---

一、Secret

Secret 是用来保存密码、token、密钥等敏感数据的 k8s 资源，这类数据虽然也可以存放在 Pod 或者镜像中，但是放在 Secret 中是为了更方便的控制如何使用数据，并减少暴露的风险。

1.1 Secret 四种类型

● kubernetes.io/service-account-token：由 Kubernetes 自动创建，用来访问 APIServer 的 Secret，Pod 会默认使用这个 Secret 与 APIServer 通信， 并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中;
● Opaque ：base64 编码格式的 Secret，用来存储用户自定义的密码、密钥等，默认的 Secret 类型;
● kubernetes.io/dockerconfigjson ：用来存储私有 docker registry 的认证信息。
● kubernetes.io/tls ：用来存储 TLS 证书和私钥信息。

1.2 Secret 使用条件

Pod 需要先引用才能使用某个 secret，Pod 有 3 种方式来使用 secret：
● 作为挂载到一个或多个容器上的卷 中的文件。
● 作为容器的环境变量。
● 由 kubelet 在为 Pod 拉取镜像时使用。

应用场景：凭据
https://kubernetes.io/docs/concepts/configuration/secret/

二、Secret 使用方式

2.1 基于Opaque创建 Secret

kubectl create secret generic -h 
#用kubectl create secret命令创建Secret
echo -n 'zhangsan' > username.txt
echo -n 'abc1234' > password.txt

kubectl create secret generic mysecret --from-file=username.txt --from-file=password.txt

kubectl get secrets

kubectl describe secret mysecret
#get或describe指令都不会展示secret的实际内容，这是出于对数据的保护的考虑

2.2 内容用 base64 编码，创建Secret

echo -n zhangsan | base64
emhhbmdzYW4=
echo -n abc1234 | base64
YWJjMTIzNA==

vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret1
type: Opaque
data:
  username: emhhbmdzYW4=
  password: YWJjMTIzNA==

kubectl create -f secret.yaml 
kubectl get secrets
kubectl get secret mysecret1 -o yaml

2.3 将 Secret 挂载到 Volume 中，以 Volume 的形式挂载到 Pod 的某个目录下

//master01节点
//创建一个自主式Pod
cd /opt/secret
kubectl run myapp --image=soscscs/myapp:v1 --port=80 --dry-run=client -oyaml > myapp.yaml
cp myapp.yaml myapp-demo1.yaml
vim myapp-demo1.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp-demo1
  name: myapp-demo1
spec:
  volumes:
  - name: vol-harbor
    secret:
      secretName: mysecret1   
  containers:
  - image: soscscs/myapp:v1
    name: myapp-demo1
    ports:
    - containerPort: 80
    volumeMounts:
    - name: vol-harbor
      mountPath: /opt/secret
      readOnly: true

kubectl apply -f myapp-demo1.yaml
kubectl get pods -owide
kubectl exec -it myapp-demo1 sh

2.4 将 Secret 导出到环境变量中

//再用 base64 编码，创建一个Secret mysecret2.yaml
vim mysecret-demo2.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp-demo2
  name: myapp-demo2
spec:
  containers:
  - image: soscscs/myapp:v1
    name: myapp-demo2
    ports:
    - containerPort: 80
    env:
    - name: mysecret1_USER
      valueFrom:
        secretKeyRef:
          name: mysecret1
          key: username
    - name: mysecret2_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret2
          key: password
    envFrom:
    - secretRef:
        name: mysecret1

2.5 使用secret配置免密交互拉取habor私有仓库镜像

使用secret配置免密交互拉取habor私有仓库镜像 , 在搭建好docker的私有仓库后，在使用私有仓库时需要通过docker login指令来登录到私有仓库中。但同时在使用的过程中也会把habor仓库的用户名和密码暴露在命令行中，存在一定的安全隐患。k8s中的secret配置的运用能够实现并且规避这一问题的存在

//另外准备两台安装docker引擎和docker-compose的服务器
//部署 docker引擎 
yum install -y yum-utils device-mapper-persistent-data lvm2 
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo 

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

yum install -y docker-ce docker-ce-cli containerd.io

cd /etc/docker/
cat  > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://6iuzoxz4.mirror.aliyuncs.com",
                "https://dockerhub.icu",
                "https://docker.chenby.cn",
                "https://docker.1panel.live",
                "https://docker.awsl9527.cn",
                "https://docker.anyhub.us.kg",
                "https://dhub.kubesre.xyz"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
      "max-size": "500m","max-file": "3"
   }
}
EOF

systemctl start docker.service
systemctl enable docker.service 

上传docker-compose
mv docker-compose /usr/local/bin/
chmod +x !$/docker-compose
docker-compose -version

