Secret Configuration

Posted: 2020/4/23 12:03

![Kubernetes](https://img.tnblog.net/arcimg/hb/4027cd04790f47abbb576c3daffe67f4.png "Kubernetes")

>#Secret Configuration

[TOC]

<br/>
Introduction to Secret
------------
<br/>

>A Secret solves the configuration problem for sensitive data such as passwords, tokens and keys, without exposing that data in the image or in the Pod spec. A Secret can be consumed as a Volume or as environment variables.

<br/>
The three types of Secret
------------
<br/>

>- Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted into the Pod's **`/run/secrets/kubernetes.io/serviceaccount`** directory;
>- Opaque: a Secret in base64-encoded format, used to store passwords, keys and so on;
>- **`kubernetes.io/dockerconfigjson`**: used to store the credentials for a private docker registry.

<br/>
Storing the mysql password in a Secret
------------
<br/>

>### mysql.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: netcore
  namespace: netcore
type: Opaque
data:
  # base64-encoded, not encrypted
  mysql_root_password: cGFzc3dvcmQ=
---
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: netcore
spec:
  type: NodePort
  ports:
  - port: 3306
  selector:
    app: mysql
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: mysql
  namespace: netcore
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.6
        name: mysql
        env:
          # Root password is read from the Secret defined above
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: netcore
              key: mysql_root_password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        hostPath:
          path: /var/lib/mysql
```

>### Deploy

![Deploy](https://img.tnblog.net/arcimg/hb/b513ae60dc764c7e9da4cfdfaf9396b1.png "Deploy")

>### View the Secret in the Dashboard

(Note) Because the value here is base64-encoded, the Dashboard shows it in its original form.

![View the Secret](https://img.tnblog.net/arcimg/hb/d5278e957c57400091d65d91bd2bc6a8.png "View the Secret")

<br/>
Creating a private image on Tencent Cloud
------------
<br/>

>### Create a namespace

![Create a namespace](https://img.tnblog.net/arcimg/hb/ce9b369c8ff6491a9a966fb2c315e585.png "Create a namespace")

>### Create my image

![My image](https://img.tnblog.net/arcimg/hb/aa4a9737f5034df993891501fcecc64e.png "My image")

>### View the usage guide
![Usage guide](https://img.tnblog.net/arcimg/hb/7aff4d0ca3f74982a117514dc1549f00.png "Usage guide")

>### Log in to Tencent Cloud with docker

![Log in to Tencent Cloud with docker](https://img.tnblog.net/arcimg/hb/2974180ac25742308d20b246a6363250.png "Log in to Tencent Cloud with docker")

>### Build the image with docker and push it to Tencent Cloud

(Note) Here I created a new image, **name-api**, so that it has the same name as the project.

![](https://img.tnblog.net/arcimg/hb/16197e4fb6e147e98ac8bccae0b6ef91.png)

>### View the image

![View the image](https://img.tnblog.net/arcimg/hb/dcfe4b1c9c9b48c39ccf4db68bf01e7a.png "View the image")

<br/>
Pulling from a specified registry with imagePullSecrets (Tencent Cloud as the demo)
------------
<br/>

>### Create the secret used for docker registry authentication with kubectl

```bash
kubectl create secret docker-registry myregistrykey \
  --docker-server=DOCKER_REGISTRY_SERVER \
  --docker-username=DOCKER_USER \
  --docker-password=DOCKER_PASSWORD \
  --docker-email=DOCKER_EMAIL \
  -n netcore
```

>Then I run the command on my side to create it.

>You must add -n netcore here (I did not add it).

![](https://img.tnblog.net/arcimg/hb/3f29342a17814e20a8e64d06a6482414.png)

>Finally, modify deploy.yaml and publish name-api again.

>deploy.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: name-api
  namespace: netcore
  labels:
    name: name-api
spec:
  replicas: 3
  selector:
    matchLabels:
      name: name-api
  template:
    metadata:
      labels:
        name: name-api
    spec:
      containers:
      - name: name-api
        env:
        - name: HOSTNAME_COMMAND
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: ccr.ccs.tencentyun.com/hbtest/name-api:v2
        ports:
        - containerPort: 80
        imagePullPolicy: Always
      imagePullSecrets:
      # Name of the docker-registry Secret; it must exist in the same namespace
      - name: tenxunyunregistrykey
---
kind: Service
apiVersion: v1
metadata:
  name: name-api
  namespace: netcore
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
  selector:
    name: name-api
```

>Publish again and view the Secret.

![](https://img.tnblog.net/arcimg/hb/48693ff73ebc4a1993279b666730abc8.png)

>View one of the name-api pods.

```bash
kubectl get pod/name-api-xxx -n netcore -o yaml
```

![](https://img.tnblog.net/arcimg/hb/5d9baa3976cd4f5cb6ceabe3a61bf9f4.png)
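
As an added example (not code from the original post), this Python script builds a `kubernetes.io/dockerconfigjson` Secret in the layout that `kubectl create secret docker-registry` stores. It then decodes both Secret types used on this page without any key, which is why read access to Secrets (Dashboard, `kubectl get secret -o yaml`) should be restricted with RBAC. The names `demo-registry-key` and `registry.example.com` and all credential values are constructed.

```python
import base64
import json


def build_registry_secret(name, namespace, server, username, password, email):
    """Build the Secret that `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(config).encode()).decode()},
    }


def decode_secret(manifest):
    """Return the plaintext of every `data` entry; no key is involved."""
    plain = {}
    for key, value in manifest.get("data", {}).items():
        # validate=True raises on malformed base64 instead of skipping bad characters
        plain[key] = base64.b64decode(value, validate=True).decode()
    return plain


def registry_credentials(manifest):
    """Recover (server, username, password) tuples from a dockerconfigjson Secret."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    config = json.loads(decode_secret(manifest)[".dockerconfigjson"])
    creds = []
    for server, entry in config["auths"].items():
        # "auth" is itself base64("username:password")
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        creds.append((server, user, pw))
    return creds


if __name__ == "__main__":
    # Constructed sample values; not taken from the page.
    opaque = {"kind": "Secret", "type": "Opaque",
              "data": {"mysql_root_password": base64.b64encode(b"demo-root-pw").decode()}}
    pull = build_registry_secret("demo-registry-key", "netcore", "registry.example.com",
                                 "demo-user", "demo-pass", "demo@example.com")
    print(decode_secret(opaque))
    print(registry_credentials(pull))
```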