Environment Description:
CPU name | Operating system version | ip | docker version | omelets version | Configuration | Remark |
---|---|---|---|---|---|---|
master | Centos 06/07/1810 | 172.27.9.131 | Docker 18.09.6 | V1.14.2 | 2C2G | master host |
node01 | Centos 06/07/1810 | 172.27.9.135 | Docker 18.09.6 | V1.14.2 | 2C2G | node node |
node02 | Centos 06/07/1810 | 172.27.9.136 | Docker 18.09.6 | V1.14.2 | 2C2G | node node |
k8s cluster deployment see: Centos7.6 deployment k8s (v1.14.2) cluster
k8s learning materials See: basic concepts, kubectl command and information sharing
I. Overview
1. configMap
In a real application deployment, often need to configure various parameters for various applications / middleware, databases such as address, user name and password, and application configuration most production environments more complex, perhaps more than Config file a combination of command-line arguments and environment variables. To accomplish this task There are a variety of programs, such as:
- 1. When packaged mirror can be written directly in the application configuration file inside, but the downside of this approach is obvious, because these often need to modify the configuration parameters in the application deployment, or do not know the specific parameter configuration when mirrored, once packaged in the mirror you can not change the configuration. Further, part of the configuration information relates to security information (such as user name, password, etc.), packaged mirror person easily lead to security risks;
- 2. ENV environment variable can be passed in the configuration file inside, but should the modification means to modify yaml ENV file and need to restart all the containers for the job;
- 3. You can take the configuration file in a database or a specific place when the application starts.
Obviously, the first two options are not the best solution, and the third program to implement too much trouble. To solve this problem, kubernetes introduced ConfigMap this API resources to meet this demand.
2. Why do we need ConfigMap and Secret
Secret ConfigMap and two special types of storage volumes on Kubernetes system, as ConfigMap for providing configuration data to customize the behavior of the program for the application of the container, but the configuration of the sensitive information, such as keys, certificates, and other objects typically by a Secret configuration. Their respective configuration information stored in the object, and then stored in the form of a volume to mount and to capture disposed on Pod resources to decouple the configuration and image files.
3. ConfigMap role
- Passing command line parameters to the vessel
- For each container set custom environment variables
- Through a special type of reel mounts profile to the vessel
Second, prepare for work
Fundamentals mirror loong576 / date-random, create a pod date-random-configmap, pod contained in the container centos-date and nginx-server, wherein the container centos-date created by the image loong576 / date-random, by accessing the container nginx-server authentication parameters take effect.
1. mirrored
Mirrored loong576 / date-random and upload dockerhub
[root@master loong576]# more Dockerfile
FROM centos:centos7.6.1810
ADD date-random.sh /usr/bin/date-random
ENTRYPOINT /usr/bin/date-random
[root@master loong576]# more date-random.sh
#!/bin/bash
mkdir /var/htdocs
while :
do
/usr/bin/echo "date is : " `date` >> /var/htdocs/index.html
/usr/bin/echo "RANDOM is : " `echo $RANDOM` >> /var/htdocs/index.html
sleep 5
done
[root@master loong576]# docker build -t loong576/date-random .
Sending build context to Docker daemon 4.096kB
Step 1/3 : FROM centos:centos7.6.1810
---> f1cb7c7d58b7
Step 2/3 : ADD date-random.sh /usr/bin/date-random
---> 58296331ae70
Step 3/3 : ENTRYPOINT /usr/bin/date-random
---> Running in e9a3184518e7
Removing intermediate container e9a3184518e7
---> 07db2452d706
Successfully built 07db2452d706
Successfully tagged loong576/date-random:latest
[root@master loong576]# docker images |grep loong576/date-random
loong576/date-random latest 07db2452d706 24 seconds ago 202MB
Mirror base as centos: centos7.6.1810, date-random.sh script written thereto and executed, runs the script and date echo $ RANDOM command, the output of the former is the current time, which outputs a random number between 0 to 32767, the script cycle time of 5 seconds.