//在其中一台装docker引擎和docker-compose的服务器安装harbor
//上传harbor-offline-installer-v1.10.18.tgz 
//下载运行registry镜像 
docker pull registry
vim /etc/docker/daemon.json
......
"insecure-registries": ["http://192.168.154.13"],
......

cd /opt
tar xf harbor-offline-installer-v1.10.18.tgz
cd harbor/
vim harbor.yml 

//master01节点
kubectl create secret docker-registry myharbor --docker-server=192.168.154.13 --docker-username=admin --docker-password=Harbor12345 --docker-email=admin@harbor.com

docker-registry   —— secret资源类型
myharbor          —— secret资源名称
--docker-server=192.168.154.13   —— 私有仓库IP地址
--docker-username=admin          —— 私有仓库登录账号
--docker-password=Harbor12345    —— 私有仓库登录密码
--docker-email=admin@harbor.com  —— 私有仓库登录邮箱

kubectl get secrets

//harbor服务器加载镜像和启动 Harbor
./prepare
./install.sh 

docker-compose ps

docker pull nginx:1.20

打开浏览器输入账户密码即可登录

新建一个项目

//上传nginx镜像到私有仓库
docker login -u admin -p Harbor12345 http://192.168.154.13
docker images

nginx镜像就推送上去了

从私有仓库拉取镜像

先删除集群所有节点的nginx镜像
docker rmi -f nginx:latest

//master01
cd /opt/secret
vim myapp-demo3.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  containers:
  - image: 192.168.154.13/k8s/nginx:1.20
    name: nginx
    ports:
    - containerPort: 80

这时执行pod是报错的

//先在所有node节点上把私有仓库ip加上
vim /etc/docker/daemon.json
"insecure-registries": ["http://192.168.154.13"],
//再保存重启docker服务
systemctl restart docker.service

//master01 
cd /opt/secret
vim myapp-demo3.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  containers:
  - image: 192.168.154.13/k8s/nginx:1.20
    name: nginx
    ports:
    - containerPort: 80
  imagePullSecrets:
  - name: myharbor

通过私有仓库拉取镜像成功

日志上也看到拉取镜像了

三、ConfigMap

与Secret类似，区别在于ConfigMap保存的是不需要加密配置的信息。
ConfigMap 功能在 Kubernetes1.2 版本中引入，许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。ConfigMap API 给我们提供了向容器中注入配置信息的机制，ConfigMap 可以被用来保存单个属性，也可以用来保存整个配置文件或者JSON二进制大对象。
应用场景：应用配置

3.1 使用目录创建

//创建 ConfigMap

mkdir /opt/configmap/
 
vim /opt/configmap/game.config
enemy.types=aliens,monsters
player.maximum-lives=5 
 
vim /opt/configmap/ui.config
color.good=purple
color.bad=yellow
allow.textmode=true

ls /opt/configmap/
game.config
ui.config

kubectl create configmap game-config --from-file=/opt/configmap/
//--from-file 指定在目录下的所有文件都会被用在 ConfigMap 里面创建一个键值对，键的名字就是文件名，值就是文件的内容

kubectl get cm

mkdir /opt/configmap/cm
cd  /opt/configmap/cm
cp -r /etc/passwd /etc/shadow /etc/yum.repos.d/ /etc/yum.conf /etc/fstab /etc/hosts ./
kubectl create cm cm-demo1 --from-file=/opt/configmap/cm
kubectl describe cm cm-demo1

ConfigMap 只加载第一层目录的第一层文件，子目录和其下文件都不会加载出来
而且 ConfigMap 的键值是以明文的方式展示出来，这也是和 secret 的区别之一

3.2 通过键值对创建

使用文字值创建，利用 --from-literal 参数传递配置信息，该参数可以使用多次，格式如下
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=good

kubectl create cm mycm-demo1 --from-literal=class=demo1 --from-literal=name=test
kubectl get cm
kubectl describe cm mycm-demo1

3.3 通过挂载的方式使用

cd /opt/secret/
vim myapp-demo4.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp-demo4
  name: myapp-demo4
spec:
  volumes:
  - name: vol-cm
    configMap:
      name: cm-demo1
  containers:
  - image: soscscs/myapp:v1
    name: myapp-demo4
    ports:
    - containerPort: 80
    volumeMounts:
    - name: vol-cm
      mountPath: /opt/ConfigMap
      readOnly: true

