Kubernetes configuration
Configuration best practices:
Among the twelve factors of cloud-native applications, separating configuration from code is one of the recommendations.
Configuration files should be stored in version control before being pushed to the cluster. This allows you to roll back configuration changes quickly if necessary, and it makes re-creating and recovering a cluster easier.
Write configuration files in YAML rather than JSON. The two formats can be used interchangeably in almost all scenarios, but YAML tends to be more user-friendly.
Group related objects into a single file where it makes sense, for example guestbook-all-in-one.yaml.
Do not specify default values unless necessary: a simple, minimal configuration reduces the chance of errors.
Put object descriptions in annotations for better introspection.
I. Secret
The Secret object type is used to store sensitive information such as passwords, OAuth tokens, and SSH keys. Putting this information in a Secret is safer and more flexible than putting it in a Pod definition or a container image.
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Users can create Secrets, and the system also creates some Secrets itself.
1. Types of Secret
[Table of Secret types: only the header "type" survived extraction]
2. How a Pod references a Secret
To use a Secret, a Pod needs to reference it. A Pod can use a Secret in one of three ways:
As files in a volume mounted into one or more of its containers.
As container environment variables (referenced through the envFrom field).
By the kubelet when pulling images for the Pod (in this case the Secret is of the docker-registry type).
The name of a Secret object must be a valid DNS subdomain name. When writing a configuration file to create a Secret, you can set the data and/or stringData fields; both are optional. Every value in the data field must be a base64-encoded string. If you do not want to perform this base64 conversion yourself, you can set the stringData field instead, which accepts arbitrary strings as values.
3. Experiments
3.1 Creating a Secret
generic type
Command line:
```bash
# 1. From plain-text literals
kubectl create secret generic mysecret \
  --from-literal=username=devuser \
  --from-literal=password='123456'
```
Equivalent YAML:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  password: MTIzNDU2      # base64-encoded "123456"
  username: ZGV2dXNlcg==  # base64-encoded "devuser"
```
Get the Secret's contents:
```bash
kubectl get secret mysecret -o jsonpath='{.data}'
```
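The `kubectl create secret generic --from-literal` command above does nothing more than base64-encode each literal into the `data` map, which is why `kubectl get secret ... -o jsonpath='{.data}'` prints base64 rather than plaintext: that is an encoding, not encryption, and anyone allowed to read the object recovers the values. The following is an added example, not code from the original page or from Kubernetes itself; it builds the same manifest locally, enforces the two rules the text states (the name must be a DNS subdomain, every `data` value must be valid base64) and shows the `stringData` alternative. The function names and the constructed literals are this example's own.

```python
import base64
import re

# RFC 1123 DNS subdomain rule that Kubernetes applies to Secret and ConfigMap names
_DNS_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def is_valid_dns_subdomain(name: str) -> bool:
    """True if `name` is a valid DNS subdomain name (lowercase, max 253 chars)."""
    return 0 < len(name) <= 253 and _DNS_SUBDOMAIN.match(name) is not None


def build_secret(name: str, literals: dict, use_string_data: bool = False) -> dict:
    """Build an Opaque Secret manifest from plain-text literals, mirroring what
    `kubectl create secret generic NAME --from-literal=k=v` produces.

    use_string_data=False: values go into `data`, base64-encoded here.
    use_string_data=True:  values go into `stringData` as-is; the API server
                           performs the base64 encoding when it stores the object.
    """
    if not is_valid_dns_subdomain(name):
        raise ValueError(f"invalid Secret name {name!r}: must be a DNS subdomain")
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
    }
    if use_string_data:
        manifest["stringData"] = dict(literals)
    else:
        manifest["data"] = {
            key: base64.b64encode(value.encode()).decode("ascii")
            for key, value in literals.items()
        }
    return manifest


def decode_secret_data(manifest: dict) -> dict:
    """Decode a Secret's `data` map back to plain strings, as the kubelet does
    before projecting the keys into a volume or an environment variable.

    Raises ValueError for a value that is not valid base64 (the API server
    rejects such a manifest as well).
    """
    effective = {}
    for key, value in manifest.get("data", {}).items():
        try:
            effective[key] = base64.b64decode(value, validate=True).decode()
        except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
            raise ValueError(f"data[{key!r}] is not valid base64") from exc
    # When both fields are present, stringData wins for a key that appears in both.
    effective.update(manifest.get("stringData", {}))
    return effective


if __name__ == "__main__":
    # Constructed literals, same as the kubectl command on the page
    secret = build_secret("mysecret", {"username": "devuser", "password": "123456"})
    print(secret["data"])           # {'username': 'ZGV2dXNlcg==', 'password': 'MTIzNDU2'}
    print(decode_secret_data(secret))
```

Feed the returned dict to `yaml.safe_dump` (or `json.dumps`) to get a file you can commit and apply; committing it to version control, as the best-practices list recommends for configuration, means the plaintext is recoverable from repository history, so Secret manifests belong in an encrypted store or a sealed form rather than a plain repository.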
3.2 Using a Secret
Referencing through environment variables
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never
```
Values referenced as environment variables are not updated automatically.
Volume mount
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```
A Secret consumed through a volume mount is updated automatically when the Secret changes (except when it is referenced with subPath).
II. ConfigMap
Use a ConfigMap to keep your configuration data separate from your application code.
A ConfigMap is an API object used to store non-confidential data in key-value pairs. Pods can consume a ConfigMap as environment variables, command-line arguments, or configuration files in a volume.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
data:
  # property-like keys; each key maps to a simple value
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
  # file-like keys
  game.properties: |
    enemy.types=aliens,monsters
    player.maximum-lives=5
  user-interface.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
```
There are four ways to use a ConfigMap to configure the containers in a Pod:
Inside container commands and arguments
As container environment variables
As a file in a read-only volume, for the application to read
By code running in the Pod that reads the ConfigMap through the Kubernetes API
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: configmap-demo-pod
spec:
  containers:
  - name: demo
    image: alpine
    command: ["sleep", "3600"]
    env:
    # Define environment variables
    - name: PLAYER_INITIAL_LIVES # note that this differs from the key name in the ConfigMap
      valueFrom:
        configMapKeyRef:
          name: game-demo           # the ConfigMap this value comes from
          key: player_initial_lives # the key to take the value from
    - name: UI_PROPERTIES_FILE_NAME
      valueFrom:
        configMapKeyRef:
          name: game-demo
          key: ui_properties_file_name
    volumeMounts:
    - name: config
      mountPath: "/config"
      readOnly: true
  volumes:
  # You define volumes at the Pod level and then mount them into the Pod's containers
  - name: config
    configMap:
      # Provide the name of the ConfigMap you want to mount
      name: game-demo
      # A set of keys from the ConfigMap to be created as files
      items:
      - key: "game.properties"
        path: "game.properties"
      - key: "user-interface.properties"
        path: "user-interface.properties"
```
1. Using a mounted ConfigMap
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    configMap:
      name: myconfigmap
```
When a ConfigMap is modified, the mounted files are updated automatically.
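The refresh behaviour stated for Secrets (environment-variable references are never updated; volume mounts are, except with subPath) applies to ConfigMaps in exactly the same way, and it matters when a credential is rotated: a Pod that consumes the Secret through `env` keeps the old value until it is restarted. The following is an added example, not code from the original page or from any Kubernetes project; it walks a Pod manifest (as the dict `yaml.safe_load` would give you) and reports each Secret or ConfigMap reference together with whether that consumption path picks up changes without a restart. The `Finding` type, the function names and the two sample Pods (the page's secret-env-pod, plus a constructed Pod with one plain mount and one subPath mount) are this example's own.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    container: str
    kind: str          # "Secret" or "ConfigMap"
    name: str          # name of the referenced object
    via: str           # "env", "envFrom", "volume" or "volume+subPath"
    auto_updated: bool # True only for a plain (non-subPath) volume mount


def _volume_sources(pod: dict) -> dict:
    """Map each secret/configMap volume name to (kind, object name)."""
    sources = {}
    for vol in pod.get("spec", {}).get("volumes", []):
        if "secret" in vol:
            sources[vol["name"]] = ("Secret", vol["secret"]["secretName"])
        elif "configMap" in vol:
            sources[vol["name"]] = ("ConfigMap", vol["configMap"]["name"])
    return sources


def audit_config_refs(pod: dict) -> list:
    """List every Secret/ConfigMap the Pod's containers consume and whether the
    kubelet will refresh that consumption path when the object changes."""
    findings = []
    sources = _volume_sources(pod)
    for c in pod.get("spec", {}).get("containers", []):
        # env / envFrom: values are resolved once at container start
        for env in c.get("env", []):
            ref = env.get("valueFrom", {})
            if "secretKeyRef" in ref:
                findings.append(Finding(c["name"], "Secret", ref["secretKeyRef"]["name"], "env", False))
            elif "configMapKeyRef" in ref:
                findings.append(Finding(c["name"], "ConfigMap", ref["configMapKeyRef"]["name"], "env", False))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append(Finding(c["name"], "Secret", ef["secretRef"]["name"], "envFrom", False))
            elif "configMapRef" in ef:
                findings.append(Finding(c["name"], "ConfigMap", ef["configMapRef"]["name"], "envFrom", False))
        # volume mounts: refreshed by the kubelet, unless mounted with subPath
        for vm in c.get("volumeMounts", []):
            if vm["name"] in sources:
                kind, name = sources[vm["name"]]
                if "subPath" in vm:
                    findings.append(Finding(c["name"], kind, name, "volume+subPath", False))
                else:
                    findings.append(Finding(c["name"], kind, name, "volume", True))
    return findings


def stale_refs(pod: dict) -> list:
    """Only the references that will keep serving old values after a rotation."""
    return [f for f in audit_config_refs(pod) if not f.auto_updated]


# Sample 1: the page's secret-env-pod, expressed as the parsed manifest
SECRET_ENV_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secret-env-pod"},
    "spec": {"containers": [{"name": "mycontainer", "image": "redis", "env": [
        {"name": "SECRET_USERNAME", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
    ]}], "restartPolicy": "Never"},
}

# Sample 2 (constructed): one plain Secret mount, one ConfigMap mounted with subPath
MOUNT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mount-demo"},
    "spec": {
        "containers": [{"name": "app", "image": "redis", "volumeMounts": [
            {"name": "foo", "mountPath": "/etc/foo", "readOnly": True},
            {"name": "config", "mountPath": "/config/game.properties", "subPath": "game.properties"},
        ]}],
        "volumes": [
            {"name": "foo", "secret": {"secretName": "mysecret"}},
            {"name": "config", "configMap": {"name": "game-demo"}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (SECRET_ENV_POD, MOUNT_POD):
        for f in stale_refs(pod):
            print(f"{pod['metadata']['name']}: {f.kind} {f.name} via {f.via} "
                  f"in container {f.container} will not refresh without a restart")
```

`auto_updated=True` means the kubelet will eventually rewrite the projected files; it does so on its periodic sync, not instantly, so an application still has to re-read the file (or watch it) to notice the new value. A reference flagged by `stale_refs` needs a Pod restart (for example a rolling update of the owning Deployment) to pick up a rotated credential.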