl exec mysql-pod -it -- /bin/bash
root@mysql-pod:/# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like '%char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | latin1                     |
| character_set_connection | latin1                     |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | latin1                     |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)
Restart with the new configuration; first check the content of the mysql-config we defined:
[root@k8s yaml-demo]# kubectl apply -f mysql-pod-ConfigMap.yaml
pod/mysql-pod-configmap created
configmap/mysql-config unchanged
[root@k8s yaml-demo]# kubectl describe cm mysql-config
Name:         mysql-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
mysql.cnf:
----
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
init-connect='SET NAMES utf8mb4'
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4

BinaryData
====

Events:  <none>
Because we changed the mysql container's configuration file through the ConfigMap,
the mysql started from this configuration should use utf-8 throughout, and indeed it does:
[root@k8s yaml-demo]# kubectl get pod
NAME                  READY   STATUS    RESTARTS   AGE
mysql-pod-configmap   1/1     Running   0          2m14s
[root@k8s yaml-demo]# kubectl exec mysql-pod-configmap -it -- /bin/bash
root@mysql-pod-configmap:/# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like '%char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8mb4                    |
| character_set_connection | utf8mb4                    |
| character_set_database   | utf8mb4                    |
| character_set_filesystem | binary                     |
| character_set_results    | utf8mb4                    |
| character_set_server     | utf8mb4                    |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)
Next we can use the ConfigMap's edit capability: modify the content of mysql-config, then check whether the container's configuration was updated dynamically:
[root@k8s yaml-demo]# kubectl edit cm mysql-config
configmap/mysql-config edited
(for example, add a comment line: # this is a new comment)
[root@k8s yaml-demo]# kubectl exec mysql-pod-configmap -it -- /bin/bash
root@mysql-pod-configmap:/# cat /etc/mysql/conf.d/mysql.cnf
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
init-connect='SET NAMES utf8mb4'
# this is a new comment
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
Secret
k8s-secret
k8s - managing Secrets with kubectl
k8s-secret-spec
Alibaba Cloud - application configuration management
The counterpart of Docker secrets in Docker.
- A Secret is an object for holding confidential data, typically passwords, tokens or keys.
- The data field stores base64-encoded data; plaintext is not allowed.
- stringData stores unencoded strings.
- A Secret means you do not need to include confidential data in application code, reducing the risk of leaking secrets such as passwords.
- A Secret can be used as an environment variable, a command-line argument, or a file in a storage volume.
Secret usage
Again copy the file above, name it mysql-pod-ConfigMap-Secret.yaml,
and change the name.
Because a Secret stores base64-encoded data and plaintext is not allowed,
encode the MySQL password before putting it in the configuration:
# base64 encode
echo -n '123456' | base64
# base64 decode
echo 'MTIzNDU2' | base64 --decode
-n tells echo to omit the trailing newline. Without -n:
[root@k8s yaml-demo]# echo '123456' | base64
MTIzNDU2Cg==
[root@k8s yaml-demo]# echo 'Cg==' | base64 --decode

[root@k8s yaml-demo]#
[root@k8s yaml-demo]# echo '1234567' | base64
MTIzNDU2Nwo=
[root@k8s yaml-demo]# echo -n '1234567' | base64
MTIzNDU2Nw==
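As an added example (not code from the original post), these POSIX shell functions make the -n point above mechanical: encode a value without the newline that plain echo appends, detect an already-encoded value that carries a stray trailing newline (the MTIzNDU2Cg== case shown above, which would make MySQL expect a password ending in a line feed), and emit the Secret either with a base64 data field or with stringData, which the API server encodes on write. base64 is an encoding, not encryption, so the resulting manifest is as sensitive as the plaintext password. Function names and the lint helper are my own; the values are the ones used on this page.

```shell
#!/bin/sh
# Added example: correct base64 handling for Secret values.
# Uses only POSIX sh plus coreutils base64, tail, od, tr and sed.
set -e

# secret_value_b64 VALUE
# printf '%s' writes VALUE with no trailing newline, unlike echo.
# (GNU coreutils wraps output at 76 columns; add -w0 there for long values.)
secret_value_b64() {
    printf '%s' "$1" | base64
}

# b64_has_trailing_newline B64VALUE
# Returns 0 if the decoded bytes end in "\n", which is what you get when the
# value was produced with echo instead of echo -n or printf.
b64_has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# secret_manifest_data NAME KEY VALUE
# Opaque Secret with a base64 'data' field, as on this page.
secret_manifest_data() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$1" "$2" "$(secret_value_b64 "$3")"
}

# secret_manifest_stringdata NAME KEY VALUE
# The same Secret via 'stringData': plaintext in the manifest, encoded by the
# API server when the object is stored.
secret_manifest_stringdata() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n  %s: "%s"\n' \
        "$1" "$2" "$3"
}

# lint_secret_data_values MANIFEST_TEXT
# Scans the 'key: base64' lines under data: and reports values whose decoded
# form ends in a newline. Returns 1 if any are found. This is a line-based
# check for the one-key-per-line layout used on this page, not a YAML parser.
lint_secret_data_values() {
    bad=0
    for b64 in $(printf '%s\n' "$1" | sed -n '/^data:/,/^[^ ]/s/^  [^:]*: *//p'); do
        if b64_has_trailing_newline "$b64"; then
            echo "value $b64 decodes to a string ending in a newline" >&2
            bad=1
        fi
    done
    return $bad
}

# Demo with the constructed password from this page's example.
secret_manifest_data mysql-password PASSWORD 123456
```

Run lint_secret_data_values "$(kubectl get secret mysql-password -o yaml)" against a live object to catch a value that was encoded with echo before it reaches the container.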
Then add the Secret configuration following the official documentation, changing only the name and the PASSWORD value.
USER_NAME does not need to be encoded here and is not kept in the Secret:
apiVersion: v1
kind: Secret
metadata:
  name: mysql-password
type: Opaque
data:
  PASSWORD: MTIzNDU2
Then modify the container's mysql settings,
replacing the original mysql password value with the content below:
apiVersion: v1
kind: Secret
metadata:
  name: mysql-password
type: Opaque
data:
  PASSWORD: MTIzNDU2
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-secret
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      # value: "123456"
      valueFrom:
        secretKeyRef:
          name: mysql-password
          key: PASSWORD
          optional: false   # this is the default; it means the Secret must already exist
    volumeMounts:
    - mountPath: /var/lib/mysql   # directory inside the container
      name: data-volume
    - mountPath: /etc/mysql/conf.d
      name: conf-volume
      readOnly: true
  volumes:
  # inject the ConfigMap
  - name: conf-volume
    configMap:
      name: mysql-config
  - name: data-volume
    hostPath:
      # directory location on host
      path: /home/mysql/data
      # this field is optional
      type: DirectoryOrCreate
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-config
data:
  # the conf.d configuration goes here
  mysql.cnf: |
    [mysqld]
    character-set-server=utf8mb4
    collation-server=utf8mb4_general_ci
    init-connect='SET NAMES utf8mb4'
    [client]
    default-character-set=utf8mb4
    [mysql]
    default-character-set=utf8mb4
Start it; logging in with 123456 succeeds:
[root@k8s yaml-demo]# kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
secret/mysql-password created
pod/mysql-pod-secret created
configmap/mysql-config configured
[root@k8s yaml-demo]# kubectl get pod
NAME               READY   STATUS    RESTARTS   AGE
mysql-pod-secret   1/1     Running   0          11s
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Inspect the Secret: describe does not display the encoded data, but edit and get, given the permission, show it in plaintext:
[root@k8s yaml-demo]# kubectl describe secret/mysql-password
Name:         mysql-password
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
PASSWORD:  6 bytes
[root@k8s yaml-demo]# kubectl get secret mysql-password -o yaml
apiVersion: v1
data:
  PASSWORD: MTIzNDU2
kind: Secret
metadata:
  creationTimestamp: "2022-12-14T12:58:57Z"
  name: mysql-password
  namespace: default
  resourceVersion: "24646"
  uid: f9acb285-812a-4c58-bbc2-048de72980bd
type: Opaque
[root@k8s yaml-demo]# kubectl edit secret/mysql-password
Edit cancelled, no changes made.
Note: when a Secret is consumed as an environment variable,
- after the Secret is modified with edit, the environment variable is not updated automatically. Never do this; it leaves the password permanently unchangeable.
- restarting directly from the yaml does not work either.
You must delete the original pod, upload the new yaml, and then start a new pod.
If you modify the yaml while the Secret and ConfigMap are still running, k8s generates a yaml of its own on the host,
which keeps the password unchanged.
A few things to note
- if you delete the pod directly, the Secret and ConfigMap you created are still there
- while the Secret and pod are running, do not modify the yaml and do not edit the Secret
[root@k8s yaml-demo]# kubectl delete pod mysql-pod-secret
pod "mysql-pod-secret" deleted
[root@k8s yaml-demo]# kubectl get secret
NAME             TYPE     DATA   AGE
mysql-password   Opaque   1      7m1s
[root@k8s yaml-demo]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      6d1h
mysql-config       1      8m7s
First, the correct procedure: delete, then modify the yaml, then start:
kubectl delete pod mysql-pod-secret
kubectl delete secret mysql-password
kubectl delete cm mysql-config
vim mysql-pod-ConfigMap-Secret.yaml
kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
When you start at this point you usually see the following; the container is still pulling its image, exactly as when a container starts for the first time:
[root@k8s yaml]# kubectl exec mysql-pod-secret -it -- /bin/bash
error: unable to upgrade connection: container not found ("mysql")
If you want to use replace instead, it must be with a newly created yaml; do not modify the original yaml directly:
kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
vim mysql-pod-ConfigMap-Secrets.yaml
kubectl replace --force -f mysql-pod-ConfigMap-Secrets.yaml
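As an added example (not from the original post), the delete-then-apply sequence just described, wrapped in a POSIX shell function that also waits for the container to become Ready instead of exec'ing immediately and hitting the "container not found" error shown above. It uses the manifest and object names from this page; kubectl's --ignore-not-found and wait --for=condition=Ready are standard options, while the function name and the KUBECTL override used for dry runs are my own. The ConfigMap is not deleted separately because kubectl apply updates it in place, as the configmap/mysql-config configured line earlier shows.

```shell
#!/bin/sh
# Added example: delete -> apply -> wait, the order the text above requires
# when a Secret consumed as an environment variable has to change.
# Set KUBECTL=echo to print the commands instead of running them.
set -e
KUBECTL=${KUBECTL:-kubectl}

# redeploy_with_new_secret MANIFEST POD SECRET [TIMEOUT]
redeploy_with_new_secret() {
    manifest=$1
    pod=$2
    secret=$3
    timeout=${4:-120s}
    # 1. The pod goes first: its environment was captured at container start,
    #    so no edit of the Secret can reach the running mysqld.
    $KUBECTL delete pod "$pod" --ignore-not-found
    # 2. Remove the old Secret so the apply below creates a fresh object
    #    rather than leaving a stale one behind.
    $KUBECTL delete secret "$secret" --ignore-not-found
    # 3. Apply the edited manifest (Secret, Pod and ConfigMap in one file).
    $KUBECTL apply -f "$manifest"
    # 4. Wait for Ready instead of exec'ing at once, which is what produced
    #    'container not found ("mysql")' while the image was still pulling.
    $KUBECTL wait --for=condition=Ready "pod/$pod" --timeout="$timeout"
}

# dry_run_commands: prints the kubectl command lines that would run, one per
# line, using this page's manifest and object names.
dry_run_commands() {
    saved=$KUBECTL
    KUBECTL=echo
    redeploy_with_new_secret mysql-pod-ConfigMap-Secret.yaml mysql-pod-secret mysql-password
    KUBECTL=$saved
}

case "${1:-}" in
    run)     redeploy_with_new_secret mysql-pod-ConfigMap-Secret.yaml mysql-pod-secret mysql-password ;;
    dry-run) dry_run_commands ;;
esac
```

Invoke the script with dry-run to review the command sequence, or with run to execute it against the cluster after editing the manifest.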
Failure case 1: editing directly, which leaves the Secret permanently unchangeable
Change the mysql password from 123456 to 1234567 and apply it with edit; the change is not picked up dynamically.
As with the configmap, the yaml file is not modified either:
[root@k8s yaml-demo]# echo -n '1234567' | base64
MTIzNDU2Nw==
[root@k8s yaml-demo]# kubectl edit secret/mysql-password
secret/mysql-password edited
(change PASSWORD: MTIzNDU2 to PASSWORD: MTIzNDU2Nw==)
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Failure case 2: modifying the original yaml and restarting with replace
Do not try this on top of failure case 1, because that case has already made the password unchangeable.
We restart the pod; since we started it from yaml,
after modifying the yaml we use kubectl replace --force -f xxx.yaml to force-replace the Pod API object and thereby restart it.
If the original yaml is modified here, the password becomes root outright;
if you start from a newly created yaml instead, the password is changed successfully.
We find that mysql now only accepts root for login:
[root@k8s yaml-demo]# kubectl replace --force -f mysql-pod-ConfigMap-Secret.yaml
secret "mysql-password" deleted
pod "mysql-pod-secret" deleted
configmap "mysql-config" deleted
secret/mysql-password replaced
pod/mysql-pod-secret replaced
configmap/mysql-config replaced
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Success case 1: delete, modify, start
Delete first, then modify and start:
[root@k8s yaml-demo]# kubectl delete pod mysql-pod-secret
pod "mysql-pod-secret" deleted
[root@k8s yaml-demo]# kubectl delete secret mysql-password
secret "mysql-password" deleted
[root@k8s yaml-demo]# kubectl delete cm mysql-config
configmap "mysql-config" deleted
[root@k8s yaml-demo]# kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
secret/mysql-password created
pod/mysql-pod-secret created
configmap/mysql-config created
[root@k8s yaml-demo]# kubectl exec mysql-pod-secret -it -- /bin/bash
error: unable to upgrade connection: container not found ("mysql")
root@mysql-pod-secret:/# mysql -uroot -p1234567
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Success case 2: create a new file, replace
Create a new yaml file, mysql-pod-ConfigMap-Secrets.yaml, changing only the password from root to 123456:
[root@k8s yaml]# kubectl apply -f mysql-pod-ConfigMap-Secret.yaml
secret/mysql-password created
pod/mysql-pod-secret created
configmap/mysql-config created
[root@k8s yaml]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit;
Bye
root@mysql-pod-secret:/# exit;
exit
[root@k8s yaml]# kubectl replace --force -f mysql-pod-ConfigMap-Secrets.yaml
secret "mysql-password" deleted
pod "mysql-pod-secret" deleted
configmap "mysql-config" deleted
secret/mysql-password replaced
pod/mysql-pod-secret replaced
configmap/mysql-config replaced
[root@k8s yaml]# kubectl exec mysql-pod-secret -it -- /bin/bash
root@mysql-pod-secret:/# mysql -uroot -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
root@mysql-pod-secret:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit;
Bye
root@mysql-pod-secret:/# exit;
exit