
How to verify Secrets and ConfigMaps in Kubernetes

Published: 2021-12-31 09:10:34 Source: 亿速云 Reads: 212 Author: iii Category: Cloud computing

This article explains "How to verify Secrets and ConfigMaps in Kubernetes". The explanation is simple, clear and easy to follow; walk through it step by step with the editor to study it together.

On Kubernetes, deploy nginx with a Deployment and a Service, store the TLS certificate in a Secret and the nginx configuration in a ConfigMap, and so stand up a simple HTTPS service.

1. Create a Deployment my-nginx with two pods

Edit the Deployment file

vi dep-nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 2
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80

Deploy the pods:

kubectl apply -f dep-nginx.yaml

kubectl get pods -l run=my-nginx -o wide

# Check the Pod IP addresses

kubectl get pods -l run=my-nginx -o yaml | grep podIP

2. Create a Service for my-nginx

vi nginx-svc.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    run: my-nginx

kubectl apply -f nginx-svc.yaml

kubectl get svc my-nginx

kubectl get ep my-nginx

3. Verify pod self-healing

Delete the pods belonging to the Deployment

kubectl delete pods -l run=my-nginx

The deleted pods are recreated automatically; check what changed after the rebuild

kubectl exec my-nginx-3800858182-e9ihh -- printenv | grep SERVICE

DNS for the Service

kubectl get services kube-dns --namespace=kube-system

kubectl run curl --image=radial/busyboxplus:curl -i --tty

busybox image used as a replacement for the nslookup tool

https://github.com/cncf/curriculum

nslookup my-nginx

4. Add a TLS certificate to the new nginx, provided through a new Secret

1) Self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /d/tmp/nginx.key -out /d/tmp/nginx.crt -subj "/CN=my-nginx/O=my-nginx"

Encode

echo -n "string"| base64

cat dockerconfig.json |base64 -w 0

Decode

echo "string" | base64 --decode

cat nginx.key |base64 -w 0

cat nginx.crt |base64 -w 0

2) Edit the Secret file

vi nginxsecrets.yaml

apiVersion: "v1"
kind: "Secret"
metadata:
  name: "nginxsecret"
  namespace: "default"
data:
  nginx.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIekNDQWdlZ0F3SUJBZ0lKQUp5M3lQK0pzMlpJT"
  nginx.key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ"

3) Deploy the Secret

kubectl apply -f nginxsecrets.yaml

4) View the newly created Secret

kubectl get secrets
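Hand-pasting base64 strings into a manifest, as above, is error-prone and gives the API server nothing to check. The following is an added example (not code from the original article): it renders the Secret from the two PEM files, uses the `kubernetes.io/tls` type with the `tls.crt` / `tls.key` keys that the API server validates as PEM, and then decodes the manifest back to confirm the data round-trips. It assumes a POSIX shell with GNU `base64`; the PEM contents are constructed placeholders, not real key material, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Build a kubernetes.io/tls Secret
# manifest from PEM files and verify the encoded data round-trips intact.
# Assumptions: POSIX sh with base64(1); PEM contents below are placeholders.

# base64 without line wrapping, portable across GNU (-w 0) and BSD (no -w).
b64() { base64 | tr -d '\n'; }

# Render the Secret manifest. type kubernetes.io/tls with tls.crt / tls.key
# lets the API server check that the values are a PEM certificate and key;
# an Opaque secret with nginx.crt / nginx.key keys gets no such check.
make_tls_secret() {   # name namespace crt_file key_file
  name=$1 ns=$2 crt=$3 key=$4
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$ns" "$(b64 < "$crt")" "$(b64 < "$key")"
}

# Pull one data key back out of a rendered manifest and decode it.
# base64 is an encoding, not encryption: anyone who can read the manifest or
# the Secret object recovers the private key exactly this way.
secret_field() {   # manifest_text key
  manifest=$1 field=$2
  printf '%s\n' "$manifest" | sed -n "s/^  $field: //p" | base64 -d
}

# Round-trip check: decoded manifest data must equal the original files,
# and the manifest must carry the TLS type.
verify_roundtrip() {   # crt_file key_file
  crt=$1 key=$2
  manifest=$(make_tls_secret nginxsecret default "$crt" "$key")
  [ "$(secret_field "$manifest" tls.crt)" = "$(cat "$crt")" ] || return 1
  [ "$(secret_field "$manifest" tls.key)" = "$(cat "$key")" ] || return 1
  printf '%s\n' "$manifest" | grep -q '^type: kubernetes.io/tls$'
}

# Constructed placeholder PEM files (not real key material).
workdir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----' > "$workdir/nginx.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$workdir/nginx.key"

make_tls_secret nginxsecret default "$workdir/nginx.crt" "$workdir/nginx.key"
verify_roundtrip "$workdir/nginx.crt" "$workdir/nginx.key" && echo "round-trip OK"
```

With a real certificate and key, `kubectl create secret tls nginxsecret --cert=nginx.crt --key=nginx.key --dry-run=client -o yaml` produces the same shape of manifest. Whichever way the Secret is built, the cluster stores it base64-encoded, not encrypted, unless encryption at rest is configured for etcd, so access to it is controlled by RBAC on the Secret object rather than by the encoding.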

5) Edit the corresponding Deployment and Service configuration file

vi nginx-https.yaml

apiVersion: v1
kind: Service
metadata:
  name: nginx-https
  labels:
    run: nginx-https
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443  # newly added port 443
    protocol: TCP
    name: https
  selector:
    run: nginx-https
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-https
spec:
  selector:
    matchLabels:
      run: nginx-https
  replicas: 1
  template:
    metadata:
      labels:
        run: nginx-https
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: nginxsecret  # must match the name of the Secret created above
      containers:
      - name: nginxhttps
        image: nginx
        ports:
        - containerPort: 443
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/ssl   # mount point for the certificate files
          name: secret-volume

Deploy the Deployment and Service

kubectl apply -f nginx-https.yaml

6) Log in to the pod and configure SSL; the Secret only adds the certificate files, the nginx configuration file still has to be changed

kubectl exec -it nginx-https-6575cc58f5-7p28z -- /bin/bash

sed -i 'N;2a\ listen 443 ssl;' /etc/nginx/conf.d/default.conf

sed -i 'N;4a\ ssl_certificate /etc/nginx/ssl/nginx.crt;' /etc/nginx/conf.d/default.conf

sed -i 'N;6a\ ssl_certificate_key /etc/nginx/ssl/nginx.key;' /etc/nginx/conf.d/default.conf

nginx -s reload

7) Verify

Get the pod IP

kubectl get pods -o yaml | grep -i podip

curl -k https://10.244.3.5

-k is needed because the certificate is not trusted; it lets curl establish the TLS connection and transfer data without verifying the certificate

Where the browser lists its trusted certificate authorities: browser settings -> Privacy and security -> Certificate management

Path on Linux: /etc/ssl/certs

Get the Service IP

kubectl get svc | grep nginx-https | awk '{print $3}'

Access test:

curl -k https://10.1.71.99

Get the Service's endpoints

kubectl get ep nginx-https
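`curl -k` proves only that something answers on port 443; it does not prove that the certificate from the Secret is the one being served. The following is an added example (not code from the original article) that verifies the endpoint without `-k`: it issues the self-signed certificate with a subjectAltName so that hostname verification can match `my-nginx` (the article's `openssl req` command plus `-addext`), checks the certificate offline, and then compares the certificate's SHA-256 fingerprint with the one the server presents, using `--cacert` and `--resolve` so curl trusts exactly this certificate for exactly this IP. It assumes `openssl` and `curl` on PATH; the IP `10.244.3.5` from the article is only a sample value passed by the caller, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Verify the HTTPS endpoint by
# pinning the self-signed certificate instead of using curl -k.
# Assumptions: openssl(1) and curl(1) on PATH; pod/service IP supplied by caller.

# Self-signed certificate as in the article, plus a subjectAltName: TLS clients
# match the host name against the SAN, so CN=my-nginx alone is not enough.
make_cert() {   # output_dir
  dir=$1
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/nginx.key" -out "$dir/nginx.crt" \
    -subj "/CN=my-nginx/O=my-nginx" \
    -addext "subjectAltName=DNS:my-nginx" 2>/dev/null
}

# Does the certificate carry the given DNS SAN? (exit status is the answer)
cert_has_san() {   # cert_file dns_name
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Is the certificate inside its validity period right now?
cert_is_valid_now() {   # cert_file
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# SHA-256 fingerprint of the certificate file we put into the Secret.
local_fingerprint() {   # cert_file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the server actually presents.
served_fingerprint() {   # host ip port
  openssl s_client -connect "$2:$3" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# curl with the self-signed certificate as the only trust anchor and --resolve
# mapping the certificate's name to the pod/service IP: verification succeeds
# without -k, and fails loudly if a different certificate is served.
probe_https() {   # host ip cacert_file
  curl -sS --cacert "$3" --resolve "$1:443:$2" "https://$1/" -o /dev/null -w '%{http_code}\n'
}

# Usage against a running cluster (the IP is the article's sample pod IP):
#   d=$(mktemp -d); make_cert "$d"
#   cert_has_san "$d/nginx.crt" my-nginx && echo "SAN ok"
#   [ "$(local_fingerprint "$d/nginx.crt")" = "$(served_fingerprint my-nginx 10.244.3.5 443)" ] \
#     && echo "served certificate matches the Secret"
#   probe_https my-nginx 10.244.3.5 "$d/nginx.crt"
```

A fingerprint mismatch after a redeploy usually means the Secret was updated but the pod still holds the old files, or a different Secret is mounted; `kubectl get secret nginxsecret -o jsonpath='{.data.nginx\.crt}' | base64 -d | openssl x509 -noout -fingerprint -sha256` shows what the cluster currently holds.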

5. Entering the container to edit the configuration by hand is not nice, and it is not necessary: pass the nginx configuration into the container with a ConfigMap and use it the same way as the Secret

vi https-nginx-configmap.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-nginx
spec:
  selector:
    matchLabels:
      run: https-nginx
  replicas: 2
  template:
    metadata:
      labels:
        run: https-nginx
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: nginxsecret
      - name: config-volume
        configMap:
          name: nginx-config
      containers:
      - name: https-nginx
        image: nginx
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - mountPath: /etc/nginx/ssl
          name: secret-volume
        - mountPath: /etc/nginx/conf.d
          name: config-volume
---
apiVersion: v1
kind: Service
metadata:
  name: https-nginx
  labels:
    run: https-nginx
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    targetPort: 443
    protocol: TCP
    name: https
  selector:
    run: https-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    server {
        listen       80;
        listen  [::]:80;
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate    /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key    /etc/nginx/ssl/nginx.key;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }

kubectl apply -f https-nginx-configmap.yaml

kubectl get deployments

kubectl get svc

kubectl get cm

Thank you for reading. That covers "How to verify Secrets and ConfigMaps in Kubernetes"; after working through this article you should have a better grasp of the question, though the details of use still need to be verified in practice. This is 亿速云; the editor will keep publishing more articles on related topics, so stay tuned.