2. Upload dockerhub
[root@master loong576]# docker push loong576/date-random
The push refers to repository [docker.io/loong576/date-random]
ec4ecb05d6b3: Pushed
89169d87dbe2: Layer already exists
latest: digest: sha256:a680438f09b92f40b38f3da5f9ea34e4b3561c540f1093d9cbcc2385c0184551 size: 736
Before uploading to dockerhub need to perform login operation docker login
3. Verify that the mirror
[root@master loong576]# more date-random-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
name: date-random-configmap
spec:
containers:
- image: loong576/date-random
name: centos-date
volumeMounts:
- name: html
mountPath: /var/htdocs
- image: nginx
name: nginx-server
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html
readOnly: true
volumes:
- name: html
emptyDir: {}
[root@master loong576]# kubectl apply -f date-random-configmap.yaml
pod/date-random-configmap created
[root@master loong576]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
date-random-configmap 2/2 Running 0 14s 10.244.1.203 node01 <none> <none>
[root@master loong576]# curl 10.244.1.203
date is : Mon Sep 16 02:51:21 UTC 2019
RANDOM is : 17563
date is : Mon Sep 16 02:51:26 UTC 2019
RANDOM is : 434
date is : Mon Sep 16 02:51:31 UTC 2019
RANDOM is : 18246
date is : Mon Sep 16 02:51:36 UTC 2019
RANDOM is : 2225
Run date-random-configmap.yaml and access to the container nginx-server (nginx default port 80), the output of every 5 seconds found that date and the random number, in line with expectations.
Third, the configuration data container transfer
ENTRYPOINT and CMD 1. container
Dockerfile both instructions are defined in the command parameters of these two parts:
- ENTRYPOINT define the command to run when the container starts.
- CMD specifies the parameters passed to ENTRYPOINT.
CMD can also execute commands, usually the default startup command.
k8s with ENTRYPOINT and CMD corresponding follows:
Docker | Kubernetes | Explanation |
---|---|---|
ENTRYPOINT | command | 在容器中执行可执行程序 |
CMD | args | 传递给可执行程序的参数 |
pod中指定自定义命令和参数
[root@master loong576]# more nginx.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
command: ["/bin/echo"]
args: ["hello","world"]
[root@master loong576]# kubectl apply -f nginx.yaml
pod/nginx created
[root@master loong576]# kubectl logs nginx
hello world
可以查看日志可以看到pod nginx的输出为'hello world',与pod里面command和args中的定义一致。
2. 向容器传递命令行参数
2.1 容器的ENTRYPOINT和CMD
容器中运行的完整指令由两部分组成:命令与参数
- ENTRYPOINT定义容器启动时运行的命令。
- CMD指定传递给ENTRYPOINT的参数。
CMD也可以执行命令,一般为默认的启动命令
2.2 循环间隔参数化
[root@master loong576]# more date-random.sh
#!/bin/bash
mkdir /var/htdocs
INTERVAL=$1
while :
do
/usr/bin/echo "date is : " `date` >> /var/htdocs/index.html
/usr/bin/echo "RANDOM is : " `echo $RANDOM` >> /var/htdocs/index.html
sleep $INTERVAL
done
[root@master loong576]# more Dockerfile
FROM centos:centos7.6.1810
ADD date-random.sh /usr/bin/date-random
ENTRYPOINT ["/usr/bin/date-random"]
CMD ["10"]
[root@master loong576]# docker build -t loong576/date-random:args .
