• Kubernetes Part 11: Using Secrets


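    Secrets are used much like ConfigMaps and can be consumed in two ways:

    • Expose the Secret to the container process as environment variables.
    • Provide the Secret to the container process through a volume.

    Why do we need Secrets at all?

    As the name suggests, a Secret is used to store data that needs to be kept secret.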

    [root@master01 template]# kubectl create secret
    Create a secret using specified subcommand.
    
    Available Commands:
      docker-registry Create a secret for use with a Docker registry
      generic         Create a secret from a local file, directory or literal value
      tls             Create a TLS secret
    

     

    Example 1: create a generic secret

    kubectl create secret generic nginx-ssl --from-file=ca.key \
      --from-file=ca.cert

    Example 2: create a docker-registry secret

    kubectl create secret docker-registry my-secret --docker-server=192.168.31.112 \
      --docker-username=admin --docker-password=123456 \
      --docker-email=it@aa.com -n test

     

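    Example 3: create a TLS secret

    # generate a 2048-bit RSA private key
    openssl genrsa -out rest.key 2048

    # issue a self-signed certificate for restapi.aa.com
    openssl req -new -x509 -key rest.key -out rest.crt -subj /C=CN/ST=Beijing/L=Biejing/O=DevOpes/CN=restapi.aa.com

    # kubectl create secret tls requires a NAME argument; <secret-name> is a placeholder
    kubectl create secret tls <secret-name> --cert=rest.crt --key=rest.key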

      

    Ways to consume a Secret

    1) As environment variables

    apiVersion: v1
    kind: Pod
    metadata:
      name: secret1-pod
    spec:
      containers:
      - name: secret1
        image: busybox
        command: [ "/bin/sh", "-c", "env" ]
        env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
    
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
    

     

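    Create the Secret with explicit key names so that the keys are username and password, matching the secretKeyRef entries below (without the key= prefix, kubectl uses the file names username.txt and password.txt as keys):

    [root@k8s-master01 ~]# kubectl create secret generic shibo-secret --from-file=username=./username.txt --from-file=password=./password.txt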
    
    
    
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-env-pod
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: shibo-secret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: shibo-secret
                key: password
      restartPolicy: Never
    

      

     

    2) Mounted through a volumeMount

    # under spec.containers[]:
        volumeMounts:
        - mountPath: /home/nginx/nginx/conf/cert/
          name: nginx-ssl
    # under spec:
      volumes:
      - name: nginx-ssl
        secret:
          secretName: nginx-ssl
    
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: data
          mountPath: "/etc/data"
          readOnly: true
      volumes:
      - name: data
        secret:
          secretName: shibo-secret
          items:
          - key: username
            path: my-group/my-username
    
    
    Note that in this case:
    the value of the username key is stored in the file /etc/data/my-group/my-username
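
Both consumption methods depend on the key names in the Secret matching what the Pod references. The following is an added example, not code from the original article: it reproduces how `kubectl create secret generic --from-file=[key=]path` names keys and checks a Pod's `secretKeyRef` entries and secret-volume `items` against them. The function names, the file contents and the combined Pod dictionary are constructed for illustration.

```python
import base64

def from_file_keys(specs):
    """Map key -> path as --from-file=[key=]path does (default key: file basename)."""
    keys = {}
    for spec in specs:
        key, sep, path = spec.partition("=")
        if not sep:
            key, path = spec.rsplit("/", 1)[-1], spec
        keys[key] = path
    return keys

def make_secret(name, specs, contents):
    """Build a Secret manifest; `data` values are base64-encoded, not encrypted."""
    data = {k: base64.b64encode(contents[p].encode()).decode()
            for k, p in from_file_keys(specs).items()}
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name}, "data": data}

def secret_refs(pod):
    """Yield (secret, key, where) for env secretKeyRefs and secret volume items."""
    for c in pod["spec"].get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                yield ref["name"], ref["key"], "env " + env["name"]
    for vol in pod["spec"].get("volumes", []):
        sec = vol.get("secret", {})
        for item in sec.get("items", []):
            yield sec["secretName"], item["key"], "volume " + vol["name"]

def missing_refs(pod, secrets):
    """References whose key is absent from the named Secret."""
    return [r for r in secret_refs(pod)
            if r[1] not in secrets.get(r[0], {}).get("data", {})]

# Constructed sample input: file contents and a Pod combining both methods above.
CONTENTS = {"./username.txt": "admin", "./password.txt": "example-only"}
POD = {"spec": {"containers": [{"name": "mycontainer", "env": [
    {"name": n, "valueFrom": {"secretKeyRef": {"name": "shibo-secret", "key": k}}}
    for n, k in (("SECRET_USERNAME", "username"), ("SECRET_PASSWORD", "password"))]}],
    "volumes": [{"name": "data", "secret": {"secretName": "shibo-secret",
        "items": [{"key": "username", "path": "my-group/my-username"}]}}]}}

if __name__ == "__main__":
    for specs in (["./username.txt", "./password.txt"],
                  ["username=./username.txt", "password=./password.txt"]):
        s = make_secret("shibo-secret", specs, CONTENTS)
        print(sorted(s["data"]), "->", missing_refs(POD, {"shibo-secret": s}))
```

Run against real manifests, the same check works on the JSON from `kubectl get secret -o json` and `kubectl get pod -o json`.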
    

      

      

     

  • Original article: https://www.cnblogs.com/louis2008/p/kubernetes-secret.html