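Configuring Non-Sensitive Information in Kubernetes with ConfigMap Resources
Author: 尹正杰 (Yin Zhengjie)
Copyright notice: this is an original work; reproduction is declined and will otherwise be pursued legally.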
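I. Common ways to configure an application
Configuring an application is a very common need, and the usual ways to do it are configuration files or command-line options. Containerized applications, however, are started from an image, so they are configured differently from those two approaches.
Containerized applications are commonly configured in the following ways:
(1) Hard-code a prepared configuration file into the image;
(2) Use environment variables:
    Docker environment variables: defined in the Dockerfile.
    Kubernetes environment variables: defined in the resource manifest.
(3) Use Kubernetes ConfigMap and Secret for centralized configuration (a configuration center).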
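II. Case: configuring a container by referencing a ConfigMap through environment variables (drawback: when the content of the ConfigMap changes, containers that have already been created do not pick up the new configuration in real time)
1>. Create the ConfigMap object from the command line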
[root@master200.yinzhengjie.org.cn ~]# kubectl get namespace
NAME                 STATUS   AGE
default              Active   5d11h
ingress-nginx        Active   41h
kube-node-lease      Active   5d11h
kube-public          Active   5d11h
kube-system          Active   5d11h
myservice            Active   46h
testing              Active   2d15h
testing2             Active   2d5h
yinzhengjie-eshop    Active   33h
yinzhengjie-ns       Active   36h
yinzhengjie-volume   Active   24h
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl create namespace yinzhengjie-config
namespace/yinzhengjie-config created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get namespace
NAME                 STATUS   AGE
default              Active   5d11h
ingress-nginx        Active   41h
kube-node-lease      Active   5d11h
kube-public          Active   5d11h
kube-system          Active   5d11h
myservice            Active   46h
testing              Active   2d15h
testing2             Active   2d5h
yinzhengjie-config   Active   2s
yinzhengjie-eshop    Active   33h
yinzhengjie-ns       Active   36h
yinzhengjie-volume   Active   24h
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get namespace
NAME                 STATUS   AGE
default              Active   5d11h
ingress-nginx        Active   41h
kube-node-lease      Active   5d11h
kube-public          Active   5d11h
kube-system          Active   5d11h
myservice            Active   46h
testing              Active   2d15h
testing2             Active   2d5h
yinzhengjie-config   Active   50s
yinzhengjie-eshop    Active   33h
yinzhengjie-ns       Active   36h
yinzhengjie-volume   Active   24h
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl create configmap filebeat-cfg -n yinzhengjie-config --from-literal=redis_hostname="redis.default.service.cluster.local" --from-literal=log_level="Info"
configmap/filebeat-cfg created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get configmap -n yinzhengjie-config
NAME           DATA   AGE
filebeat-cfg   2      28s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get configmap -n yinzhengjie-config
NAME           DATA   AGE
filebeat-cfg   2      28s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get configmap -n yinzhengjie-config -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    log_level: Info
    redis_hostname: redis.default.service.cluster.local
  kind: ConfigMap
  metadata:
    creationTimestamp: "2020-02-09T23:39:57Z"
    name: filebeat-cfg
    namespace: yinzhengjie-config
    resourceVersion: "501375"
    selfLink: /api/v1/namespaces/yinzhengjie-config/configmaps/filebeat-cfg
    uid: a90c2a63-53af-4e2a-bb65-c1c378ef017c
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]#
2>. Create a Pod that uses our custom ConfigMap resource
[root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/configmap/pod-cfg.yaml
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/configmap/pod-cfg.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cfg-dome
  namespace: yinzhengjie-config
spec:
  containers:
  - name: filebeat
    image: ikubernetes/filebeat:5.6.5-alpine
    env:
    - name: REDIS_HOST
      valueFrom:
        configMapKeyRef:
          name: filebeat-cfg
          key: redis_hostname
    - name: LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: filebeat-cfg
          key: log_level
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/configmap/pod-cfg.yaml
pod/pod-cfg-dome created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config
NAME           READY   STATUS    RESTARTS   AGE
pod-cfg-dome   1/1     Running   0          14s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
3>. Verify that the values were passed in
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config
NAME           READY   STATUS    RESTARTS   AGE
pod-cfg-dome   1/1     Running   0          6m43s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec -it pod-cfg-dome -n yinzhengjie-config -- /bin/sh
/ #
/ # printenv
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
LOG_LEVEL=Info
HOSTNAME=pod-cfg-dome
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
REDIS_HOST=redis.default.service.cluster.local
FILEBEAT_VERSION=5.6.5
/ #
/ # exit
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get configmap -n yinzhengjie-config -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    log_level: Info
    redis_hostname: redis.default.service.cluster.local
  kind: ConfigMap
  metadata:
    creationTimestamp: "2020-02-09T23:39:57Z"
    name: filebeat-cfg
    namespace: yinzhengjie-config
    resourceVersion: "501375"
    selfLink: /api/v1/namespaces/yinzhengjie-config/configmaps/filebeat-cfg
    uid: a90c2a63-53af-4e2a-bb65-c1c378ef017c
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
4>. After the Pod is running, modifying the ConfigMap again does not change the corresponding variables in the Pod's container
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm -n yinzhengjie-config -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    log_level: Info
    redis_hostname: redis.default.service.cluster.local
  kind: ConfigMap
  metadata:
    creationTimestamp: "2020-02-09T23:39:57Z"
    name: filebeat-cfg
    namespace: yinzhengjie-config
    resourceVersion: "501375"
    selfLink: /api/v1/namespaces/yinzhengjie-config/configmaps/filebeat-cfg
    uid: a90c2a63-53af-4e2a-bb65-c1c378ef017c
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl edit cm filebeat-cfg -n yinzhengjie-config
configmap/filebeat-cfg edited
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm -n yinzhengjie-config -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    log_level: Notice
    redis_hostname: redis.default.service.cluster.local
  kind: ConfigMap
  metadata:
    creationTimestamp: "2020-02-09T23:39:57Z"
    name: filebeat-cfg
    namespace: yinzhengjie-config
    resourceVersion: "505489"
    selfLink: /api/v1/namespaces/yinzhengjie-config/configmaps/filebeat-cfg
    uid: a90c2a63-53af-4e2a-bb65-c1c378ef017c
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config
NAME           READY   STATUS    RESTARTS   AGE
pod-cfg-dome   1/1     Running   0          14m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm -n yinzhengjie-config -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    log_level: Notice
    redis_hostname: redis.default.service.cluster.local
  kind: ConfigMap
  metadata:
    creationTimestamp: "2020-02-09T23:39:57Z"
    name: filebeat-cfg
    namespace: yinzhengjie-config
    resourceVersion: "505489"
    selfLink: /api/v1/namespaces/yinzhengjie-config/configmaps/filebeat-cfg
    uid: a90c2a63-53af-4e2a-bb65-c1c378ef017c
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec -it pod-cfg-dome -n yinzhengjie-config -- /bin/sh
/ #
/ # printenv
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
LOG_LEVEL=Info
HOSTNAME=pod-cfg-dome
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
REDIS_HOST=redis.default.service.cluster.local
FILEBEAT_VERSION=5.6.5
/ #
/ # exit
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
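III. Case: configuring a container by referencing a ConfigMap as configuration files (here the ConfigMap acts much like a configuration center: every Pod that uses this ConfigMap resource automatically reads the same configuration files)
1>. Create the nginx configuration files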
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/configmap/server01.conf
server {
    server_name master.yinzhengjie.org.cn;
    listen 80;
    location / {
        root "/yinzhengjie/master/html/";
    }
}
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/configmap/server02.conf
server {
    server_name master200.yinzhengjie.org.cn;
    listen 80;
    location / {
        root "/yinzhengjie/master200/html/";
    }
}
[root@master200.yinzhengjie.org.cn ~]#
2>. Create the ConfigMap resource from the command line
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/configmap/server01.conf
server {
    server_name master.yinzhengjie.org.cn;
    listen 80;
    location / {
        root "/yinzhengjie/master/html/";
    }
}
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/configmap/server02.conf
server {
    server_name master200.yinzhengjie.org.cn;
    listen 80;
    location / {
        root "/yinzhengjie/master200/html/";
    }
}
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm -n yinzhengjie-config
NAME           DATA   AGE
filebeat-cfg   2      83m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl create configmap nginx-cfg --from-file=/yinzhengjie/data/k8s/manifests/basic/configmap/server01.conf --from-file=server-second.conf=/yinzhengjie/data/k8s/manifests/basic/configmap/server02.conf -n yinzhengjie-config
configmap/nginx-cfg created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm -n yinzhengjie-config
NAME           DATA   AGE
filebeat-cfg   2      83m
nginx-cfg      2      2s
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm nginx-cfg -n yinzhengjie-config -o yaml
apiVersion: v1
data:
  server-second.conf: "server { server_name master200.yinzhengjie.org.cn; listen 80; location / { root "/yinzhengjie/master200/html/"; } } "
  server01.conf: "server { server_name master.yinzhengjie.org.cn; listen 80; location / { root "/yinzhengjie/master/html/"; } } "
kind: ConfigMap
metadata:
  creationTimestamp: "2020-02-10T01:03:22Z"
  name: nginx-cfg
  namespace: yinzhengjie-config
  resourceVersion: "514708"
  selfLink: /api/v1/namespaces/yinzhengjie-config/configmaps/nginx-cfg
  uid: 3b5431ff-26c0-419d-9f26-f646f5b2ed06
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
3>. Use a ConfigMap volume when creating the Pod
[root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/configmap/pod-mynginx.yaml
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/configmap/pod-mynginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mynginx
  namespace: yinzhengjie-config
spec:
  containers:
  - name: mynginx
    image: nginx:1.14-alpine
    volumeMounts:
    - name: config
      mountPath: /etc/nginx/conf.d/
  volumes:
  - name: config
    configMap:
      name: nginx-cfg
      items:
      - key: server01.conf
        path: server-first.conf
      - key: server-second.conf
        path: server-second.conf
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP            NODE                         NOMINATED NODE   READINESS GATES
pod-cfg-dome   1/1     Running   0          62m   10.244.1.27   node201.yinzhengjie.org.cn   <none>           <none>
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/configmap/pod-mynginx.yaml
pod/mynginx created
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP            NODE                         NOMINATED NODE   READINESS GATES
mynginx        1/1     Running   0          1s    10.244.1.30   node201.yinzhengjie.org.cn   <none>           <none>
pod-cfg-dome   1/1     Running   0          62m   10.244.1.27   node201.yinzhengjie.org.cn   <none>           <none>
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP            NODE                         NOMINATED NODE   READINESS GATES
mynginx        1/1     Running   0          1s    10.244.1.30   node201.yinzhengjie.org.cn   <none>           <none>
pod-cfg-dome   1/1     Running   0          62m   10.244.1.27   node201.yinzhengjie.org.cn   <none>           <none>
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec mynginx -it -n yinzhengjie-config -- /bin/sh
/ #
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d #
/etc/nginx/conf.d # ls
server-first.conf   server-second.conf
/etc/nginx/conf.d #
/etc/nginx/conf.d # ls -l
total 0
lrwxrwxrwx    1 root     root            24 Feb 10 01:15 server-first.conf -> ..data/server-first.conf
lrwxrwxrwx    1 root     root            25 Feb 10 01:15 server-second.conf -> ..data/server-second.conf
/etc/nginx/conf.d #
/etc/nginx/conf.d # cat server-first.conf
server {
    server_name master.yinzhengjie.org.cn;
    listen 80;
    location / {
        root "/yinzhengjie/master/html/";
    }
}
/etc/nginx/conf.d #
/etc/nginx/conf.d # cat server-second.conf
server {
    server_name master200.yinzhengjie.org.cn;
    listen 80;
    location / {
        root "/yinzhengjie/master200/html/";
    }
}
/etc/nginx/conf.d #
/etc/nginx/conf.d # netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
/etc/nginx/conf.d #
/etc/nginx/conf.d #
4>. Modify the configuration file in the ConfigMap and verify whether the configuration inside the container changes
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get cm -n yinzhengjie-config
NAME           DATA   AGE
filebeat-cfg   2      102m
nginx-cfg      2      19m
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl edit cm nginx-cfg -n yinzhengjie-config
configmap/nginx-cfg edited
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl get pods -n yinzhengjie-config -o wide
NAME           READY   STATUS    RESTARTS   AGE   IP            NODE                         NOMINATED NODE   READINESS GATES
mynginx        1/1     Running   0          11m   10.244.1.30   node201.yinzhengjie.org.cn   <none>           <none>
pod-cfg-dome   1/1     Running   0          73m   10.244.1.27   node201.yinzhengjie.org.cn   <none>           <none>
[root@master200.yinzhengjie.org.cn ~]#
[root@master200.yinzhengjie.org.cn ~]# kubectl exec mynginx -it -n yinzhengjie-config -- /bin/sh
/ #
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d #
/etc/nginx/conf.d # ls
server-first.conf   server-second.conf
/etc/nginx/conf.d #
/etc/nginx/conf.d # cat server-first.conf
server {
    server_name master.yinzhengjie.org.cn;
    listen 8080;
    location / {
        root "/yinzhengjie/master/html/";
    }
}
/etc/nginx/conf.d #
/etc/nginx/conf.d # netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
/etc/nginx/conf.d #
/etc/nginx/conf.d # nginx -s reload
2020/02/10 01:27:33 [notice] 25#25: signal process started
/etc/nginx/conf.d #
/etc/nginx/conf.d # netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
/etc/nginx/conf.d #
/etc/nginx/conf.d #
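IV. Creating ConfigMap resources from a manifest
Creating ConfigMap resources from the command line, as above, is very convenient, but it is hard to reuse and makes problems difficult to trace; in production, create ConfigMap resources from manifests instead. When we deployed flannel earlier, some readers may have noticed a YAML file (https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml) that does contain an example of defining a ConfigMap resource, as shown in the figure below.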
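Manifest equivalents of the two ConfigMaps that were created on the command line earlier in this post, as an added example that is not from the original post or from the flannel project. The file name configmaps.yaml is an assumption; every resource name, key and value is taken from the commands above.

```yaml
# Added example: declarative form of the filebeat-cfg and nginx-cfg ConfigMaps.
# Assumed file name: configmaps.yaml
# Apply with: kubectl apply -f configmaps.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-cfg
  namespace: yinzhengjie-config
data:
  # One key per --from-literal option.
  redis_hostname: redis.default.service.cluster.local
  log_level: Info
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-cfg
  namespace: yinzhengjie-config
data:
  # One key per --from-file option; "|" preserves the file's line breaks.
  # server01.conf keeps the source file name as its key.
  server01.conf: |
    server {
        server_name master.yinzhengjie.org.cn;
        listen 80;
        location / {
            root "/yinzhengjie/master/html/";
        }
    }
  # server-second.conf is the key chosen with --from-file=server-second.conf=...
  server-second.conf: |
    server {
        server_name master200.yinzhengjie.org.cn;
        listen 80;
        location / {
            root "/yinzhengjie/master200/html/";
        }
    }
```

Because the manifest is a file, it can be kept in version control and reviewed before it is applied, which addresses the reuse and traceability problems described above.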
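V. Configuring sensitive information in Kubernetes with Secret resources
The sections above briefly covered how to define and create a ConfigMap from a manifest and from the command line. As the title of this post says, ConfigMap is suited to non-sensitive configuration. For sensitive information such as user passwords, ConfigMap is not recommended; use Secret instead.
A Secret is used in the same way as a ConfigMap; the only difference is that a Secret is stored base64-encoded.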
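A Secret and a Pod that consumes it in the same way the Pod in the environment-variable case consumes a ConfigMap, as an added example that is not from the original post. The names filebeat-secret, redis_password, pod-secret-demo and REDIS_PASSWORD are hypothetical, and the password is a constructed placeholder. Base64 is a reversible encoding rather than encryption, so the protection comes from restricting who can read Secret objects (RBAC) and, where the cluster is configured for it, encryption at rest.

```yaml
# Added example; all Secret-related names below are hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: filebeat-secret
  namespace: yinzhengjie-config
type: Opaque
data:
  # base64 of the constructed placeholder "change-me".
  # Anyone who can read this object can recover it:
  #   echo -n Y2hhbmdlLW1l | base64 -d
  redis_password: Y2hhbmdlLW1l
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-demo
  namespace: yinzhengjie-config
spec:
  containers:
  - name: filebeat
    image: ikubernetes/filebeat:5.6.5-alpine
    env:
    - name: REDIS_HOST          # non-sensitive: stays in the ConfigMap
      valueFrom:
        configMapKeyRef:
          name: filebeat-cfg
          key: redis_hostname
    - name: REDIS_PASSWORD      # sensitive: comes from the Secret
      valueFrom:
        secretKeyRef:
          name: filebeat-secret
          key: redis_password
```

As with the ConfigMap case, a value injected through an environment variable is fixed when the container starts, so rotating the Secret requires recreating the Pod.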
Recommended reading from the author: https://www.cnblogs.com/yinzhengjie/p/12297046.html