Configmap configuration and secret encryption
2022-07-29 03:47:00 【Floating dream】
One. ConfigMap introduction
ConfigMap was introduced in Kubernetes 1.2. Many applications read their configuration from configuration files, command-line parameters or environment variables. The ConfigMap API gives us a mechanism to inject configuration information into containers: a ConfigMap can hold a single property, an entire configuration file, or a JSON binary large object.
Put the configuration information into a ConfigMap object, then reference that ConfigMap from a Pod object to import the configuration.
A ConfigMap is an API object used to store non-confidential data as key-value pairs. Pods can consume it as environment variables, command-line arguments, or configuration files in a storage volume.
A ConfigMap decouples environment-specific configuration from the container image, which makes it easy to change the application configuration. Use a Secret object when you need to store confidential information.
Note: ConfigMap provides neither confidentiality nor encryption. If the data you want to store is confidential, use a Secret, or use another third-party tool to keep the data private, rather than a ConfigMap.
Two. Application in the project
1. Create a ConfigMap resource manifest
apiVersion: v1 # version; see kubectl explain cm
kind: ConfigMap
metadata:
  name: special-config # ConfigMap name
  namespace: default # namespace
data: # key: value pairs holding the configuration data
  special.how: very
  special.type: charm
kubectl apply -f configmap.yaml
2. Create from a directory
Create the file /root/k8s/yaml/configmap/game.properties:
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
Create the file /root/k8s/yaml/configmap/ui.properties:
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
3. Create the ConfigMap. When --from-file is given a directory, every file in it becomes one key-value pair in the ConfigMap: the key is the file name and the value is the file content.
kubectl create configmap game-config --from-file=../configmap/
4. View the created ConfigMap (cm for short):
$ kubectl get cm
NAME DATA AGE
game-config 2 6m40s
# View details
kubectl get cm game-config -o yaml
kubectl describe cm game-config
5. Create from a file
--from-file can also create a ConfigMap from a single file, as long as the path given is a file.
--from-file can be given multiple times; passing the two configuration files from the previous example with one --from-file each has the same effect as passing the whole directory.
kubectl create configmap game-config-2 --from-file=game.properties
kubectl get configmaps game-config-2 -o yaml
6. Create from literals
Create from literal values: pass the configuration with --from-literal, which can be repeated. The format is as follows:
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
kubectl get configmaps special-config -o yaml
7. Using a ConfigMap in a Pod
Create two ConfigMaps (configmap.yaml):
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  special.how: very
  special.type: charm
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: env-config
  namespace: default
data:
  log_level: INFO
Create the Pod:
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: wangyanglinux/myapp:v1
      command: [ "/bin/sh", "-c", "env" ] # print the environment
      env: # pick individual keys from the ConfigMap and give each an alias
        - name: SPECIAL_LEVEL_KEY # alias; its value will be very
          valueFrom:
            configMapKeyRef:
              name: special-config # ConfigMap name
              key: special.how # key name within the ConfigMap named above
        - name: SPECIAL_TYPE_KEY # alias; its value will be charm
          valueFrom:
            configMapKeyRef:
              name: special-config # ConfigMap name
              key: special.type # key name within the ConfigMap named above
      envFrom: # read every key of the ConfigMap directly
        - configMapRef:
            name: env-config # ConfigMap name
  restartPolicy: Never
Check the log; the values from the ConfigMap have been injected into the container:

Use a ConfigMap to set command-line arguments
Create the ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  special.how: very
  special.type: charm
Create the Pod:
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: wangyanglinux/myapp:v1
      command: [ "/bin/sh", "-c", "echo $(SPECIAL_LEVEL_KEY) $(SPECIAL_TYPE_KEY)" ] # command run when the Pod starts; $(VAR) is expanded from the env entries below
      env: # pick individual keys from the ConfigMap and give each an alias
        - name: SPECIAL_LEVEL_KEY # alias; its value will be very
          valueFrom:
            configMapKeyRef:
              name: special-config # ConfigMap name
              key: special.how # key name within the ConfigMap named above
        - name: SPECIAL_TYPE_KEY # alias; its value will be charm
          valueFrom:
            configMapKeyRef:
              name: special-config # ConfigMap name
              key: special.type
  restartPolicy: Never
Check the log:
kubectl logs dapi-test-pod
very charm
Use a ConfigMap through a data volume
When mounted as a Volume, each key in the ConfigMap becomes a file name and the key's value becomes the file's content.
Create the ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  special.how: very
  special.type: charm
Create the Pod:
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: wangyanglinux/myapp:v1
      command: ["/bin/sh", "-c", "cat /etc/config/special.how"] # print one file from the mount directory
      volumeMounts: # volume mounts
        - name: config-volume # mount the volume declared below
          mountPath: /etc/config # mount directory inside the container; each file is named after a key and contains that key's value
  volumes:
    - name: config-volume # volume name
      configMap: # backed by a ConfigMap
        name: special-config # ConfigMap name
  restartPolicy: Never
kubectl logs dapi-test-pod
very
8. ConfigMap hot update
Create a ConfigMap and a Deployment:
apiVersion: v1
kind: ConfigMap
metadata:
  name: log-config
  namespace: default
data:
  log_level: INFO
---
apiVersion: extensions/v1beta1 # removed in Kubernetes 1.16; on current clusters use apps/v1, which also requires spec.selector
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
        - name: my-nginx
          image: wangyanglinux/myapp:v1
          ports:
            - containerPort: 80
          volumeMounts: # if this is unclear, see the previous section "Use a ConfigMap through a data volume"
            - name: config-volume
              mountPath: /etc/config # will contain a file named log_level whose content is INFO
      volumes:
        - name: config-volume
          configMap:
            name: log-config
View the contents of /etc/config/log_level:
kubectl exec my-nginx-c484b98b4-sbls9 -it -- cat /etc/config/log_level
INFO
Modify the ConfigMap:
kubectl edit configmap log-config

Look at /etc/config/log_level again: the configuration inside the Pod has changed as well.

Note: after a ConfigMap is updated:
- environment variables populated from the ConfigMap are not updated;
- data in a Volume mounted from the ConfigMap takes a while (estimated at about 10 seconds) to synchronize.
Rolling update of the Pod
After a ConfigMap is updated, the application does not reload the file. For example, Nginx reads its configuration file once at startup (the file contains parameters that come from the ConfigMap); after that, however the file changes, Nginx does not load it again. So after updating the ConfigMap the Pod must be rolled.
The rollout can be forced by changing a Pod annotation.
Add version/config under .spec.template.metadata.annotations; every change to version/config triggers a rolling update:
kubectl patch deployment my-nginx --patch \
'{"spec": {"template": {"metadata": {"annotations":{"version/config": "20211110" }}}}}'
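As an added example (not part of the original post), the patch above can be driven by a content hash of the ConfigMap file instead of a hand-typed date, so a rollout is triggered only when the configuration actually changed. It assumes the Deployment name my-nginx and a file log-config.yaml from this section; kubectl is only invoked by apply_rollout.

```shell
#!/bin/sh
# Added example: roll a Deployment only when the ConfigMap content changed.
# Assumes a Deployment "my-nginx" and a manifest file "log-config.yaml"
# (names taken from the post). kubectl is called only in apply_rollout.

# Print the SHA-256 hex digest of a file (GNU coreutils, BSD fallback).
config_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Build the strategic-merge patch that sets version/config on the Pod
# template. Changing the template (not just Deployment metadata) is what
# forces the rolling update.
rollout_patch() {
  printf '{"spec":{"template":{"metadata":{"annotations":{"version/config":"%s"}}}}}' \
    "$(config_hash "$1")"
}

# Apply the ConfigMap manifest, then patch the Deployment. When the hash is
# unchanged the patch is a no-op, so re-running this does not restart Pods.
apply_rollout() {
  kubectl apply -f "$1" &&
  kubectl patch deployment "$2" --patch "$(rollout_patch "$1")"
}

# Usage: apply_rollout log-config.yaml my-nginx
```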
Three. Secret
Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing them in the image or the Pod spec. A Secret can be consumed as a Volume or as environment variables.
Users can create Secrets, and the system also creates some Secrets itself.
There are three types of Secret:
- Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount
- Opaque: a base64-encoded Secret used to store passwords, keys and so on; base64 is an encoding, not encryption, so the protection it gives is weak
- kubernetes.io/dockerconfigjson: used to store authentication information for a private docker registry
To use a Secret, the Pod must reference it. A Pod can use a Secret in two ways:
- as files in a Volume mounted into one or more containers of the Pod;
- by the kubelet when it pulls the Pod's image.
1. Service Account (not commonly used)
A Service Account Secret is used to access the Kubernetes API; Kubernetes creates it automatically and mounts it automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.
# 1. find any Pod that needs to access the Kubernetes API
$ kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
kube-proxy-2pqkk 1/1 Running 6 40d
# 2. list the files under /run/secrets/kubernetes.io/serviceaccount in that Pod
$ kubectl exec kube-proxy-2pqkk -n kube-system -it -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt: certificate used when accessing the API server
namespace: the namespace
token: the authentication token
2. Opaque Secret
Data of type Opaque is a map whose values must be base64 encoded:
base64-encode the user name and password
$ echo -n admin | base64
YWRtaW4=
$ echo -n 123 | base64
MTIz
base64-decode to check a value
$ echo -n YWRtaW4= | base64 -d
admin
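As an added example (not part of the original post), the encoding step above done in shell for any number of keys: the script prints an Opaque Secret manifest equivalent to the one written by hand below, and decodes a value back to show that base64 is reversible by anyone who can read the Secret object. The name mysecret and the values admin/123 come from the post; printf and the newline stripping are my choices.

```shell
#!/bin/sh
# Added example: generate an Opaque Secret manifest from plaintext key=value
# pairs and read a value back out of it. Names/values mirror the post.

# base64 with no trailing newline and without the 76-column line wrapping that
# GNU base64 adds; a wrapped value would produce an invalid manifest.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# secret_manifest NAME key=value [key=value ...]  -> YAML on stdout
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}          # keeps any '=' that is part of the value itself
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# secret_value MANIFEST KEY -> decoded plaintext. This is exactly what anyone
# with "kubectl get secret -o yaml" rights can do, hence RBAC on Secrets matters.
secret_value() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Usage:
#   secret_manifest mysecret username=admin password=123 > mysecret.yaml
#   secret_value "$(cat mysecret.yaml)" password   # prints 123
```

kubectl create secret generic mysecret --from-literal=username=admin --from-literal=password=123 --dry-run=client -o yaml produces the same manifest without manual encoding.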
Create the Secret with the encoded user name and password:
apiVersion: v1 # see kubectl explain secret
kind: Secret
metadata:
  name: mysecret # Secret name
type: Opaque # Secret type
data:
  password: MTIz # password
  username: YWRtaW4= # user name
View the Secret. default-token-xxxxx is created by k8s in every namespace by default and is used for mounting into Pods:
$ kubectl get secret
NAME TYPE DATA AGE
default-token-fm46c kubernetes.io/service-account-token 3 40d
mysecret Opaque 2 12s
(2) Mount the Secret into a Volume
Create the Pod:
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes: # define a volume
    - name: secrets # volume name
      secret: # the volume is backed by a Secret
        secretName: mysecret # the mysecret created in the previous step
  containers:
    - image: wangyanglinux/myapp:v1
      name: db
      volumeMounts: # mount the volume
        - name: secrets # mounts the secrets volume declared above
          mountPath: "/etc/secrets" # mount directory inside the container
          readOnly: true # read-only
View:
# the user name and password from the Opaque Secret are mounted as files
$ kubectl exec secret-test -it -- ls /etc/secrets
password username
# the content has been decoded automatically
$ kubectl exec secret-test -it -- cat /etc/secrets/password
123
$ kubectl exec secret-test -it -- cat /etc/secrets/username
admin
(3) Export the Secret to environment variables
Create the Deployment:
apiVersion: extensions/v1beta1 # removed in Kubernetes 1.16; on current clusters use apps/v1, which also requires spec.selector
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
        - name: pod-1
          image: wangyanglinux/myapp:v1
          ports:
            - containerPort: 80
          env:
            - name: TEST_USER # environment variable name
              valueFrom:
                secretKeyRef: # taken from a Secret
                  name: mysecret # Secret name
                  key: username # key name within the Secret
            - name: TEST_PASSWORD # environment variable name
              valueFrom:
                secretKeyRef: # taken from a Secret
                  name: mysecret # Secret name
                  key: password # key name within the Secret (unlike a ConfigMap, the value is not written in plaintext here, which is a little safer)
View the environment variables
# enter the container
$ kubectl exec pod-deployment-747f78bc67-2w9wk -it -- /bin/sh
# print the environment variables
$ echo $TEST_USER
admin
$ echo $TEST_PASSWORD
123
3. kubernetes.io/dockerconfigjson
Use kubectl to create the docker-registry authentication Secret:
# kubectl create secret docker-registry \ # the Secret type to create
#   myregistrykey \ # Secret name
#   --docker-server=hub.zyx.com \ # docker registry address
#   --docker-username=admin \ # docker user name
#   --docker-password=Harbor12345 \ # docker password
#   --docker-email=<email> # docker e-mail address (the value is not preserved on this page)
kubectl create secret docker-registry \
  myregistrykey \
  --docker-server=hub.zyx.com \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-email=<email>
When creating the Pod, reference myregistrykey through imagePullSecrets so the image can be pulled from the private registry:
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: hub.zyx.com/zyx/myapp:v1
  imagePullSecrets: # credentials used when pulling from the private registry
    - name: myregistrykey # the docker-registry Secret created in the previous step