Hot-updating a Secret:
Edit the Secret manifest above, add a password5 key, then apply the Secret file again. The nginx pod does not need to be restarted: an extra password5 file simply appears in the mounted directory.
[root@k8s-master wd]# cat test-secret.yaml
apiVersion: v1
data:
  password1: TXlQQHNzMTIz
  password2: MTIzNDU2
  password3: NDU2Nzg5
stringData:
  password4: qwerty
  password5: 324dfe3432423
kind: Secret
metadata:
  name: mysql-root-password
# edit the Secret file as above, then apply it
[root@k8s-master wd]# k apply -f test-secret.yaml
secret/mysql-root-password configured

root@nginx-85cf9f64ff-tljmd:/# ls -al /opt/
total 0
drwxrwxrwt 3 root root 180 Oct  7 12:36 .
drwxr-xr-x 1 root root  51 Oct  7 10:16 ..
drwxr-xr-x 2 root root 140 Oct  7 12:36 ..2022_10_07_12_36_50.416957405
lrwxrwxrwx 1 root root  31 Oct  7 12:36 ..data -> ..2022_10_07_12_36_50.416957405
lrwxrwxrwx 1 root root  16 Oct  7 10:16 password1 -> ..data/password1
lrwxrwxrwx 1 root root  16 Oct  7 10:16 password2 -> ..data/password2
lrwxrwxrwx 1 root root  16 Oct  7 10:16 password3 -> ..data/password3
lrwxrwxrwx 1 root root  16 Oct  7 12:00 password4 -> ..data/password4
lrwxrwxrwx 1 root root  16 Oct  7 12:36 password5 -> ..data/password5
2) Mounting a Secret as environment variables
Modify the nginx Deployment manifest from above:
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.20
        name: nginx
        env:
        - name: PASSWORD1
          valueFrom:
            secretKeyRef:
              name: mysql-root-password
              key: password1
        - name: PASSWORD5
          valueFrom:
            secretKeyRef:
              name: mysql-root-password
              key: password5
After re-applying this Deployment the pod is recreated and its name changes, so look up the new pod name, exec into it and print the value of the PASSWORD1 variable:
[root@k8s-master wd]# k get po
NAME                    READY   STATUS    RESTARTS   AGE
nginx-5cd897998-rm4kv   1/1     Running   0          87s
[root@k8s-master wd]# k exec -it nginx-5cd897998-rm4kv -- /bin/bash
root@nginx-5cd897998-rm4kv:/# echo $PASSWORD1
MyP@ss123
OK, the environment variable took effect inside the pod and the correct value was printed. Can a key defined under stringData be printed as well? Yes, it can. But in this form the Secret can no longer be hot-updated: when a Secret is referenced through environment variables, a change to the Secret is not automatically propagated into the pod's variables.
[root@k8s-master wd]# k exec -it nginx-cb84ddc9-lvz4k -- /bin/bash
root@nginx-cb84ddc9-lvz4k:/# echo $PASSWORD5
324dfe3432423
3) Referencing a dedicated Secret for a private Docker registry
Method one:
Assume the local Docker registry is already installed and working. Whether it is Harbor or a private registry built from the official image, the Docker client keeps a configuration file for it; here that file is assumed to be named config.json.
[root@ip-172-31-10-110 ~]# base64 -w 0 ~/.docker/config.json
ewoJImF1dGhjNWdlpHVnVaenB5Wld4aFFFeFdUa2xCVGtBeU1ERTMiCgkJfSwKCQkidXJlZy5rOHMueXVud2VpLnJlbGEubWUiOiB7CgkJCSJhdXRoIjogIloyRnZaM1Z2WkdWdVp6cHlaV3hoUUV4V1RrbEJUa0F5TURFMyIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDYuMS1jZSAobGludXgpIgoJfQp9
Create the Secret, putting that base64 string under the .dockerconfigjson key:
### vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: regsecret
  namespace: default
data:
  .dockerconfigjson: ewoJImF1dGhjNWdlpHVnVaenB5Wld4aFFFeFdUa2xCVGtBeU1ERTMiCgkJfSwKCQkidXJlZy5rOHMueXVud2VpLnJlbGEubWUiOiB7CgkJCSJhdXRoIjogIloyRnZaM1Z2WkdWdVp6cHlaV3hoUUV4V1RrbEJUa0F5TURFMyIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDYuMS1jZSAobGludXgpIgoJfQp9
type: kubernetes.io/dockerconfigjson
Reference this Secret in the pod spec (imagePullSecrets) so it is used when the image is pulled:
[root@ip-172-31-10-110 ~]# vim test.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: dentestreplce
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: dentestreplace
    spec:
      containers:
      - name: dentestreplace
        imagePullPolicy: Always
        image: ureg.k8s.test.com/rela_dev/logreport:latest
      imagePullSecrets:
      - name: regsecret
Method two:
Create the Secret with a kubectl command:
kubectl create secret docker-registry regsecret --docker-server=ureg.k8s.test.com --docker-username=lvnian --docker-password=LVNIAN@2017 --docker-email=lvnian@rela.me
regsecret: the name of the Secret; choose it freely
--docker-server: the registry address
--docker-username: the registry account
--docker-password: the registry password
--docker-email: the e-mail address
-n: the namespace; the Secret is created in that namespace and can only be used by pods in that namespace
A Secret generated on the command line is referenced exactly the same way as the one created from the file above, so there is nothing more to add.
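As an added example (not the post's own code), the Python below builds the same kubernetes.io/dockerconfigjson Secret that the kubectl create secret docker-registry command produces, and decodes a Secret's data and stringData keys into the plain-text view the pod gets as files or environment variables (the test-secret.yaml values above). The registry, account and password used are constructed placeholders, not the ones from the post.

```python
import base64
import json


def b64(text: str) -> str:
    """base64 is encoding, not encryption: anyone who can read the Secret can reverse it."""
    return base64.b64encode(text.encode()).decode()


def docker_registry_secret(name, server, username, password, email, namespace="default"):
    """Build the manifest that `kubectl create secret docker-registry` generates.

    .dockerconfigjson is base64 of a Docker config.json, whose per-registry
    'auth' field is itself base64("username:password").
    """
    config = {"auths": {server: {
        "username": username,
        "password": password,
        "email": email,
        "auth": b64(f"{username}:{password}"),
    }}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": b64(json.dumps(config))},
    }


def decode_secret(manifest):
    """Plain-text view of a Secret, as a pod sees it via a volume or secretKeyRef.

    'data' values are base64-decoded; 'stringData' values are taken as-is and
    win on a key collision, matching what the API server stores.
    """
    plain = {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}
    plain.update(manifest.get("stringData", {}))
    return plain


def registry_credentials(manifest):
    """Recover (server, username, password) from a dockerconfigjson Secret."""
    config = json.loads(decode_secret(manifest)[".dockerconfigjson"])
    server, entry = next(iter(config["auths"].items()))
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return server, user, password
```

Running decode_secret over test-secret.yaml shows why the volume mount and the env var print the same strings: the pod only ever sees the decoded values, never the encoding.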