Sending build context to Docker daemon 5.12kB
Step 1/4 : FROM centos:centos7.6.1810
---> f1cb7c7d58b7
Step 2/4 : ADD date-random.sh /usr/bin/date-random
---> 307e2f66dfa4
Step 3/4 : ENTRYPOINT ["/usr/bin/date-random"]
---> Running in ab41b93f6b28
Removing intermediate container ab41b93f6b28
---> 5f536f70da1f
Step 4/4 : CMD ["10"]
---> Running in 90f5d58c68fb
Removing intermediate container 90f5d58c68fb
---> 8bf9ce828481
Successfully built 8bf9ce828481
Successfully tagged loong576/date-random:args
[root@master loong576]# docker push loong576/date-random:args
The push refers to repository [docker.io/loong576/date-random]
200d475bbffa: Pushed
89169d87dbe2: Layer already exists
args: digest: sha256:08e4c791dc9d6b71ce45b13768ab09194cc11ecd4856b52f2719372d912ee9c1 size: 736
将之前的循环间隔5秒修改为参数INTERVAL,在Dockerfile中传递该参数值为10秒,上传dockerhub。Dockerfile中ENTRYPOINT和CMD后面的[]表明执行格式为Exec,区别于之前的Shell格式。
2.3 Docker运行带参数镜像
[root@master loong576]# docker run -itd --name centos-args loong576/date-random:args
159e3204dad64516adc4681e9d7b1fe9f4d11a178e3cca7e9a9f13fd10252a43
[root@master loong576]# docker run -d --name centos-args loong576/date-random:args
ee938a39167afb52fe72f9367ad23d9e8b2985037320ad1ccc6ec7e3f9bc9255
[root@master loong576]# docker exec -it centos-args sh
sh-4.2# [root@master loong576]#
[root@master loong576]#
[root@master loong576]#
[root@master loong576]# docker run -it --name centos-args loong576/date-random:args
[root@master loong576]# docker run -itd --name centos-args loong576/date-random:args
2a25e91a0f5b54c1c568ce089d879d50cd9a12513be5d365dc5743d74f2ac737
[root@master loong576]# docker ps |grep centos
2a25e91a0f5b loong576/date-random:args "/usr/bin/date-rando…" 18 seconds ago Up 16 seconds centos-args
[root@master loong576]# docker exec -it centos-args sh
sh-4.2# cd /var/htdocs/
sh-4.2# ls -alrt
total 4
drwxr-xr-x 1 root root 20 Sep 16 07:24 ..
drwxr-xr-x 2 root root 24 Sep 16 07:24 .
-rw-r--r-- 1 root root 234 Sep 16 07:25 index.html
sh-4.2# tail -f index.html
date is : Mon Sep 16 07:24:31 UTC 2019
RANDOM is : 26700
date is : Mon Sep 16 07:24:41 UTC 2019
RANDOM is : 13556
date is : Mon Sep 16 07:24:51 UTC 2019
RANDOM is : 7320
date is : Mon Sep 16 07:25:01 UTC 2019
RANDOM is : 6041
date is : Mon Sep 16 07:25:11 UTC 2019
RANDOM is : 23591
^C
sh-4.2#
index.html输出的巡检间隔为10秒,证明Dockerfile设置生效。
2.4 Docker直接指定参数运行镜像
指定循环间隔为3秒
[root@master loong576]# docker run -itd --name centos-args2 loong576/date-random:args 3
498e48dabb0b2eb15366286d7cfd317774cf993a98c19310e3b3fe2aad9d8d6a
[root@master loong576]# docker ps |grep centos
498e48dabb0b loong576/date-random:args "/usr/bin/date-rando…" 7 seconds ago Up 5 seconds centos-args2
2a25e91a0f5b loong576/date-random:args "/usr/bin/date-rando…" 6 minutes ago Up 6 minutes centos-args
[root@master loong576]# docker exec -it centos-args2 sh
sh-4.2# tail -f /var/htdocs/index.html
date is : Mon Sep 16 07:31:24 UTC 2019
RANDOM is : 17156
date is : Mon Sep 16 07:31:27 UTC 2019
RANDOM is : 30995
date is : Mon Sep 16 07:31:30 UTC 2019
RANDOM is : 24714
date is : Mon Sep 16 07:31:33 UTC 2019
RANDOM is : 11670
date is : Mon Sep 16 07:31:36 UTC 2019
RANDOM is : 32253
date is : Mon Sep 16 07:31:39 UTC 2019
RANDOM is : 18917
^C
sh-4.2#
可以看到index.html的输出间隔时间为3秒
2.5 pod中定义传递的参数值
定义pod date-random-configmap-args,设置传递容器的参数值为4.
