K8S Configuration Management: Secret

Secret in detail

A ConfigMap can inject configuration into a Pod, but its contents are plainly visible with kubectl describe, so it is not suitable for passing sensitive data to the applications in a Pod. For that purpose k8s provides the Secret resource, which transforms sensitive data before storing it and automatically decodes it each time it is injected into a Pod container, restoring the original value.

Secret resources are stored unencrypted in etcd, the backend of the k8s api-server; the "transformation" is nothing more than base64 encoding.

Secret types

ConfigMap data has essentially no categories, but a Secret does: it carries a type that reflects its purpose.

  • docker-registry: used when the kubelet starts a Pod and has to pull an image from a private registry, to authenticate to that Registry first;
  • tls: reserved for storing a tls/ssl certificate together with its matching private key;
  • generic: the general-purpose type, usually used to store password data.

generic-type Secret

The generic type can carry a subtype:

  • --type="kubernetes.io/basic-auth": basic authentication for web services
  • --type="kubernetes.io/rbd": ceph authentication
  • --type="kubernetes.io/ssh-auth": authentication to an ssh server

generic example 1:

Create a secret for the mysql account and password

# Create the mysql account and password
root@k8s-master01:~/yaml/chapter06# kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=darius.com
secret/mysql-root-authn created

# Fetch mysql-root-authn
root@k8s-master01:~/yaml/chapter06# kubectl get secret mysql-root-authn -o yaml
apiVersion: v1
data:
  password: ZGFyaXVzLmNvbQo=          # the base64-encoded value
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2024-04-16T08:21:21Z"
  name: mysql-root-authn
  namespace: default
  resourceVersion: "216488"
  uid: 681cdb7d-73f8-428a-8443-a87ec30c5c05
type: Opaque

# Decode with base64
root@k8s-master01:~/yaml/chapter06# echo "ZGFyaXVzLmNvbQo=" | base64 -d
darius.com

generic example 2:

When creating basic authentication for a web service, the --type option is also needed, to specify --type="kubernetes.io/basic-auth".

# Create the secret resource
root@k8s-master01:~# kubectl create secret generic web-basic-authn --from-literal=username=devopser --from-literal=password=darius.com --type="ikubernetes.io/basic-auth"
secret/web-basic-authn created

# View the details and look at the type field
root@k8s-master01:~# kubectl get secrets web-basic-authn -o yaml
apiVersion: v1
data:
  password: ZGFyaXVzLmNvbQo=
  username: ZGV2b3BzZXI=
kind: Secret
metadata:
  creationTimestamp: "2024-04-16T08:33:34Z"
  name: web-basic-authn
  namespace: default
  resourceVersion: "218171"
  uid: f04cf0f7-10c2-4b62-b41d-5c675be3daba
type: ikubernetes.io/basic-auth             # the type field; kubernetes.io/basic-auth is the value reserved for basic authentication.
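As an added example (not part of the original post), the following shell functions do by hand what the two kubectl create secret generic commands above do, so the base64 layer of a Secret is visible. It reproduces the post's names and values, shows the trailing-newline tell-tale (an encoding ending in o= or Cg== decodes to a value with a newline at the end), and emits the manifest for either type: kubernetes.io/basic-auth is checked by the API server for a username or password key, while a misspelled type such as the ikubernetes.io/basic-auth in the second command is accepted as a custom type that gets no such check. The function names are this example's own; only base64, od and tail from coreutils are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: hand-rolled equivalent of
# `kubectl create secret generic --from-literal`.

# Encode exactly the bytes of the value. `printf '%s'` is used instead of
# `echo`, which would append a newline that ends up inside the password.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse step; base64 is an encoding, so no key is needed to read a Secret.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Return 0 when the decoded value ends in a newline (its encoding then ends
# in "Cg==" or "o="), the usual sign that a value was built with `echo`.
value_has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Render a Secret manifest. Usage:
#   render_secret_manifest NAME NAMESPACE TYPE key=value [key=value ...]
# TYPE is Opaque for a plain generic Secret or a subtype such as
# kubernetes.io/basic-auth, which the API server requires to carry a
# `username` or `password` key; unknown type strings are stored unchecked.
render_secret_manifest() {
    name=$1; ns=$2; stype=$3; shift 3
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: %s\ndata:\n' \
        "$name" "$ns" "$stype"
    for kv in "$@"; do
        printf '  %s: %s\n' "${kv%%=*}" "$(encode_secret_value "${kv#*=}")"
    done
}

# Equivalent of the post's two commands; pipe the output into `kubectl apply -f -`.
render_secret_manifest mysql-root-authn default Opaque username=root password=darius.com
render_secret_manifest web-basic-authn default kubernetes.io/basic-auth \
    username=devopser password=darius.com
```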

Other notes:

Secret resources that hold the token data of a ServiceAccount also use resource annotations to record what they are for.

kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: node-controller
    kubernetes.io/service-account.uid: b9f7e593-3e49-411c-87e2-dbd7ed9749c0

Resource metadata: besides name and namespace, labels and annotations are also commonly used.

  1. Annotation names follow a naming format similar to labels, but the length of their data is not limited;
  2. They cannot be used as filter conditions by label selectors, but are often used to provide a temporary configuration interface for applications that are still in Beta;
  3. Management commands: kubectl annotate TYPE/NAME KEY=VALUE, kubectl annotate TYPE/NAME KEY-

There is also a token-specific type used by kubeadm bootstrap; such Secrets usually live in the kube-system namespace and are named with the prefix bootstrap-token-.

  • --type="bootstrap.kubernetes.io/token"

tls-type secret

TLS is a distinct type: on the kubectl create command line, besides the different type identifier, it also needs the dedicated options --cert and --key.

Whatever the certificate and private-key files are named, they are stored under the uniform keys:

  • tls.crt
  • tls.key

tls example:

Create a crt and key file and turn them into a tls-type secret

root@k8s-master01:~/yaml/chapter06/certs2.d# (umask 077;openssl genrsa -out nginx.key 2048)
root@k8s-master01:~/yaml/chapter06/certs2.d# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=www.darius.com
root@k8s-master01:~/yaml/chapter06/certs2.d# ls
nginx.crt  nginx.key

# Create the tls-type secret
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl create secret tls nginx-ssl --key=nginx.key --cert=nginx.crt
secret/nginx-ssl created

# View the secret
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl get secret nginx-ssl -o yaml
apiVersion: v1
data:
  tls.crt: <base64-encoded certificate, omitted>
  tls.key: <base64-encoded private key, omitted>
kind: Secret
metadata:
  creationTimestamp: "2024-04-16T09:33:30Z"
  name: nginx-ssl
  namespace: default
  resourceVersion: "226423"
  uid: 7f79533a-db1a-49cd-9108-a3d4bf933672
type: kubernetes.io/tls
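As an added example (not from the original post), the script below builds the data block of a kubernetes.io/tls Secret the way kubectl create secret tls --cert --key does, so the renaming of nginx.crt/nginx.key to tls.crt/tls.key is visible, and then checks that the certificate and the private key actually belong together, which is the check worth running before nginx is pointed at the mounted files. The key pair is generated on the fly as constructed test material with the post's subject; openssl, base64 and mktemp are assumed to be available, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: tls Secret data block plus a
# certificate/key consistency check.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

b64() { base64 | tr -d '\n'; }

# Self-signed certificate and 2048-bit RSA key, as in the post (constructed test material).
make_keypair() {   # $1 = basename under $workdir
    openssl genrsa -out "$workdir/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$workdir/$1.key" -out "$workdir/$1.crt" \
        -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=www.darius.com 2>/dev/null
}

# data: section of the Secret; the input file names disappear, only tls.crt/tls.key remain.
tls_secret_data() {   # $1 = certificate file, $2 = private key file
    printf 'data:\n  tls.crt: %s\n  tls.key: %s\n' "$(b64 < "$1")" "$(b64 < "$2")"
}

# Return 0 when the public key embedded in tls.crt equals the public key
# derived from tls.key. A mismatch here is the classic cause of nginx's
# "key values mismatch" error after the Secret has been mounted.
tls_pair_matches() {   # $1 = base64 tls.crt, $2 = base64 tls.key
    cert_pub=$(printf '%s' "$1" | base64 -d | openssl x509 -noout -pubkey)
    key_pub=$(printf '%s' "$2" | base64 -d | openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Subject and expiry of the certificate stored in the Secret, the two fields
# to compare before and after a renewal.
tls_cert_summary() {   # $1 = base64 tls.crt
    printf '%s' "$1" | base64 -d | openssl x509 -noout -subject -enddate
}

make_keypair nginx   # the pair that belongs in the nginx-ssl Secret
make_keypair stale   # a second key, standing in for an old or wrong file
tls_secret_data "$workdir/nginx.crt" "$workdir/nginx.key"
```

With a live cluster the same checks apply to `kubectl get secret nginx-ssl -o jsonpath='{.data.tls\.crt}'` and `'{.data.tls\.key}'` in place of the generated files.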

docker-registry-type secret

Docker Registry is also a distinct type:

kubectl create secret docker-registry my-secret \
    --docker-server=DOCKER_REGISTRY_SERVER \
    --docker-username=DOCKER_USER \
    --docker-password=DOCKER_PASSWORD \
    --docker-email=DOCKER_EMAIL

If the docker registry has been logged in to before, the information can also be loaded from docker's credential file with the --from-file option:

# The credentials are usually stored in .docker/config.json or .dockercfg in the user's home directory
kubectl create secret docker-registry my-secret --from-file=~/.docker/config.json
# or
kubectl create secret docker-registry my-secret --from-file=$HOME/.dockercfg
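As an added example (not from the original post), these functions reproduce the payload that kubectl create secret docker-registry stores: a .dockerconfigjson document in which the registry password appears in clear twice, once as the password member and once inside the base64 auth member. The placeholders are the ones from the command above; the function names are this example's own, and values are assumed to contain no double quotes or backslashes because the JSON is assembled with printf.

```shell
#!/bin/sh
# Added example, not from the original post: what a docker-registry Secret contains.

b64() { base64 | tr -d '\n'; }

# The config.json document kubectl generates for --docker-server/--docker-username/
# --docker-password/--docker-email: `auth` is base64("user:password").
dockerconfigjson() {   # $1 server, $2 user, $3 password, $4 email
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$(printf '%s:%s' "$2" "$3" | b64)"
}

# Full manifest: type kubernetes.io/dockerconfigjson with the single key .dockerconfigjson.
docker_registry_secret_manifest() {   # $1 name, $2 server, $3 user, $4 password, $5 email
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$1" "$(dockerconfigjson "$2" "$3" "$4" "$5" | b64)"
}

# Read the password back out of a stored .dockerconfigjson value. Anyone with
# get/list/watch on Secrets in the namespace can do the same, which is why those
# verbs are the ones to restrict with RBAC rather than relying on the encoding.
registry_password_from_data() {   # $1 = base64 .dockerconfigjson value
    printf '%s' "$1" | base64 -d | sed 's/.*"password":"\([^"]*\)".*/\1/'
}

docker_registry_secret_manifest my-secret DOCKER_REGISTRY_SERVER DOCKER_USER DOCKER_PASSWORD DOCKER_EMAIL
```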

Using the docker-registry secret

A docker-registry secret is usually configured for use when the container's image is pulled:

root@k8s-master01:~# kubectl explain pod.spec.imagePullSecrets
KIND:     Pod
VERSION:  v1

RESOURCE: imagePullSecrets <[]Object>

DESCRIPTION:
     ImagePullSecrets is an optional list of references to secrets in the same
     namespace to use for pulling any of the images used by this PodSpec. If
     specified, these secrets will be passed to individual puller
     implementations for them to use. For example, in the case of docker, only
     DockerConfig type secrets are honored. More info:
     https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod

     LocalObjectReference contains enough information to let you locate the
     referenced object inside the same namespace.

FIELDS:
   name <string>
     Name of the referent. More info:
     https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Secret resources: use via environment variables

containers:
- name: …
  image: …
  env:
  - name: <string>            # variable name; its value comes from the given key of a Secret object
    valueFrom:                # key reference
      secretKeyRef:
        name: <string>        # name of the referenced Secret object, which must be in the same namespace as the Pod
        key: <string>         # key on the referenced Secret object whose value is passed to the variable
        optional: <boolean>   # whether the reference is optional
  envFrom:                    # import all keys and values of the given Secret object as variables
  - prefix: <string>          # prefix added to every key name when it is exposed as a variable
    secretRef:
      name: <string>          # name of the referenced Secret object
      optional: <boolean>     # whether the reference is optional

Secret resource usage examples

Loading the mysql root password

  1. Create the MySQL resource manifest, using the mysql-root-authn secret created earlier
root@k8s-master01:~/yaml/chapter06# vim secrets-env-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-demo
  namespace: default
spec:
  containers:
  - name: mariadb
    image: mariadb
    imagePullPolicy: IfNotPresent
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-authn
          key: password
  2. Apply the manifest
root@k8s-master01:~/yaml/chapter06# kubectl apply -f secrets-env-demo.yaml
pod/secret-env-demo created

root@k8s-master01:~/yaml/chapter06# kubectl get pods secret-env-demo
NAME                        READY   STATUS    RESTARTS   AGE
secret-env-demo             1/1     Running   0          1m
  3. Verify
root@k8s-master01:~/yaml/chapter06# kubectl exec secret-env-demo -- mysql -uroot -pdarius.com -e "show databases;"
Database
information_schema
mysql
performance_schema
sys

https virtual host example

  1. Write the pod resource manifest
root@k8s-master01:~/yaml/chapter06# vim secrets-volume-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secrets-volume-demo
  namespace: default
spec:
  containers:
  - name: ngxserver
    image: nginx:alpine
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxcerts
    secret:
      secretName: nginx-ssl
  - name: nginxconfs
    configMap:
      name: nginx-sslvhosts-confs
      optional: false
  2. Create the secret
root@k8s-master01:~/yaml/chapter06/certs2.d# (umask 077;openssl genrsa -out nginx.key 2048)
root@k8s-master01:~/yaml/chapter06/certs2.d# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=www.darius.com
root@k8s-master01:~/yaml/chapter06/certs2.d# ls
nginx.crt  nginx.key

# Create the tls-type secret
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl create secret tls nginx-ssl --key=nginx.key --cert=nginx.crt
secret/nginx-ssl created

# View the secret
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl get secret nginx-ssl -o yaml
apiVersion: v1
data:
  tls.crt: <base64-encoded certificate, omitted>
  tls.key: <base64-encoded private key, omitted>
kind: Secret
metadata:
  creationTimestamp: "2024-04-16T09:33:30Z"
  name: nginx-ssl
  namespace: default
  resourceVersion: "226423"
  uid: 7f79533a-db1a-49cd-9108-a3d4bf933672
type: kubernetes.io/tls
  3. Create the configMap resource
# The nginx configuration files are already prepared; here the configMap resource is created from them
root@k8s-master01:~/yaml/chapter06/nginx-ssl-conf.d# ls
myserver.conf  myserver-gzip.cfg  myserver-status.cfg

# Create the configmap from all files in the current directory
root@k8s-master01:~/yaml/chapter06/nginx-ssl-conf.d# kubectl create configmap nginx-sslvhosts-confs --from-file=./
configmap/nginx-sslvhosts-confs created

# View the configmap
root@k8s-master01:~/yaml/chapter06/nginx-ssl-conf.d# kubectl describe configmap nginx-sslvhosts-confs
Name:         nginx-sslvhosts-confs
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
myserver-gzip.cfg:
----
gzip on;
gzip_comp_level 5;
gzip_proxied     expired no-cache no-store private auth;
gzip_types text/plain text/css application/xml text/javascript;

myserver-status.cfg:
----
location /nginx-status {
    stub_status on;
    access_log off;
}

myserver.conf:
----
server {
    listen 443 ssl;
    server_name www.darius.com;

    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.darius.com;
    return 301 https://$host$request_uri;
}

Events:  <none>
  4. Create the pod from the manifest
root@k8s-master01:~/yaml/chapter06# kubectl apply -f secrets-volume-demo.yaml
pod/secrets-volume-demo created

root@k8s-master01:~/yaml/chapter06# kubectl get pods secrets-volume-demo -o wide
NAME                  READY   STATUS    RESTARTS   AGE     IP            NODE         NOMINATED NODE   READINESS GATES
secrets-volume-demo   1/1     Running   0          7m18s   10.244.3.18   k8s-node03   <none>           <none>
  5. Verify ssl
# Verify that port 443 is listening
root@k8s-master01:~/yaml/chapter06# kubectl exec secrets-volume-demo -- netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN


# Access with curl; the page opens normally
root@k8s-master01:~/yaml/chapter06/certs2.d# curl -k -H "Host:www.darius.com"  https://10.244.3.18:443
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>



Originally published on the WeChat public account TechOps之窗: K8S-配置管理之Secret

Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/289042.html
