Level 7 of the K8s Architect Course: Configuration Management with ConfigMap and Secret


https://github.com/bogeit/LearnK8s/blob/main/%E7%AC%AC7%E5%85%B3%20k8s%E6%9E%B6%E6%9E%84%E5%B8%88%E8%AF%BE%E7%A8%8B%E4%B9%8B%E9%85%8D%E7%BD%AE%E7%AE%A1%E7%90%86.md

For details, refer to the video.

 

 

Several of the configuration files below are critical, so they are explained in detail.

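Level 7 of the K8s Architect Course: Configuration Management

Hello everyone, I'm Boge (博哥愛運維). How does K8s manage service configuration? In this lesson Boge takes you through this level.

ConfigMap, Secret

For a container, if we want to change the configuration inside an image, we can copy the modified configuration into the image in the Dockerfile step and rebuild it. For images whose configuration never changes, this kind of hard-coding is acceptable, but as soon as the service needs a configuration change the image has to be rebuilt, which is very tedious. Configuration is an important part of running a service, so K8s naturally has its own solution: ConfigMap (normally used for ordinary configuration) and Secret (used for confidential configuration). Some earlier chapters touched on this topic without explaining it carefully, so here we work through both in practice.

I have prepared a Deployment YAML that uses busybox as the service image. This one complete YAML is enough to understand ConfigMap and Secret quickly and to use them proficiently on K8s. If it does not all sink in at once, you can save this YAML as a reference for production configuration; it becomes familiar with use. The YAML is as follows: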

---
# configmap
# kubectl create configmap localconfig-env --from-literal=log_level_test=TEST --from-literal=log_level_produce=PRODUCE
apiVersion: v1
kind: ConfigMap
metadata:
  name: localconfig-env
data:
  log_level_test: TEST
  log_level_produce: PRODUCE

---
# configmap
# kubectl create configmap localconfig-file --from-file=localconfig-test=localconfig-test.conf --from-file=localconfig-produce=localconfig-produce.conf
apiVersion: v1
kind: ConfigMap
metadata:
  name: localconfig-file
data:
  localconfig-produce: |
    TEST_RELEASE = False
    PORT = 80
    PROCESSES = 0
    MESSAGE = Produce
  localconfig-test: |
    TEST_RELEASE = True
    PORT = 8080
    PROCESSES = 1
    MESSAGE = Test

---
# secret
# kubectl create secret generic mysecret --from-literal=mysql-root-password='!QAZ2wsx' --from-literal=redis-root-password='!2Boge' --from-file=my_id_rsa=/root/.ssh/id_rsa --from-file=my_id_rsa_pub=/root/.ssh/id_rsa.pub
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  my_id_rsa: <base64 of /root/.ssh/id_rsa, omitted>
  my_id_rsa_pub: <base64 of /root/.ssh/id_rsa.pub, omitted>
  mysql-root-password: IVFBWjJ3c3g=
  redis-root-password: ITJCb2dl

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: test-busybox
  name: test-busybox
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: test-busybox
  template:
    metadata:
      labels:
        run: test-busybox
    spec:
      containers:
      - name: test-busybox
        image: busybox
        args:
          - /bin/sh
          - -c
          - >
              echo "-------------------------------------------------";
              echo "TEST_ENV is:$(TEST_ENV)";
              echo "-------------------------------------------------";
              echo "PRODUCE_ENV is:$(PRODUCE_ENV)";
              echo "-------------------------------------------------";
              echo "secret MYSQL_ROOT_PASSWORD is:$(MYSQL_ROOT_PASSWORD)";
              echo "-------------------------------------------------";
              echo "secret REDIS_ROOT_PASSWORD is:$(REDIS_ROOT_PASSWORD)";
              echo "-------------------------------------------------";
              echo "/etc/local_config_test.py body is:";
              cat /etc/local_config_test.py;
              echo "-------------------------------------------------";
              echo "/etc/local_config_produce.py body is:";
              cat /etc/local_config_produce.py;
              echo "-------------------------------------------------";
              echo "/etc/id_rsa body is:";
              cat /etc/id_rsa;
              echo "-------------------------------------------------";
              echo "/etc/id_rsa.pub body is:";
              cat /etc/id_rsa.pub;
              echo "-------------------------------------------------";
              ls -ltr /etc;
              sleep 30000;
        env:
          - name: TEST_ENV
            valueFrom:
              configMapKeyRef:
                name: localconfig-env
                key: log_level_test
          - name: PRODUCE_ENV
            valueFrom:
              configMapKeyRef:
                name: localconfig-env
                key: log_level_produce
          - name: MYSQL_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: mysql-root-password
          - name: REDIS_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: redis-root-password
        volumeMounts:
        - name: testconfig
          mountPath: "/etc/local_config_test.py"
          subPath: localconfig-test
        - name: testconfig
          mountPath: "/etc/local_config_produce.py"
          subPath: localconfig-produce
          readOnly: true
        - name: testsecret
          mountPath: "/etc/id_rsa"
          subPath: my_id_rsa
          readOnly: true
        - name: testsecret
          mountPath: "/etc/id_rsa.pub"
          subPath: my_id_rsa_pub
          readOnly: true

      volumes:
      - name: testconfig
        configMap:
          name: localconfig-file
          defaultMode: 0660
      - name: testsecret
        secret:
          secretName: mysecret
          defaultMode: 0600
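
The Secret above stores its values base64-encoded, and the busybox command echoes the secret-backed variables and the key file to stdout. The following added example (not part of the original course material) decodes the two password values from the page and lists which secret-backed env vars and files the container command references; the dict layout and the function names are assumptions made for illustration.

```python
import base64
import re

# Constructed sample: the page's Secret and the security-relevant part of its
# Deployment container, written as Python dicts so the example runs offline.
SECRET = {"data": {"mysql-root-password": "IVFBWjJ3c3g=",
                   "redis-root-password": "ITJCb2dl"}}
VOLUMES = [{"name": "testconfig", "configMap": {"name": "localconfig-file"}},
           {"name": "testsecret", "secret": {"secretName": "mysecret"}}]
CONTAINER = {
    "args": ["/bin/sh", "-c",
             'echo "TEST_ENV is:$(TEST_ENV)"; '
             'echo "secret MYSQL_ROOT_PASSWORD is:$(MYSQL_ROOT_PASSWORD)"; '
             'echo "secret REDIS_ROOT_PASSWORD is:$(REDIS_ROOT_PASSWORD)"; '
             "cat /etc/local_config_test.py; cat /etc/id_rsa; sleep 30000"],
    "env": [
        {"name": "TEST_ENV", "valueFrom": {"configMapKeyRef": {
            "name": "localconfig-env", "key": "log_level_test"}}},
        {"name": "MYSQL_ROOT_PASSWORD", "valueFrom": {"secretKeyRef": {
            "name": "mysecret", "key": "mysql-root-password"}}},
        {"name": "REDIS_ROOT_PASSWORD", "valueFrom": {"secretKeyRef": {
            "name": "mysecret", "key": "redis-root-password"}}}],
    "volumeMounts": [
        {"name": "testconfig", "mountPath": "/etc/local_config_test.py"},
        {"name": "testsecret", "mountPath": "/etc/id_rsa"}],
}

def decode_secret(secret):
    """Secret `data` is base64-encoded, not encrypted: any reader recovers the value."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

def secret_refs_in_command(container, volumes):
    """List secret-backed env vars and files that the container command line references."""
    script = " ".join(container.get("command", []) + container.get("args", []))
    findings = []
    for env in container.get("env", []):
        if "secretKeyRef" in env.get("valueFrom", {}):
            # $(NAME) is expanded by Kubernetes, $NAME and ${NAME} by the shell.
            if re.search(r"\$[({]?" + re.escape(env["name"]) + r"\b", script):
                findings.append("env:" + env["name"])
    secret_vols = {v["name"] for v in volumes if "secret" in v}
    for m in container.get("volumeMounts", []):
        hit = re.search(re.escape(m["mountPath"]) + r"(?![\w.])", script)
        if m["name"] in secret_vols and hit:
            findings.append("file:" + m["mountPath"])
    return findings
```

Whatever the command prints is readable through `kubectl logs`, so a real workload should consume these values without echoing them.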

volumeMounts specifies the path that the pod mounts, here /etc/local_config_test.py. The actual source of the mount is specified in volumes, where the volume is bound to a ConfigMap. The source actually mounted at /etc/local_config_test.py is localconfig-file, which is the name of the ConfigMap; which specific file inside the localconfig-file ConfigMap corresponds to /etc/local_config_test.py is determined by subPath:

          mountPath: "/etc/local_config_test.py"
          subPath: localconfig-test

In essence, this writes the content of localconfig-test in the localconfig-file ConfigMap into the file /etc/local_config_test.py:

apiVersion: v1
kind: ConfigMap
metadata:
  name: localconfig-file
data:
  localconfig-produce: |
    TEST_RELEASE = False
    PORT = 80
    PROCESSES = 0
    MESSAGE = Produce
  localconfig-test: |
    TEST_RELEASE = True
    PORT = 8080
    PROCESSES = 1
    MESSAGE = Test

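The content of /etc/local_config_test.py is as follows:

    TEST_RELEASE = True
    PORT = 8080
    PROCESSES = 1
    MESSAGE = Test

Once the pod has started successfully, the content of /etc/local_config_test.py can be read. readOnly: true means the pod cannot change the content of the mount point, so /etc/local_config_test.py cannot be modified from inside the pod. defaultMode: 0600 refers to the permissions that /etc/local_config_test.py has as a file mounted inside the container.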
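
The lookup chain described above (volumeMounts name, then volumes, then ConfigMap or Secret, then the subPath key) is modelled below for all four mounts of the Deployment. This is an added example, not the course's own code and not kubelet's implementation; the dict layout, the placeholder key material and the function name resolve_mounts are assumptions, and every subPath is assumed to name an existing key.

```python
# Constructed sample: the page's ConfigMap, Secret keys, volumes and volumeMounts as dicts.
# The key material is a placeholder; only the dict layout is new.
CONFIGMAPS = {"localconfig-file": {
    "localconfig-test": "TEST_RELEASE = True\nPORT = 8080\nPROCESSES = 1\nMESSAGE = Test\n",
    "localconfig-produce": "TEST_RELEASE = False\nPORT = 80\nPROCESSES = 0\nMESSAGE = Produce\n",
}}
SECRETS = {"mysecret": {"my_id_rsa": "<private key placeholder>",
                        "my_id_rsa_pub": "<public key placeholder>"}}
VOLUMES = [
    {"name": "testconfig", "configMap": {"name": "localconfig-file", "defaultMode": 0o660}},
    {"name": "testsecret", "secret": {"secretName": "mysecret", "defaultMode": 0o600}},
]
MOUNTS = [
    {"name": "testconfig", "mountPath": "/etc/local_config_test.py",
     "subPath": "localconfig-test"},
    {"name": "testconfig", "mountPath": "/etc/local_config_produce.py",
     "subPath": "localconfig-produce", "readOnly": True},
    {"name": "testsecret", "mountPath": "/etc/id_rsa",
     "subPath": "my_id_rsa", "readOnly": True},
    {"name": "testsecret", "mountPath": "/etc/id_rsa.pub",
     "subPath": "my_id_rsa_pub", "readOnly": True},
]

def resolve_mounts(volumes, mounts):
    """Follow volumeMounts.name -> volumes.name -> ConfigMap/Secret -> subPath key."""
    by_name = {v["name"]: v for v in volumes}
    files = {}
    for m in mounts:
        vol = by_name[m["name"]]
        if "configMap" in vol:
            spec, store, ref = vol["configMap"], CONFIGMAPS, vol["configMap"]["name"]
            source = "configMap/" + ref
        else:
            spec, store, ref = vol["secret"], SECRETS, vol["secret"]["secretName"]
            source = "secret/" + ref
        files[m["mountPath"]] = {
            "source": source,
            "key": m["subPath"],
            "content": store[ref][m["subPath"]],          # KeyError if the key is missing
            "mode": oct(spec.get("defaultMode", 0o644)),  # 0644 is the Kubernetes default
            "readOnly": m.get("readOnly", False),
        }
    return files

if __name__ == "__main__":
    for path, f in resolve_mounts(VOLUMES, MOUNTS).items():
        print(path, f["source"], f["key"], f["mode"], "ro" if f["readOnly"] else "rw")
```

Kubernetes does not propagate later ConfigMap or Secret updates into subPath mounts, so the pod has to be restarted to pick up a change.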
 