[root@master loong576]# more date-random-configmap-args.yaml
apiVersion: v1
kind: Pod
metadata:
name: date-random-configmap-args
spec:
containers:
- image: loong576/date-random:args
args: ["4"]
name: centos-date
volumeMounts:
- name: html
mountPath: /var/htdocs
- image: nginx
name: nginx-server
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html
readOnly: true
volumes:
- name: html
emptyDir: {}
[root@master loong576]# kubectl apply -f date-random-configmap-args.yaml
pod/date-random-configmap-args created
[root@master loong576]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
date-random-configmap 2/2 Running 0 5h2m 10.244.1.203 node01 <none> <none>
date-random-configmap-args 2/2 Running 0 100s 10.244.2.209 node02 <none> <none>
nginx 0/1 CrashLoopBackOff 20 81m 10.244.1.205 node01 <none> <none>
[root@master loong576]# curl 10.244.2.209
date is : Mon Sep 16 07:52:37 UTC 2019
RANDOM is : 5067
date is : Mon Sep 16 07:52:41 UTC 2019
RANDOM is : 1512
date is : Mon Sep 16 07:52:45 UTC 2019
RANDOM is : 30707
date is : Mon Sep 16 07:52:49 UTC 2019
RANDOM is : 9853
date is : Mon Sep 16 07:52:53 UTC 2019
RANDOM is : 4578
date is : Mon Sep 16 07:52:57 UTC 2019
RANDOM is : 22461
date is : Mon Sep 16 07:53:01 UTC 2019
RANDOM is : 23571
date is : Mon Sep 16 07:53:05 UTC 2019
RANDOM is : 27206
date is : Mon Sep 16 07:53:09 UTC 2019
RANDOM is : 5840
date is : Mon Sep 16 07:53:13 UTC 2019
RANDOM is : 16860
date is : Mon Sep 16 07:53:17 UTC 2019
RANDOM is : 3697
date is : Mon Sep 16 07:53:21 UTC 2019
RANDOM is : 24393
date is : Mon Sep 16 07:53:25 UTC 2019
RANDOM is : 6753
index.html的输出时间间隔为4秒,与pod的args设置的值一致。
3. 为容器设置环境变量
3.1 生成镜像loong576/date-random:env
[root@master loong576]# more date-random.sh
#!/bin/bash
mkdir /var/htdocs
#INTERVAL=$1
while :
do
/usr/bin/echo "date is : " `date` >> /var/htdocs/index.html
/usr/bin/echo "RANDOM is : " `echo $RANDOM` >> /var/htdocs/index.html
sleep $INTERVAL
done
[root@master loong576]# more Dockerfile
FROM centos:centos7.6.1810
ADD date-random.sh /usr/bin/date-random
ENTRYPOINT ["/usr/bin/date-random"]
#CMD ["10"]
[root@master loong576]# docker build -t loong576/date-random:env .
Sending build context to Docker daemon 6.144kB
Step 1/3 : FROM centos:centos7.6.1810
---> f1cb7c7d58b7
Step 2/3 : ADD date-random.sh /usr/bin/date-random
---> 1ddb8d15b11d
Step 3/3 : ENTRYPOINT ["/usr/bin/date-random"]
---> Running in e34374da108a
Removing intermediate container e34374da108a
---> b5daa0cf4479
Successfully built b5daa0cf4479
Successfully tagged loong576/date-random:env
[root@master loong576]# docker push loong576/date-random:env
The push refers to repository [docker.io/loong576/date-random]
5a389d8a01f4: Pushed
89169d87dbe2: Layer already exists
env: digest: sha256:f51c0831235a559e589ede54226d9f387966bea45435026acafad5416eba5e69 size: 736
生成镜像loong576/date-random:env,该镜像相比loong576/date-random:args主要是注释脚本中的参数传递'INTERVAL=$1'和Dockerfile中指定的参数值'CMD ["10"]'
3.2 pod中指定环境变量
新建pod date-random-configmap-env并指定环境变量INTERVAL,赋值为6
[root@master loong576]# more date-random-configmap-env.yaml
apiVersion: v1
kind: Pod
metadata:
name: date-random-configmap-env
spec:
containers:
- image: loong576/date-random:env
env:
- name: INTERVAL
value: "6"
name: centos-date
volumeMounts:
- name: html
mountPath: /var/htdocs
- image: nginx
name: nginx-server
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html
readOnly: true
volumes:
- name: html
emptyDir: {}
[root@master loong576]# kubectl apply -f date-random-configmap-env.yaml
pod/date-random-configmap-env created
[root@master loong576]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
date-random-configmap 2/2 Running 0 5h29m 10.244.1.203 node01 <none> <none>
date-random-configmap-args 2/2 Running 0 29m 10.244.2.209 node02 <none> <none>
