• Kubernetes: ConfigMap and Secret


    ConfigMap: a standard k8s resource that turns configuration files into an API object so that other resources can load their configuration from it.
    Secret: the counterpart for sensitive configuration, also made up of key:value pairs. Values are base64-encoded in the API object, which is an encoding and not encryption: anyone allowed to read the Secret can decode them unless RBAC restricts access and encryption at rest is configured.

    A ConfigMap can be created directly with kubectl, passing the values on the command line:

    kubectl create configmap filebeat-cfg -n config --from-literal=redis_host="redis.default.svc.cluster.local" --from-literal=log_level="Info"

    --from-literal=log_level="Info" creates a key named log_level whose value is Info.
    Next, create a Pod that references keys from the ConfigMap:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cfg-demo
      namespace: config
    spec:
      containers:
      - name: filebeat
        image: ikubernetes/filebeat:5.6.5-alpine
        env: # environment variables injected into the container
        - name: REDIS_HOST # variable name inside the container
          valueFrom: # value taken from another resource
            configMapKeyRef: # reference a key of a ConfigMap
              name: filebeat-cfg # the ConfigMap created above
              key: redis_host # key name inside the ConfigMap
        - name: LOG_LEVEL # also a variable name inside the container
          valueFrom:
            configMapKeyRef:
              name: filebeat-cfg
              key: log_level


    Exec into the container and the environment variables are present. Note that values injected as environment variables are read once at container start: editing a key in the ConfigMap afterwards has no effect until the Pod is recreated.

    Referencing a ConfigMap through a volume
    Create two configuration files (server1.conf and server2.conf) to feed the volume, then define the ConfigMap:
    kubectl create configmap nginx-cfg --from-file=./server1.conf --from-file=server-2=./server2.conf -n config
    --from-file=./server1.conf # read the value from a file; with no key given, the file name (server1.conf) becomes the key and the file content the value
    --from-file=server-2=./server2.conf # the key name can also be given explicitly in key=path form (here server-2); the path may be relative or absolute

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp-pod
      namespace: config
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        volumeMounts: # mount a volume into the container
        - name: config # name of the volume to use
          mountPath: /etc/nginx/conf.d/
      volumes: # define the volumes
      - name: config # volume name
        configMap: # volume type: a ConfigMap rather than nfs or another filesystem
          name: nginx-cfg # the ConfigMap created above
          items: # select keys from the ConfigMap
          - key: server1.conf # key name
            path: server-first.conf # file name the key is projected as
          - key: server-2
            path: server-second.conf

    kubectl edit cm nginx-cfg -n config # edits are synced into the container automatically (after the kubelet's sync delay, typically up to about a minute); this only holds for whole-volume mounts, a volumeMount that uses subPath is never refreshed

    Secret resources: a configuration store whose values are base64-encoded, used to pass sensitive values. base64 is a reversible encoding, not encryption; anyone who can read the Secret object can decode it.
    Secret types:
    tls: for SSL/TLS certificates. The certificate and private key are packed into the Secret under fixed key names regardless of the original file names: the certificate always becomes tls.crt and the private key tls.key.
    generic: ordinary sensitive data that is not a certificate (type Opaque).
    docker-registry: registry login credentials (Docker Hub or any other registry), referenced from a Pod through imagePullSecrets.

    kubectl create secret generic mysql-root-password -n config --from-literal=password=centos # create a generic Secret
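    As an added example (not part of the original post), the following Python shows what `kubectl create secret generic` and `kubectl create secret tls` actually store, and that the base64 step is undone by anyone with read access to the Secret. The certificate and key contents used in the sample are constructed placeholders, not real key material.

```python
import base64


def _b64(raw: bytes) -> str:
    """Secret .data values are plain base64 (RFC 4648), nothing more."""
    return base64.b64encode(raw).decode("ascii")


def build_generic_secret(name: str, namespace: str, literals: dict) -> dict:
    """Equivalent of `kubectl create secret generic NAME --from-literal=k=v ...`.

    Every literal is base64-encoded into .data; the type is Opaque.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: _b64(v.encode("utf-8")) for k, v in literals.items()},
    }


def build_tls_secret(name: str, namespace: str, cert_pem: bytes, key_pem: bytes) -> dict:
    """Equivalent of `kubectl create secret tls NAME --cert=FILE --key=FILE`.

    The original file names are discarded: the keys are always tls.crt and
    tls.key, which is why a Pod volume has to select exactly those names.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": _b64(cert_pem), "tls.key": _b64(key_pem)},
    }


def decode_secret(manifest: dict) -> dict:
    """What any principal with `get` on secrets in the namespace can do, e.g.
    `kubectl get secret NAME -o jsonpath='{.data.password}' | base64 -d`.
    """
    return {k: base64.b64decode(v) for k, v in manifest.get("data", {}).items()}


if __name__ == "__main__":
    # Constructed sample input mirroring the commands on this page.
    s = build_generic_secret("mysql-root-password", "config", {"password": "centos"})
    print(s["data"])          # {'password': 'Y2VudG9z'}
    print(decode_secret(s))   # {'password': b'centos'}
    t = build_tls_secret(
        "mysql-cert", "config",
        b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
        b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
    )
    print(sorted(t["data"]))  # ['tls.crt', 'tls.key']
```

    Because decoding is trivial, the protection of a Secret comes from the API server, not from the encoding: restrict `get`/`list`/`watch` on secrets in RBAC, and enable encryption at rest so etcd does not hold the base64 plaintext.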

    Create a Pod that passes a key from the Secret to the container:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mysql
      namespace: config
    spec:
      containers:
      - name: mysql
        image: mysql:5.6
        env: # variables defined inside the container
        - name: MYSQL_ROOT_PASSWORD # not an arbitrary name: the mysql image requires this variable to start
          valueFrom: # where the value comes from
            secretKeyRef: # the value is read from a Secret
              key: password # key name
              name: mysql-root-password # Secret name

    Connect to mysql interactively and the password passed in this way logs you in.

    kubectl create secret tls mysql-cert --cert=./myapp.crt --key=./myapp.key -n config # create a tls-type Secret so that Pods can mount this certificate and key

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp-pod-tls
      namespace: config
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        volumeMounts:
        - name: config
          mountPath: /etc/nginx/conf.d/
        - name: tls
          mountPath: /etc/nginx/certs/ # mount path inside the container
      volumes: # define the volumes
      - name: config # volume name
        configMap: # volume type: ConfigMap
          name: nginx-cfg
          items:
          - key: server1.conf
            path: server-first.conf
          - key: server-2
            path: server-second.conf
      - name: tls
        secret: # volume type: Secret
          secretName: mysql-cert # the Secret created above
          items: # select keys
          - key: tls.crt # whatever the original files were called, a tls Secret always holds tls.crt and tls.key
            path: myapp.crt # file name inside the container, relative to mountPath /etc/nginx/certs/
          - key: tls.key
            path: myapp.key
            mode: 0600 # file permission for the private key; the default is 0644, readable by every user in the container
    
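    The three behaviours described above (environment variables are read once, whole-volume mounts are refreshed, and Secret files default to 0644) are easy to get wrong when reviewing a manifest. As an added example, not code from the original post, the following Python lints a Pod manifest for exactly those points. The sample Pod is constructed from the manifests on this page (myapp-pod-tls plus the LOG_LEVEL environment reference from pod-cfg-demo); the category names are this example's own.

```python
import copy

# Mode the kubelet applies to ConfigMap/Secret volume files when neither
# defaultMode nor a per-item mode is given.
DEFAULT_FILE_MODE = 0o644


def lint_pod_config_refs(pod: dict) -> list:
    """Classify every ConfigMap/Secret reference in a Pod manifest.

    Returns (category, detail) tuples:
      restart-required  env var from configMapKeyRef/secretKeyRef; value is
                        read once at container start, edits need a new Pod
      live-update       whole-volume mount; the kubelet refreshes the files
      no-live-update    volume mount that uses subPath; never refreshed
      group-other-read  Secret file whose mode has group/other bits set
    """
    findings = []
    spec = pod["spec"]

    # volume name -> (kind, source) for the two config-carrying volume types
    volumes = {}
    for vol in spec.get("volumes", []):
        if "configMap" in vol:
            volumes[vol["name"]] = ("configMap", vol["configMap"])
        elif "secret" in vol:
            volumes[vol["name"]] = ("secret", vol["secret"])

    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        for env in ctr.get("env", []):
            value_from = env.get("valueFrom", {})
            for ref in ("configMapKeyRef", "secretKeyRef"):
                if ref in value_from:
                    src = value_from[ref]
                    findings.append(("restart-required",
                                     f"{ctr['name']}: env {env['name']} <- {ref} "
                                     f"{src['name']}/{src['key']}"))
        for mount in ctr.get("volumeMounts", []):
            kind, _ = volumes.get(mount["name"], (None, None))
            if kind is None:
                continue  # emptyDir, PVC, hostPath: not a config reference
            cat = "no-live-update" if mount.get("subPath") else "live-update"
            findings.append((cat, f"{ctr['name']}: {kind} volume {mount['name']} "
                                  f"at {mount['mountPath']}"))

    # Permission check: a private key readable by every UID in the container
    # (the 0644 default) is what `mode: 0600` on the item is meant to prevent.
    for name, (kind, src) in volumes.items():
        if kind != "secret":
            continue
        default = src.get("defaultMode", DEFAULT_FILE_MODE)
        for item in src.get("items") or [{"key": "*"}]:
            mode = item.get("mode", default)
            if mode & 0o077:
                findings.append(("group-other-read",
                                 f"secret volume {name} item {item['key']} mode {mode:04o}"))
    return findings


# Constructed sample: myapp-pod-tls from this page plus one env reference.
# YAML 1.1 parsers read `mode: 0600` as octal, hence the 0o600 literal here;
# the certificate item has no mode and falls back to the 0644 default.
MYAPP_POD_TLS = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "myapp-pod-tls", "namespace": "config"},
    "spec": {
        "containers": [{
            "name": "myapp", "image": "ikubernetes/myapp:v1",
            "env": [{"name": "LOG_LEVEL", "valueFrom": {
                "configMapKeyRef": {"name": "filebeat-cfg", "key": "log_level"}}}],
            "volumeMounts": [
                {"name": "config", "mountPath": "/etc/nginx/conf.d/"},
                {"name": "tls", "mountPath": "/etc/nginx/certs/"},
            ],
        }],
        "volumes": [
            {"name": "config", "configMap": {"name": "nginx-cfg", "items": [
                {"key": "server1.conf", "path": "server-first.conf"},
                {"key": "server-2", "path": "server-second.conf"}]}},
            {"name": "tls", "secret": {"secretName": "mysql-cert", "items": [
                {"key": "tls.crt", "path": "myapp.crt"},
                {"key": "tls.key", "path": "myapp.key", "mode": 0o600}]}},
        ],
    },
}

# Same Pod, but the nginx config mounted with subPath: it will never be refreshed.
MYAPP_POD_TLS_SUBPATH = copy.deepcopy(MYAPP_POD_TLS)
MYAPP_POD_TLS_SUBPATH["spec"]["containers"][0]["volumeMounts"][0].update(
    {"mountPath": "/etc/nginx/conf.d/server-first.conf", "subPath": "server-first.conf"})

if __name__ == "__main__":
    for category, detail in lint_pod_config_refs(MYAPP_POD_TLS):
        print(f"{category:18} {detail}")
```

    On the sample Pod the linter reports one restart-required reference, two live-updating mounts and one group-other-read file, tls.crt. The certificate is public, so that finding is informational; the same finding on tls.key would be the one to act on.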


    StatefulSet: manages stateful applications. It gives each Pod a stable identity (ordinal name, network name) and its own storage; changing the replica count is supported, but whatever the application itself must do when it scales (joining the cluster, rebalancing data) is not automated and has to be scripted yourself.
    Operator: application-specific software that encodes all the operational knowledge for one application; every application has its own Operator. An Operator runs as Pods inside the k8s cluster and controls the stateful application.

    Defining a StatefulSet:

    First create several PVs, statically:
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-nfs-v0
      labels:
        storage: nfs
    spec:
      accessModes: ["ReadWriteOnce","ReadWriteMany","ReadOnlyMany"]
      capacity:
        storage: 1Gi
      volumeMode: Filesystem
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: 192.168.1.199
        path: /vols/v0
    ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-nfs-v1
      labels:
        storage: nfs
    spec:
      accessModes: ["ReadWriteOnce","ReadWriteMany","ReadOnlyMany"]
      capacity:
        storage: 5Gi
      volumeMode: Filesystem
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: 192.168.1.199
        path: /vols/v1
    ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-nfs-v2
      labels:
        storage: nfs
    spec:
      accessModes: ["ReadWriteOnce","ReadWriteMany","ReadOnlyMany"]
      capacity:
        storage: 5Gi
      volumeMode: Filesystem
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: 192.168.1.199
        path: /vols/v2
    ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-nfs-v3
      labels:
        storage: nfs
    spec:
      accessModes: ["ReadWriteOnce","ReadWriteMany","ReadOnlyMany"]
      capacity:
        storage: 5Gi
      volumeMode: Filesystem
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: 192.168.1.199
        path: /vols/v3
    ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-nfs-v4
      labels:
        storage: nfs
    spec:
      accessModes: ["ReadWriteOnce","ReadWriteMany","ReadOnlyMany"]
      capacity:
        storage: 5Gi
      volumeMode: Filesystem
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: 192.168.1.199
        path: /vols/v4
    ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-nfs-v5
      labels:
        storage: nfs
    spec:
      accessModes: ["ReadWriteOnce","ReadWriteMany","ReadOnlyMany"]
      capacity:
        storage: 5Gi
      volumeMode: Filesystem
      persistentVolumeReclaimPolicy: Retain
      nfs:
        server: 192.168.1.199
        path: /vols/v5
    # then create the StatefulSet; its claims bind to these PVs
    
    

    Define the StatefulSet:

    apiVersion: v1
    kind: Service # the headless Service in front of the StatefulSet
    metadata:
      name: myapp-sts-svc
      namespace: sts
      labels:
        app: myapp
    spec:
      ports:
      - port: 80
        name: web
      clusterIP: None # headless: each Pod gets a stable DNS name instead of a load-balanced VIP
      selector:
        app: myapp-pod
        containers: sts
    ---
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: statefulset-demo
      namespace: sts
    spec:
      selector:
        matchLabels:
          app: myapp-pod
          containers: sts
      serviceName: "myapp-sts-svc" # must name the headless Service above
      replicas: 2 # number of Pod replicas
      template: # Pod template
        metadata:
          labels:
            app: myapp-pod
            containers: sts
        spec:
          terminationGracePeriodSeconds: 10 # grace period when a Pod is deleted
          containers:
          - name: myapp
            image: ikubernetes/myapp:v1
            ports:
            - containerPort: 80
              name: web
            volumeMounts:
            - name: myapp-pvc
              mountPath: /usr/share/nginx/html
      volumeClaimTemplates: # PVC template: one PVC per Pod, named <template>-<pod>, in the StatefulSet's namespace
      - metadata:
          name: myapp-pvc # PVC name prefix
        spec:
          accessModes: [ "ReadWriteOnce" ] # access mode: single-node read-write
          resources: # how much storage each Pod requests
            requests:
              storage: 2Gi
  • Original URL: https://www.cnblogs.com/woaiyitiaochai/p/12030084.html
Copyright © 2020-2023  润新知