3.4 通过环境变量的方式使用

cd /opt/secret
cp myapp-demo2.yaml myapp-demo5.yaml
vim myapp-demo5.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp-demo5
  name: myapp-demo5
spec:
  containers:
  - image: soscscs/myapp:v1
    name: myapp-demo5
    ports:
    - containerPort: 80
    env:
    - name: ConfigMap_USER
      valueFrom:
        configMapKeyRef:
          name: mycm-demo1
          key: name
    - name: MYCLASS
      valueFrom:
        configMapKeyRef:
          name: mycm-demo1
          key: class
    envFrom:
    - configMapRef:
        name: mycm-demo1

3.5 在容器启动时直接引用变量值

vim myapp-demo5.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp-demo6
  name: myapp-demo6
spec:
  containers:
  - image: busybox:1.28
    name: myapp-demo6
    command:
    - /bin/sh
    - -c
    - echo "${ConfigMap_USER} is in ${MYCLASS}" > /var/env.txt ;sleep 3600
    ports:
    - containerPort: 80
    env:
    - name: ConfigMap_USER
      valueFrom:
        configMapKeyRef:
          name: mycm-demo1
          key: name
    - name: MYCLASS
      valueFrom:
        configMapKeyRef:
          name: mycm-demo1
          key: class
    envFrom:
    - configMapRef:
        name: mycm-demo1

3.6 将现有nginx配置文件替换掉容器里默认nginx配置文件

cd /opt/secret
vim myapp-demo6.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: cm-demo6
  name: cm-demo6
spec:
  containers:
  - image: soscscs/myapp:v1
    name: cm-demo6
    ports:
    - containerPort: 80
  dnsPolicy: ClusterFirst
  restartPolicy: Always

//准备开始替换
//上传nginx.conf
cd /opt/secret
kubectl create configmap mycm-nginx --from-file=./nginx.conf

vim nginx.conf
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
     #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        charset utf-8;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.php;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
         #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root           html;
            fastcgi_pass   172.18.0.30:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html$fastcgi_script_name;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

错误示例：
vim cm-nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: cm-demo6
  name: cm-demo6
spec:
  volumes:
  - name: nginx-conf
    configMap:
      name: mycm-nginx
  containers:
  - image: soscscs/myapp:v1
    name: cm-demo6
    ports:
    - containerPort: 80
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/nginx.conf
      readOnly: true

vim cm-nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: cm-demo6
  name: cm-demo6
spec:
  volumes:
  - name: nginx-conf
    configMap:
      name: mycm-nginx
  containers:
  - image: soscscs/myapp:v1
    name: cm-demo6
    ports:
    - containerPort: 80
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
      readOnly: true

3.7 ConfigMap 热更新

想修改 nginx.conf 里的某个参数值，不要在容器里的 nginx.conf 里修改，不然需要重启服务，容器也会宕掉。

• 只支持以目录的方式挂载的cm卷进行热更新
• 不支持以文件的方式挂载的cm卷进行热更新

//以目录的方式更新
cd /opt/secret
cp nginx.conf nginx2.conf
vim nginx2.conf

 server {
        location / {
          root /var/www/html;
          index index.html;
        }

        location ~ \.php$ {
            root           html;
            fastcgi_pass   172.18.0.30:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html$fastcgi_script_name;
            include        fastcgi_params;
        }
}

kubectl create cm mycm-nginx2 --from-file=./nginx2.conf

vim cm-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: cm-demo
  name: cm-demo
spec:
  volumes:
  - name: nginx-conf
    configMap:
      name: mycm-nginx2
  containers:
  - image: soscscs/myapp:v1
    name: cm-demo
    ports:
    - containerPort: 80
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/conf.d
      readOnly: true

 kubectl apply -f cm-demo.yaml
 kubectl exec -it cm-demo sh

3.8 ConfigMap 动态更新

kubectl edit cm mycm-nginx2

3.9 滚动更新

陈述式管理资源配置的方式 修改或添加 资源对象的配置

kubectl patch 资源类型 资源名 --patch '{"第一层字段": {"第一层字段": ...}}'

kubectl create deployment myapp-deploy --image=soscscs/myapp:v1 --port=80 --replicas=2

//修改副本集并使用打补丁的方式修改
kubectl edit deployments.apps myapp-deploy
kubectl patch deployments.apps myapp-deploy --patch '{"spec":{"replicas":4}}'

//打补丁的方式添加字段
kubectl patch deployments.apps myapp-deploy --patch '{"spec":{"template":{"metadata":{"annotations":{"version/config":"2024v1"}}}}}'

//打补丁的方式修改镜像
kubectl patch deployments.apps myapp-deploy --patch '{"spec":{"template":{"spec":{"containers":[{"name":"myapp","image":"soscscs/myapp:v3"}]}}}}'