date-random-configmap-env 2/2 Running 0 4m20s 10.244.1.208 node01 <none> <none>
nginx 0/1 CrashLoopBackOff 8 18m 10.244.1.206 node01 <none> <none>
[root@master loong576]# curl 10.244.1.208
date is : Mon Sep 16 08:16:50 UTC 2019
RANDOM is : 30120
date is : Mon Sep 16 08:16:56 UTC 2019
RANDOM is : 8149
date is : Mon Sep 16 08:17:02 UTC 2019
RANDOM is : 2752
date is : Mon Sep 16 08:17:08 UTC 2019
RANDOM is : 20276
date is : Mon Sep 16 08:17:14 UTC 2019
RANDOM is : 19299
date is : Mon Sep 16 08:17:21 UTC 2019
RANDOM is : 20116
date is : Mon Sep 16 08:17:27 UTC 2019
RANDOM is : 22331
date is : Mon Sep 16 08:17:33 UTC 2019
RANDOM is : 3626
date is : Mon Sep 16 08:17:39 UTC 2019
RANDOM is : 28190
date is : Mon Sep 16 08:17:45 UTC 2019
RANDOM is : 3241
date is : Mon Sep 16 08:17:51 UTC 2019
RANDOM is : 27762
date is : Mon Sep 16 08:17:57 UTC 2019
RANDOM is : 26519
date is : Mon Sep 16 08:18:03 UTC 2019
RANDOM is : 28403
date is : Mon Sep 16 08:18:09 UTC 2019
RANDOM is : 27219
index.html的输出时间间隔为6秒,与pod的env设置的值一致。
四、ConfigMap
通过'三、容器中的配置数据传递',可以将要传递给容器的参数直接定义在镜像中或者pod中通过定义参数值和环境变量方式传递参数给容器,这些方式有如下弊端:
- 1.pod配置不能复用,生产和开发环境需定义两套;
- 2.参数变更时需重启容器;
- 3.镜像中的参数变更需新建镜像;
- 4.不适合分布式环境;
这时就需要ConfigMap,通过Volume的形式被mount到Pod或者环境变量的方式传递参数给容器。
1. 创建configmap
1.1 --from-file指定文件方式
[root@master loong576]# more file1.txt
file1:abc
file1:123
[root@master loong576]# more file2.txt
file2:abcd
file2:1234
[root@master loong576]# kubectl create cm my-config-file --from-file=file1.txt --from-file=test2=file2.txt
configmap/my-config-file created
[root@master loong576]# kubectl get cm
NAME DATA AGE
my-config-file 2 5s
[root@master loong576]# kubectl describe cm my-config-file
Name: my-config-file
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
file1.txt:
----
file1:abc
file1:123
test2:
----
file2:abcd
file2:1234
Events: <none>
创建configmap my-config-file,指定文件为file1.txt和file2.txt,key值分别为默认的file1.txt和指定的test2。
1.2 --from-file指定目录方式
[root@master configmap]# kubectl create configmap my-config-dir --from-file=/root/loong576/configmap/
configmap/my-config-dir created
[root@master configmap]# kubectl get cm
NAME DATA AGE
my-config-dir 2 6s
my-config-file 2 16h
创建configmap my-config-dir,指定目录为/root/loong576/configmap/,该目录下有文件my-nginx-config.conf和sleep-interval,一个为nginx配置,一个为脚本循环时间设置,后面的configmap会用到。
1.3 --from-literal字面量方式
[root@master loong576]# kubectl create cm my-config-literal --from-literal=username=admin --from-literal=password=123456
configmap/my-config-literal created
[root@master loong576]# kubectl get cm
NAME DATA AGE
my-config-dir 2 18m
my-config-file 2 16h
my-config-literal 2 4s
创建configmap my-config-literal,key分别为admin和password
1.4 --from-env-file键值对方式
[root@master loong576]# more bar.env
a=1
b=2
c=3
d=4
e
f=
gggg
h='8'
#i = '9'
j="10"
[root@master loong576]# kubectl create configmap my-config-env --from-env-file=./bar.env
configmap/my-config-env created
[root@master loong576]# kubectl get cm
NAME DATA AGE
my-config-dir 2 23m
my-config-env 9 3s
my-config-file 2 16h
my-config-literal 2 5m35s
键值对方式对格式有一定要求:有效的环境变量名必须由字母字符、数字、''-'或'.'组成,并且不能以数字开头(例如,'.my.env name',或'.my'.env.name',或'.myenvname1',用于验证的regex是'[-.'-z a-z][-.'-u a-za-z0-9]*')
1.5 yaml文件方式
[root@master loong576]# more configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: my-config-yaml
data:
sleep-interval: "15"
[root@master loong576]# kubectl apply -f configmap.yaml
configmap/my-config-yaml created
[root@master loong576]# kubectl get cm
NAME DATA AGE
my-config-dir 2 34m
my-config-env 9 11m
my-config-file 2 16h
my-config-literal 2 16m
my-config-yaml 1 3s
[root@master loong576]# kubectl describe cm my-config-yaml
Name: my-config-yaml
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"sleep-interval":"15"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"my-config-yaml","namespace":"def...
