kubernetes中怎么验证secret和configmap
这篇文章主要讲解了"kubernetes中怎么验证secret和configmap",文中的讲解内容简单清晰,易于学习与理解,下面请大家跟着小编的思路慢慢深入,一起来研究和学习"kubernetes中怎么验证secret和configmap"吧!
在k8s上用deployment和service部署nginx,用secret存储ssl证书,用configmap存储nginx配置文件,简单搭建起https服务。
1,新建一个有两个pod的deployment my-nginx
编辑deployment文件
vi dep-nginx.yaml
apiVersion: apps/v1kind: Deploymentmetadata: name: my-nginxspec: selector: matchLabels: run: my-nginx replicas: 2 template: metadata: labels: run: my-nginx spec: containers: - name: my-nginx image: nginx ports: - containerPort: 80
部署pod:
kubectl apply -f dep-nginx.yaml
kubectl get pods -l run=my-nginx -o wide
# 检查 Pod 的 IP 地址
kubectl get pods -l run=my-nginx -o yaml | grep podIP
2,为my-nginx新建service
vi nginx-svc.yaml
apiVersion: v1kind: Servicemetadata: name: my-nginx labels: run: my-nginxspec: ports: - port: 80 targetPort: 80 protocol: TCP selector: run: my-nginx
kubectl apply -f nginx-svc.yaml
kubectl get svc my-nginx
kubectl get ep my-nginx
3,验证pod的自愈
删除deployment中的pod
kubectl delete pods -l run=my-nginx
可看到删除的pod会被重建,查看重建后的变化
kubectl exec my-nginx-3800858182-e9ihh -- printenv | grep SERVICE
service的dns
kubectl get services kube-dns --namespace=kube-system
kubectl run curl --image=radial/busyboxplus:curl -i --tty
替代nslookup工具的busybox
https://github.com/cncf/curriculum
nslookup my-nginx
4,为新建的nginx添加ssl证书,通过新建secret来使用
1)自签证书
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /d/tmp/nginx.key -out /d/tmp/nginx.crt -subj "/CN=my-nginx/O=my-nginx"
编码
echo -n "string"| base64
cat dockerconfig.json |base64 -w 0
解码
echo "string" | base64 --decode
cat nginx.key |base64 -w 0
cat nginx.crt |base64 -w 0
2)编辑secret文件
vi nginxsecrets.yaml
apiVersion: "v1"kind: "Secret"metadata: name: "nginxsecret" namespace: "default"data: nginx.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIekNDQWdlZ0F3SUJBZ0lKQUp5M3lQK0pzMlpJT" nginx.key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ"
3)部署secret
kubectl apply -f nginxsecrets.yaml
4)查看新建的secret
kubectl get secrets
5)编辑对应的deployment和service配置文件
vi nginx-https.yaml
apiVersion: v1kind: Servicemetadata: name: nginx-https labels: run: nginx-httpsspec: type: NodePort ports: - port: 80 targetPort: 80 protocol: TCP name: http - port: 443 #新加443端口 protocol: TCP name: https selector: run: nginx-https---apiVersion: apps/v1kind: Deploymentmetadata: name: nginx-httpsspec: selector: matchLabels: run: nginx-https replicas: 1 template: metadata: labels: run: nginx-https spec: volumes: - name: secret-volume secret: secretName: nginxsecret #和新建secret的名字一致 containers: - name: nginxhttps image: nginx ports: - containerPort: 443 - containerPort: 80 volumeMounts: - mountPath: /etc/nginx/ssl #设置配置文件挂载点 name: secret-volume
部署deployment和service
kubectl -f nginx-https.yaml
6)登录pod并配置ssl,secret只是添加了SSL证书,还得修改配置文件
kubectl exec -it nginx-https-6575cc58f5-7p28z -- /bin/bash
sed -i 'N;2a\ listen 443 ssl;' /etc/nginx/conf.d/default.conf
sed -i 'N;4a\ ssl_certificate /etc/nginx/ssl/nginx.crt;' /etc/nginx/conf.d/default.conf
sed -i 'N;6a\ ssl_certificate_key /etc/nginx/ssl/nginx.key;' /etc/nginx/conf.d/default.conf
nginx -s reload
7)验证
获取POD的IP
kubectl get pods -o yaml | grep -i podip
curl -k https://10.244.3.5
-k 即因为证书不受信,允许curl使用未验证证书的ssl连接并且传输数据
浏览器的权威证书颁发机构查询: 浏览器设置--隐私与安全--证书管理
linux下路径: /etc/ssl/certs
获得service IP
kubectl get svc | grep nginx-https | awk '{print $3}'
访问测试:
curl -k https://10.1.71.99
获取service的endpoints
kubectl get ep nginx-https
5,刚刚进入容器修改配置不nice,其实无需手动,用configmap将nginx配置传入容器,像secret一样使用
vi https-nginx-configmap.yaml
apiVersion: apps/v1kind: Deploymentmetadata: name: https-nginxspec: selector: matchLabels: run: https-nginx replicas: 2 template: metadata: labels: run: https-nginx spec: volumes: - name: secret-volume secret: secretName: nginxsecret - name: config-volume configMap: name: nginx-config containers: - name: https-nginx image: nginx ports: - containerPort: 80 - containerPort: 443 volumeMounts: - mountPath: /etc/nginx/ssl name: secret-volume - mountPath: /etc/nginx/conf.d name: config-volume---apiVersion: v1kind: Servicemetadata: name: https-nginx labels: run: https-nginxspec: type: NodePort ports: - port: 80 targetPort: 80 protocol: TCP name: http - port: 443 targetPort: 443 protocol: TCP name: https selector: run: https-nginx---apiVersion: v1kind: ConfigMapmetadata: name: nginx-configdata: nginx.conf: | server { listen 80; listen [::]:80; listen 443 ssl; server_name localhost; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; location / { root /usr/share/nginx/html; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } }
kubectl apply -f https-nginx-configmap.yaml
kubectl get deployments
kubectl get svc
kubectl get cm
感谢各位的阅读,以上就是"kubernetes中怎么验证secret和configmap"的内容了,经过本文的学习后,相信大家对kubernetes中怎么验证secret和configmap这一问题有了更深刻的体会,具体使用情况还需要大家实践验证。这里是,小编将为大家推送更多相关知识点的文章,欢迎关注!