• Kubernetes Secrets


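    Purpose of a Secret: store sensitive data

    Secret use cases

    1. When creating a pod, assign it a serviceaccount so that it uses the secret automatically
    2. Mount the secret into a pod
    3. Pull Docker images by referencing the secret in the pod's spec.imagePullSecrets
    4. Populate environment variables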
    

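    Using a secret by mounting it into a pod (files are created inside the container)

    1. Create the secret
    Option 1, from the command line: kubectl create secret generic myscret --from-literal=username=test --from-literal=password=test -o yaml --dry-run
    Option 2, from a manifest file: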
    apiVersion: v1
    data:
      password: dGVzdA==
      username: dGVzdA==
    kind: Secret
    metadata:
      name: myscret
    

    Note: the values under data are base64-encoded, which is an encoding and not encryption. To decode: echo dGVzdA== | base64 -d

    2. Mount it
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
      namespace: default 
      labels:
        app: nginx
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 1 
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:1.12
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80
            volumeMounts:
            - name: foo
              mountPath: "/usr/share/nginx/html"
          volumes:
          - name: foo
            secret:
              secretName: myscret
    
    kubectl exec nginx-deployment-68d7ffc4fd-lhwmv -- cat /usr/share/nginx/html/username
    kubectl exec nginx-deployment-68d7ffc4fd-lhwmv -- cat /usr/share/nginx/html/password
    # one file per secret key is created under /usr/share/nginx/html
    
    

    Populating environment variables

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
      namespace: default 
      labels:
        app: nginx
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 1 
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:1.12
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80
            env:
            - name: Nginx_username
              valueFrom:
                secretKeyRef:
                  name: myscret
                  key: username 
            - name: Nginx_password
              valueFrom:
                secretKeyRef:
                  name: myscret
                  key: password
    

    docker pull image

    #kubectl create secret docker-registry myaliyun --docker-server registry.cn-hangzhou.aliyuncs.com --docker-username ${your_username} --docker-password ${your_password} --docker-email ${your_email}  -o yaml 
    
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
      namespace: default 
      labels:
        app: nginx
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 1 
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:1.12
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80
          imagePullSecrets:
          - name: myaliyun   
    
  • Original article: https://www.cnblogs.com/lovelinux199075/p/11265395.html