# Secret Configuration

Published: 2020/4/23 12:03

Introduction to Secrets
------------

> A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in an image or in the Pod spec. A Secret can be consumed as a Volume or as environment variables.

The three types of Secret
------------

> - Service Account: used to access the Kubernetes API. It is created automatically by Kubernetes and mounted automatically into the Pod at **`/run/secrets/kubernetes.io/serviceaccount`**;
> - Opaque: a Secret in base64-encoded format, used to store passwords, keys and so on;
> - **`kubernetes.io/dockerconfigjson`**: used to store the authentication information for a private docker registry.

Storing the MySQL password in a Secret
------------

> ### mysql.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: netcore
  namespace: netcore
type: Opaque
data:
  # base64 of "password" (the value must be valid base64 or the API server rejects it)
  mysql_root_password: cGFzc3dvcmQ=
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: netcore
spec:
  type: NodePort
  ports:
  - port: 3306
  selector:
    app: mysql
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: mysql
  namespace: netcore
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.6
        name: mysql
        env:
        # The root password is read from the Secret defined above
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: netcore
              key: mysql_root_password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        hostPath:
          path: /var/lib/mysql
```

> ### Deploy

> ### View the Secret in Dashboard

(Note) Because my value is only base64-encoded, the Dashboard reveals the original value here.

Creating a private image on Tencent Cloud
------------

> ### Create a namespace

> ### Create my image

> ### View the usage guide

> ### Log in to Tencent Cloud with docker

> ### Build the image with docker and push it to Tencent Cloud

(Note) Here I recreated the image as **name-api** so that it has the same name as the project.

> ### View the image

Pulling from a specific registry address with imagePullSecrets (demonstrated with Tencent Cloud)
------------

> ### Create the Secret used for docker registry authentication with kubectl

```bash
kubectl create secret docker-registry myregistrykey \
  --docker-server=DOCKER_REGISTRY_SERVER \
  --docker-username=DOCKER_USER \
  --docker-password=DOCKER_PASSWORD \
  --docker-email=DOCKER_EMAIL \
  -n netcore
```

> Then I ran the command to create it.

> Be sure to add `-n netcore` here (I did not add it).

> Finally, modify deploy.yaml and publish name-api again.

> deploy.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: name-api
  namespace: netcore
  labels:
    name: name-api
spec:
  replicas: 3
  selector:
    matchLabels:
      name: name-api
  template:
    metadata:
      labels:
        name: name-api
    spec:
      containers:
      - name: name-api
        env:
        - name: HOSTNAME_COMMAND
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: ccr.ccs.tencentyun.com/hbtest/name-api:v2
        ports:
        - containerPort: 80
        imagePullPolicy: Always
      # Must name a docker-registry Secret that exists in this namespace
      imagePullSecrets:
      - name: tenxunyunregistrykey
---
kind: Service
apiVersion: v1
metadata:
  name: name-api
  namespace: netcore
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
  selector:
    name: name-api
```

> Publish again and view the Secret

> Inspect one of the name-api pods

```bash
kubectl get pod/name-api-xxx -n netcore -o yaml
```
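
As an added example (not part of the original post), the Python below mirrors the `.dockerconfigjson` payload that `kubectl create secret docker-registry` generates and decodes a Secret's `data` map, showing that anyone who can read the Secret recovers the credentials. The function names and the credential values are constructed for illustration; the registry host and namespace are the ones used on this page.

```python
import base64
import binascii
import json


def build_registry_secret(name, namespace, server, username, password, email):
    """Build a manifest shaped like the one `kubectl create secret docker-registry` makes."""
    # "auth" is base64("user:password"), the same form docker stores in its config.json
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {"auths": {server: {"username": username, "password": password,
                                        "email": email, "auth": auth}}}
    payload = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def decode_secret_data(manifest):
    """Decode every value under `data`; a value that is not valid base64 maps to None."""
    decoded = {}
    for key, value in manifest.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            decoded[key] = None  # the API server would reject this value
    return decoded


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    secret = build_registry_secret("myregistrykey", "netcore", "ccr.ccs.tencentyun.com",
                                   "example-user", "example-password", "user@example.com")
    print(json.dumps(secret, indent=2))  # kubectl also accepts JSON manifests
    # One decode is enough to read the registry password back out of the Secret.
    print(decode_secret_data(secret)[".dockerconfigjson"])
```

Because the stored value is reversible, read access to Secrets in the namespace (RBAC `get`/`list` on `secrets`, Dashboard access) is what actually protects these credentials.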