Data
====
sleep-interval:
----
15
Events: <none>
创建configmap my-config-yaml,指定key值sleep-interval为15
2. 使用configmap
2.1 新建pod date-random-configmap-volume
创建pod date-random-configmap-volume,给容器centos-date传递ConfigMap条目sleep-interval作为环境变量;将ConfigMap作为卷挂载至容器nginx-server作为nginx配置文件
[root@master loong576]# more date-random-configmap-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: date-random-configmap-volume
spec:
containers:
- image: loong576/date-random:env #容器centos-date使用的镜像,tag为env
env:
- name: INTERVAL #环境变量名为INTERVAL,与脚本date-random.sh中定义的保持一致
valueFrom:
configMapKeyRef: #使用ConfigMap初始化
name: my-config-dir #ConfigMap名称
key: sleep-interval #环境变量的值被设置为ConfigMap下sleep-interval对应的值
name: centos-date
volumeMounts:
- name: html
mountPath: /var/htdocs #挂载emptyDir卷的位置
- image: nginx
name: nginx-server
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html #挂载emptyDir卷的位置
readOnly: true
- name: config
mountPath: /etc/nginx/conf.d #挂载ConfigMap卷的位置
readOnly: true
volumes:
- name: html
emptyDir: {}
- name: config
configMap:
name: my-config-dir #定义卷类型为ConfigMap,名字为my-config-dir
items: #选择包含在卷中的条目
- key: my-nginx-config.conf #被挂载的条目为my-nginx-config.conf
path: nginx-port.conf #挂载至容器的文件名
[root@master loong576]# kubectl apply -f date-random-configmap-volume.yaml
pod/date-random-configmap-volume created
[root@master loong576]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
date-random-configmap 2/2 Running 2 29h 10.244.1.211 node01 <none> <none>
date-random-configmap-args 2/2 Running 2 24h 10.244.2.210 node02 <none> <none>
date-random-configmap-env 2/2 Running 2 24h 10.244.1.209 node01 <none> <none>
date-random-configmap-volume 2/2 Running 0 20s 10.244.1.216 node01 <none> <none>
nginx 0/1 CrashLoopBackOff 113 24h 10.244.1.212 node01 <none> <none>
通过挂载ConfigMap更新nginx配置原理:Nginx需读取配置文件/etc/nginx/nginx.conf, 默认配置文件会自动嵌入子文件夹/etc/nginx/conf.d/下的所有conf文件, 因此只需要将你的配置文件置于该子文件夹中即可
2.2 访问测试
[root@master loong576]# curl 10.244.1.216:81
date is : Tue Sep 17 08:27:34 UTC 2019
RANDOM is : 9389
date is : Tue Sep 17 08:27:42 UTC 2019
RANDOM is : 22109
date is : Tue Sep 17 08:27:50 UTC 2019
RANDOM is : 13043
访问pod,nginx端口为81,date输出的间隔为8秒
[root@master loong576]# kubectl exec -it date-random-configmap-volume -c nginx-server sh
# cd /etc/nginx/conf.d
# ls
nginx-port.conf
# more nginx-port.conf
server {
listen 81;
server_name localhost;
gzip on;
gzip_types text/plain application/xml;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
进入容器nginx-server,/etc/nginx/conf.d下发现作为卷挂载的ConfigMap条目nginx-port.conf
3. 更新应用配置
3.1 更新ConfigMap
[root@master loong576]# kubectl edit cm my-config-dir
更新my-config-dir,将条目my-nginx-config.conf的nginx监听端口由81更改为82
3.2 nginx加载配置
# nginx -s reload
由于nginx不会自动加载配置,故需重新加载
3.3 再次访问nginx
[root@master loong576]# curl 10.244.1.216:82
date is : Tue Sep 17 08:27:34 UTC 2019
RANDOM is : 9389
date is : Tue Sep 17 08:27:42 UTC 2019
RANDOM is : 22109
date is : Tue Sep 17 08:27:50 UTC 2019
RANDOM is : 13043
再次访问nginx,端口变为82.
