ConfigMap & Secret in k8s storage

1. Configmap configuration management

(1) A ConfigMap is used to save configuration data, stored as key-value pairs.
The ConfigMap resource provides a way to inject configuration data into a Pod. Its purpose is to decouple the image from the configuration file, so that the image stays portable and reusable.
(2) Typical usage scenarios
1. Fill in the values of environment variables
2. Set command-line parameters in the container
3. Populate configuration files in a volume
(3) There are 4 ways to create a ConfigMap
1. Create from literal values

kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
kubectl get cm
kubectl describe cm my-config
kubectl get cm my-config -o yaml


2. Create from a file

kubectl create configmap my-config-2 --from-file=/etc/resolv.conf  # the key is the file name, the value is the content of the file
kubectl describe cm my-config-2


3. Create from a directory

kubectl create configmap my-config-3 --from-file=test  # each file name in the directory becomes a key, the file content is its value

4. Create by writing a ConfigMap yaml file

vim cm1.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm1-config
data:
  db_host: "172.25.2.250"
  db_port: "3306"

kubectl apply -f cm1.yml
kubectl describe cm cm1-config

(4) Using a ConfigMap
1. Pass it to the Pod directly through environment variables
(1) Redefine the keys of cm1-config (each key is mapped to a variable with a new name)

vim pod1.yml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
    - name: pod1
      image: busyboxplus
      command: ["/bin/sh", "-c", "env"]
      env:
        - name: key1
          valueFrom:
            configMapKeyRef:
              name: cm1-config
              key: db_host
        - name: key2
          valueFrom:
            configMapKeyRef:
              name: cm1-config
              key: db_port
  restartPolicy: Never

kubectl apply -f pod1.yml
kubectl logs pod1 

(2) Use cm1-config directly (all keys are imported as environment variables under their own names)

apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
    - name: pod2
      image: busyboxplus
      command: ["/bin/sh", "-c", "env"]
      #command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]
      envFrom:
        - configMapRef:
            name: cm1-config
  restartPolicy: Never

2. Reference the keys in the Pod's command line

command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]

3. Mount it into the Pod as a volume
(1) The container does not need to be restarted: the mounted files are refreshed in place

apiVersion: v1
kind: Pod
metadata:
  name: pod3
spec:
  containers:
    - name: pod3
      image: busyboxplus
      stdin: true
      tty: true
      volumeMounts:
      - name: config-volume
        mountPath: /config
  volumes:
    - name: config-volume
      configMap:
        name: cm1-config


# ConfigMap hot update: the data seen in the Pod is not refreshed in real time, wait a few seconds
kubectl edit cm cm1-config
kubectl attach pod3 -it

(2) For a change such as the listening port of nginx or httpd, the service must be restarted or reloaded before it takes effect. After the ConfigMap is hot-updated, the containers therefore need to be updated on a rolling basis.

#a Create the ConfigMap
vim default.conf
server {
    listen       8080;
    server_name  _;

    location / {
        root /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

kubectl create configmap nginx-config --from-file=default.conf


#b Use the ConfigMap
vim demo.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v1
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nginx/conf.d
      volumes:
        - name: config-volume
          configMap:
            name: nginx-config

kubectl apply -f demo.yml


#c Hot-update the ConfigMap
kubectl edit cm nginx-config
kubectl exec demo-7c9466878-nj5hv -- cat /etc/nginx/conf.d/default.conf


#d A Pod rolling update must be triggered manually so that the nginx configuration file is loaded again
# Each time, change the "version/config" annotation to trigger the rolling update; environment variables populated from a ConfigMap are not refreshed by a hot update
kubectl patch deployments.apps demo --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "2021022601"}}}}}'
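An added helper, not from the original post, that generalises the manual patch above: instead of a hand-typed date stamp it uses a checksum of the ConfigMap content as the version/config annotation, so re-running it is idempotent and a rollout happens only when the configuration actually changed. It assumes kubectl is on PATH and configured; the sample ConfigMap data is constructed from the default.conf on this page.

```python
import hashlib
import json
import subprocess
from typing import Optional

# Constructed sample: the data of the nginx-config ConfigMap created above.
NGINX_CONFIG = {
    "default.conf": "server {\n    listen 8080;\n    server_name _;\n"
                    "    location / {\n        root /usr/share/nginx/html;\n"
                    "        index index.html index.htm;\n    }\n}\n"
}


def config_checksum(data: dict) -> str:
    """SHA-256 over the ConfigMap data in canonical form (sorted keys, no
    whitespace), so identical content always yields an identical checksum."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def rollout_patch(data: dict, annotation: str = "version/config") -> dict:
    """Same patch shape as the page's kubectl patch command, but the annotation
    value is the content checksum rather than a date stamp."""
    return {"spec": {"template": {"metadata": {
        "annotations": {annotation: config_checksum(data)}}}}}


def needs_rollout(current_annotation: Optional[str], data: dict) -> bool:
    """True when the Pod template's current annotation differs from the checksum
    of the ConfigMap content, i.e. the running Pods were rolled out with older config."""
    return current_annotation != config_checksum(data)


def trigger_rollout(deployment: str, data: dict, namespace: str = "default") -> None:
    """Apply the patch with kubectl (assumes kubectl is installed and configured)."""
    subprocess.run(
        ["kubectl", "-n", namespace, "patch", "deployment", deployment,
         "--patch", json.dumps(rollout_patch(data))],
        check=True,
    )


if __name__ == "__main__":
    # Print the patch body; trigger_rollout("demo", NGINX_CONFIG) would apply it.
    print(json.dumps(rollout_patch(NGINX_CONFIG)))
```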


2. Secret configuration management

(1) The Secret object type is used to store sensitive information such as passwords, OAuth tokens and ssh keys. Keeping such information in a Secret is safer and more flexible than putting it in a Pod definition or a container image.
(2) A Pod can use a Secret in two ways:
1. As files in a volume mounted into one or more containers of the Pod.
2. By the kubelet, when it pulls images for the Pod.
(3) Secret types:
1. Service Account: Kubernetes automatically creates a Secret containing credentials for accessing the API and automatically modifies Pods to use this type of Secret.
2. Opaque: stores the information base64-encoded; the original data can be recovered with base64 --decode, so the protection is weak.
3. kubernetes.io/dockerconfigjson: stores the authentication information for a Docker registry.

kubectl get sa
kubectl describe sa default
kubectl get secrets  # every namespace has a default ServiceAccount object named default
kubectl describe pod demo-7c9466878-nj5hv   # the ServiceAccount carries a Secret (listed under Tokens) that can be mounted into a Pod like a Volume; when the Pod starts, this Secret is mounted automatically at the specified directory and is used to authenticate processes in the Pod to the API Server
kubectl exec demo-7c9466878-nj5hv -- ls /var/run/secrets/kubernetes.io/serviceaccount  # when a ServiceAccount is created, Kubernetes creates the corresponding Secret by default; that Secret is mounted automatically in the Pod at /run/secrets/kubernetes.io/serviceaccount

(4) Create
1. Create a Secret from files

echo -n 'admin' > ./username.txt
echo -n 'westos' > ./password.txt
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt  # if the password contains special characters, escape them with the \ character
kubectl get secrets

kubectl get secrets db-user-pass -o yaml  # by default, kubectl get and kubectl describe do not show the password content for safety; it can be viewed this way

2. Create from a yaml file

vim mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z

kubectl apply -f mysecret.yaml
kubectl get secrets

(5) Mount a Secret into a Volume
1. Mount directly

apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: demo
    image: myapp:v1
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      #items:  # used in section 2 below: project one key to a chosen path
      #- key: username
      #  path: my-group/my-username

2. Map a secret key to a specified path: uncomment the items block above; only the listed keys are projected, each at the given path relative to mountPath (here /secret/my-group/my-username).
3. Expose a Secret as environment variables

apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: myapp:v1
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

kubectl apply -f env.yml
kubectl get pod
kubectl exec secret-env -- env  # reading a Secret through environment variables is convenient, but dynamic updates of the Secret are not picked up

4. Private registry authentication

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: myapp
      image: reg.westos.org/test/myapp:v1
  imagePullSecrets:
    - name: myregistrykey


# Create the private registry authentication secret
kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=server@test.org  # kubernetes.io/dockerconfigjson stores the authentication information of the docker registry


# View the authentication information
kubectl get secrets myregistrykey -o yaml| less
echo eyJhdXRocyI6eyJyZWcud2VzdG9zLm9yZyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJ3ZXN0b3MiLCJlbWFpbCI6InNlcnZlckB0ZXN0Lm9yZyIsImF1dGgiOiJZV1J0YVc0NmQyVnpkRzl6In19fQ== | base64 -d
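An added audit helper, not part of the original post, that makes the point of the base64 commands above concrete for both the Opaque Secret and the dockerconfigjson Secret: given the JSON that `kubectl get secret mysecret myregistrykey -o json` returns, it recovers the plaintext credentials and checks that the registry `auth` field agrees with username/password. The sample JSON is constructed from the values on this page; anyone granted `get secrets` in the namespace can read the same plaintext, so that RBAC verb deserves the same care as the credentials themselves.

```python
import base64
import json

# Constructed sample: the two Secrets created on this page, in the shape
# returned by `kubectl get secret mysecret myregistrykey -o json`.
SECRET_LIST = {
    "items": [
        {"metadata": {"name": "mysecret"}, "type": "Opaque",
         "data": {"username": "YWRtaW4=", "password": "d2VzdG9z"}},
        {"metadata": {"name": "myregistrykey"}, "type": "kubernetes.io/dockerconfigjson",
         "data": {".dockerconfigjson": "eyJhdXRocyI6eyJyZWcud2VzdG9zLm9yZyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJ3ZXN0b3MiLCJlbWFpbCI6InNlcnZlckB0ZXN0Lm9yZyIsImF1dGgiOiJZV1J0YVc0NmQyVnpkRzl6In19fQ=="}},
    ]
}


def decode_secret(secret: dict) -> dict:
    """Base64 is encoding, not encryption: every value under .data decodes directly."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def registry_credentials(dockerconfigjson: str) -> dict:
    """Parse a .dockerconfigjson payload into {registry: (username, password)}.
    The 'auth' field is base64('username:password'); when both forms are present
    they must agree, otherwise the Secret is malformed."""
    creds = {}
    for registry, entry in json.loads(dockerconfigjson)["auths"].items():
        user, password = entry.get("username"), entry.get("password")
        if "auth" in entry:
            auth_user, _, auth_pw = base64.b64decode(entry["auth"]).decode().partition(":")
            if user is None:
                user, password = auth_user, auth_pw
            elif (auth_user, auth_pw) != (user, password):
                raise ValueError(f"{registry}: auth field disagrees with username/password")
        creds[registry] = (user, password)
    return creds


def audit_secrets(secret_list: dict) -> dict:
    """Map each Secret name to the plaintext it exposes to anyone allowed to read it."""
    findings = {}
    for secret in secret_list["items"]:
        plain = decode_secret(secret)
        name = secret["metadata"]["name"]
        if secret["type"] == "kubernetes.io/dockerconfigjson":
            findings[name] = registry_credentials(plain[".dockerconfigjson"])
        else:
            findings[name] = plain
    return findings


if __name__ == "__main__":
    for name, content in audit_secrets(SECRET_LIST).items():
        print(name, content)
```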


Origin blog.csdn.net/qq_49564346/article/details/114121553