使用ConfigMap更新配置文件可避免pod重启或容器重建。
五、Secret
为了存储与分发此类信息,Kubemetes提供了一种称为Secret的单独资源对象。Secret结构与ConfigMap类似,均是键/值对的映射。
Secret作用:
- 将 Secret 条目作为环境变量传递给容器
- 将 Secret 条目暴露为卷中的文件
1. 创建Secret
和ConfigMap类似,Secret也有5中创建方式
使用文件、目录和字面量方式:
[root@master loong576]# kubectl create secret generic mysecret --from-file=./username.txt --from-file=mypassword=./password.txt --from-literal=loong=576 --from-file=./secret-dir/
secret/mysecret created
[root@master loong576]# kubectl get secrets mysecret
NAME TYPE DATA AGE
mysecret Opaque 5 15s
secret有三种类型:
- docker-registry 创建一个给Docker registry使用的secret
- generic 从本地file, directory或者literal value创建一个secret
- tls 创建一个TLS secret
这里使用的是generic方式,后面还会用到docker-registry方式。
键值对方式:
[root@master loong576]# kubectl create secret generic mysecret-env --from-env-file=secret-env.txt
secret/mysecret-env created
[root@master loong576]# kubectl get secrets
NAME TYPE DATA AGE
default-token-gwhj2 kubernetes.io/service-account-token 3 2m29s
mysecret Opaque 5 103s
mysecret-env Opaque 3 7s
yaml方式:
[root@master loong576]# echo loong|base64
bG9vbmcK
[root@master loong576]# echo 576|base64
NTc2Cg==
[root@master loong576]# more secret-yaml.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret-yaml
data:
username: bG9vbmcK
password: NTc2Cg==
[root@master loong576]# kubectl apply -f secret-yaml.yaml
secret/mysecret-yaml created
[root@master loong576]# kubectl get secrets
NAME TYPE DATA AGE
default-token-gwhj2 kubernetes.io/service-account-token 3 31m
mysecret Opaque 5 30m
mysecret-env Opaque 3 29m
mysecret-yaml Opaque 2 5s
注意,yaml方式中条目对应的key值对应的value需base64编码,直接写明文会报错。
2. 查看Secret
[root@master loong576]# kubectl get secrets
NAME TYPE DATA AGE
default-token-gwhj2 kubernetes.io/service-account-token 3 36m
mysecret Opaque 5 35m
mysecret-env Opaque 3 33m
mysecret-yaml Opaque 2 4m53s
[root@master loong576]# kubectl describe secrets mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
dir1.txt: 8 bytes
dir2.txt: 8 bytes
loong: 3 bytes
mypassword: 7 bytes
username.txt: 6 bytes
[root@master loong576]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
dir1.txt: dGVzdDAwMQo=
dir2.txt: dGVzdDAwMgo=
loong: NTc2
mypassword: YWJjMTIzCg==
username.txt: YWRtaW4K
kind: Secret
metadata:
creationTimestamp: "2019-09-18T01:55:47Z"
name: mysecret
namespace: default
resourceVersion: "2643256"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: 6ebdc96c-d9b7-11e9-863b-000c29d99ba3
type: Opaque
[root@master loong576]# echo dGVzdDAwMQo=|base64 --decode
test001
通过'kubectl get secrets'查看所有secret,通过'kubectl describe secrets mysecret'查看条目key值,通过'kubectl get secrets mysecret -o yaml'可查看条目的value值,不过需要base64解码。
3. 使用Secret
本文以使用Secret拉取私有镜像为例介绍Secret的用法。
3.1 创建secret docker-registry
[root@master loong576]# kubectl create secret docker-registry loong576-secret --docker-username=loong576 --docker-password=xxxxxxxxxx [email protected]
secret/loong576-secret created
[root@master loong576]# kubectl get secrets loong576-secret
NAME TYPE DATA AGE
loong576-secret kubernetes.io/dockerconfigjson 1 16s
[root@master loong576]#
创建secret docker-registry:loong576-secret,dockerhub的用户名密码和邮箱根据个人的实际情况填写。
3.2 创建私有镜像loong576/test
在dockerhub上创建私有镜像loong576/test
3.3 创建pod private-pod-secret
[root@master loong576]# more private-image-secret-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: private-pod-secret
spec:
imagePullSecrets:
- name: loong576-secret #引用创建的docker-registry secret:loong576-secret
containers:
- image: loong576/test #拉取私有镜像
name: busybox576
args: ["/bin/sh","-c","sleep 600000"]
volumeMounts:
- name: vol-secret
mountPath: /etc/loong576 #将卷挂载至容器的路径
readOnly: true
volumes:
- name: vol-secret #将secret作为卷挂载,卷名为vol-secret
secret:
secretName: mysecret-yaml #引用之前创建的secret mysecret-yaml
[root@master loong576]# kubectl apply -f private-image-secret-volume.yaml
pod/private-pod-secret created
[root@master loong576]# kubectl get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
date-random-configmap 2/2 Running 4 2d 10.244.1.217 node01 <none> <none>
date-random-configmap-args 2/2 Running 4 43h 10.244.2.213 node02 <none> <none>
date-random-configmap-env 2/2 Running 4 42h 10.244.1.220 node01 <none> <none>
date-random-configmap-volume 2/2 Running 2 18h 10.244.1.221 node01 <none> <none>
nginx 0/1 CrashLoopBackOff 156 43h 10.244.1.218 node01 <none> <none>
private-pod-secret 1/1 Running 0 45s 10.244.2.218 node02 <none> <none>
创建pod private-pod-secret,使用secret loong576-secret拉取私有镜像,将secret mysecret-yaml作为卷挂载至容器。
3.4 pod中查看secret
[root@master loong576]# kubectl exec -it private-pod-secret sh
/ # df -h
Filesystem Size Used Available Use% Mounted on
overlay 5.0G 3.5G 1.5G 70% /
tmpfs 64.0M 0 64.0M 0% /dev
tmpfs 909.8M 0 909.8M 0% /sys/fs/cgroup
tmpfs 909.8M 8.0K 909.8M 0% /etc/loong576
/dev/mapper/root--vg-var
5.0G 3.5G 1.5G 70% /dev/termination-log
/dev/mapper/root--vg-var
5.0G 3.5G 1.5G 70% /etc/resolv.conf
/dev/mapper/root--vg-var
5.0G 3.5G 1.5G 70% /etc/hostname
/dev/mapper/root--vg-var
5.0G 3.5G 1.5G 70% /etc/hosts
shm 64.0M 0 64.0M 0% /dev/shm
tmpfs 909.8M 12.0K 909.8M 0% /var/run/secrets/kubernetes.io/serviceaccount
tmpfs 909.8M 0 909.8M 0% /proc/acpi
tmpfs 64.0M 0 64.0M 0% /proc/kcore
tmpfs 64.0M 0 64.0M 0% /proc/keys
tmpfs 64.0M 0 64.0M 0% /proc/timer_list
tmpfs 64.0M 0 64.0M 0% /proc/timer_stats
tmpfs 64.0M 0 64.0M 0% /proc/sched_debug
tmpfs 909.8M 0 909.8M 0% /proc/scsi
tmpfs 909.8M 0 909.8M 0% /sys/firmware
/ # cd /etc/loong576/
/etc/loong576 # ls -l
total 0
lrwxrwxrwx 1 root root 15 Sep 18 03:15 password -> ..data/password
lrwxrwxrwx 1 root root 15 Sep 18 03:15 username -> ..data/username
/etc/loong576 # more username
loong
/etc/loong576 # more password
576
进入容器查看secret,发现/etc/loong576下作为卷挂载的secret;/etc/loong576文件系统类型为tmpfs,说明secret卷采用内存文件系统挂载,secret数据不会写入磁盘,保证数据安全。
4. 更新Secret
[root@master loong576]# echo loong-update|base64
bG9vbmctdXBkYXRlCg==
[root@master loong576]# echo 576-update|base64
NTc2LXVwZGF0ZQo=
[root@master loong576]# kubectl edit secret mysecret-yaml
secret/mysecret-yaml edited
Update mysecret-yaml, found mounted container contents are updated simultaneously.
In this paper all scripts and configuration files have been uploaded: K8S practice (eight): ConfigMap and Secret