k8s之Secret

简介: k8s之Secret

Create Generic Secret

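创建Generic Secret
注意:Secret 的 data 字段只是 base64 编码,并未加密,任何能读取该对象的人都可以直接解码出明文;若需要落盘加密,要在 API Server 上另行配置静态加密(encryption at rest)。另外,--from-literal 会把明文密码留在 shell 历史和进程参数中,实际环境建议改用 --from-file 或 --from-env-file 从文件读取。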
root@master:~# kubectl create secret generic mysql-secret --from-literal=root.pass='lili' --from-literal=wp.user='wpuser' --from-literal=wp.pass='WPp@ss' --from-literal=db.name='wpdb' --dry-run=client -oyaml
apiVersion: v1
data:
db.name: d3BkYg==
root.pass: bGlsaQ==
wp.pass: V1BwQHNz
wp.user: d3B1c2Vy
kind: Secret
metadata:
creationTimestamp: null
name: mysql-secret

root@master:~# kubectl create secret generic mysql-secret --from-literal=root.pass='lili' --from-literal=wp.user='wpuser' --from-literal=wp.pass='WPp@ss' --from-literal=db.name='wpdb'
secret/mysql-secret created

root@master:~# kubectl get secret
NAME TYPE DATA AGE
mysql-secret Opaque 4 4s
Pod基于环境变量引用Secret
root@master:~# cat mysql-secret.yaml
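# Pod that runs MySQL and takes its root password from the mysql-secret Secret.
apiVersion: v1
kind: Pod
metadata:
  name: mysql
spec:
  containers:
  - name: mysql
    image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/mysql:5.7
    env:
    # Environment variable understood by the mysql image.
    # Values injected this way are readable by anything that can see the
    # container's environment (the `printenv` verification step shows the
    # plaintext). Mounting the Secret as a volume keeps it out of the
    # environment; the official mysql image also accepts
    # MYSQL_ROOT_PASSWORD_FILE for that purpose.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:            # use the value of a Secret key as the password
          name: mysql-secret
          key: root.pass         # the key whose value is injected
          optional: false        # the Secret and key must exist for the container to start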
      

root@master:~# kubectl apply -f mysql-secret.yaml
pod/mysql created

root@master:~# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 12s 10.244.1.26 jgswy-node02
验证
root@master:~# kubectl exec -it mysql -- /bin/bash

bash-4.2# printenv
HOSTNAME=mysql
TERM=xterm
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
MYSQL_VERSION=5.7.44-1.el7
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_HOST=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
MYSQL_SHELL_VERSION=8.0.35-1.el7
SHLVL=1
HOME=/root
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
MYSQL_MAJOR=5.7
GOSU_VERSION=1.16
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
MYSQL_ROOT_PASSWORD=lili #注入的环境变量
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
_=/usr/bin/printenv

bash-4.2# mysql -uroot -plili -h127.0.0.1
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.44 MySQL Community Server (GPL)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Create a TLS secret

准备证书
root@jmaster:/data/learning-k8s/examples/configmaps_and_secrets# ls
certs.d configmaps-volume-demo.yaml nginx-ssl-conf.d secret-nginx-certs.yaml secrets-volume-demo.yaml
configmap-nginx-cfg.yaml downwardapi-demo.yaml projected-demo.yaml secrets-demo.yaml
configmaps-env-demo.yaml nginx-conf.d secret-mysql.yaml secrets-env-demo.yaml

root@master:/data/learning-k8s/examples/configmaps_and_secrets# ls certs.d/
nginx.crt nginx.key
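创建secret
注意:下面的命令带 -oyaml,会把 tls.key(私钥)以 base64 形式完整输出到终端;base64 可直接解码,因此这类输出不应粘贴到文档、工单或代码仓库中。本文中出现的证书和私钥已经公开,只能当作演示数据,不要在任何真实环境中复用。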
root@master:/data/learning-k8s/examples/configmaps_and_secrets# kubectl create secret tls nginx-tls --cert=./certs.d/nginx.crt --key=./certs.d/nginx.key -oyaml
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURsVENDQW4yZ0F3SUJBZ0lVR2Zya05FeGZiS2N5Yy9LYkpLUXJ5MzRTcHI0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1dqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdNQjBKbGFXcHBibWN4RURBT0JnTlZCQWNNQjBKbAphV3BwYm1jeER6QU5CZ05WQkFvTUJrUmxkazl3Y3pFV01CUUdBMVVFQXd3TmQzZDNMbWxzYVc1MWVDNXBiekFlCkZ3MHlNREEwTVRVd05UQXdORE5hRncweU1EQTFNVFV3TlRBd05ETmFNRm94Q3pBSkJnTlZCQVlUQWtOT01SQXcKRGdZRFZRUUlEQWRDWldscWFXNW5NUkF3RGdZRFZRUUhEQWRDWldscWFXNW5NUTh3RFFZRFZRUUtEQVpFWlhaUApjSE14RmpBVUJnTlZCQU1NRFhkM2R5NXBiR2x1ZFhndWFXOHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRE1pNSsyUStZTlNxeS9vVVhNQzAraklqc2puS2M5SzdjVzYweFhrQzZOa3lSY3BZSmwKdWM4ckFYRUxyZjUxMmJUWGhxb0hqVG5JeFExVFROeDNRbE9oTHBYVjJCbGtObVNzY0w0Uy9IL1VEWTlQayt0cwpiOGlEZSszdlBEQ1ZiQytvOEFYYUhUaktaQ0pXc0oxY0RJY0JGenQ0MFQzUWswL1hQcVYrM1pERWFNcW9LYklJCmRvbENLLzZiN1BlaElXVVFWeFVDK3NoZ0xVbjJReXJmK0UrRC9TQmZFOVd3UGp0YXdCeHdxaDZOczV1dEVsL0cKVmltbEMxM2tsWTNGQ1RMWEhFU3hNKzdGNlU2VUdpYm1CWFRsLzZlV1I2bmlVdW1kMjhyU2NneXVDTnA1NGY2cAp1VGFMK0ZNbG0wN0NiS3lLWHhDZHpVNXVrSFlOYXlqa3p3ck5BZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlE1ClhNbkhJanZYZFVCb1BEd3BpbjdiVWN6SHJqQWZCZ05WSFNNRUdEQVdnQlE1WE1uSElqdlhkVUJvUER3cGluN2IKVWN6SHJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlVwU1pSNUE5Rgo2bVZhSU16TUl0anZadXFpRDNpeG9PN3NEdEZCcGVsYVZNV0dIaTZ3cFlTL21kNkNmS0hQQ3pySDhnNmpWTGhaClRpRWd5OVREUG5wMmU0VWNBUzdYMVBPM21GWTVscGpVakxJZjR4bUZrUy9FdFQ1ZE5TbUF1NGxGN2ZrRkEraEYKc244b2s5bk9DNk05OVBxbmQ1SlpVR1pwRFJCK1NQblpIVzZ3R2JiSVd3R3hPQmNtejBBMHNJNTkyVm9POThYKwoxK2w4MEVmdkhjRDJQRmdmSzhqS3g5eEl0UjEwcnBtVE4yQmtPQlBiREZ4SHZEcTNjRlRBSVVhMGhWS04xT0xJCk1oSEsvVnJmRUxHanJvY0pTZEFxcGpPTFl0R2JQN09sWURHTzFPRDk2ZEVTYStWWTRXYnFqYzc5S0luREQrWnkKWVlqbkJKR2F5VExyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBekl1ZnRrUG1EVXFzdjZGRnpBdFBveUk3STV5blBTdTNGdXRNVjVBdWpaTWtYS1dDClpiblBLd0Z4QzYzK2RkbTAxNGFxQjQwNXlNVU5VMHpjZDBKVG9TNlYxZGdaWkRaa3JIQytFdngvMUEyUFQ1UHIKYkcvSWczdnQ3end3bFd3dnFQQUYyaDA0eW1RaVZyQ2RYQXlIQVJjN2VORTkwSk5QMXo2bGZ0MlF4R2pLcUNteQpDSGFKUWl2K20rejNvU0ZsRUZjVkF2cklZQzFKOWtNcTMvaFBnLzBnWHhQVnNENDdXc0FjY0tvZWpiT2JyUkpmCnhsWXBwUXRkNUpXTnhRa3kxeHhFc1RQdXhlbE9sQm9tNWdWMDVmK25sa2VwNGxMcG5kdkswbklNcmdqYWVlSCsKcWJrMmkvaFRKWnRPd215c2lsOFFuYzFPYnBCMkRXc281TThLelFJREFRQUJBb0lCQUNjeWpvMndIMUxtdjRvTgpqc0dXWFZHR3lzeDlSYk04UUY3ZEFvazVNU0tpVXZLS0tSM3phSmIyTk1Lbk9qODlWQ0dGUmVvaWp6TkJSOWR4CndFSCtiT1pUZGhVL3owWGNBcGpsRmhldldaTzZjWDh2ZW9zU05OdTFrUmdxY2FrQXpYVlRZZHUxZzkrTkp1TnoKL3dQWHhydFh4MmJVdWtMUktCaTRnYUI1TnpmY0FSdzBIWG9aUjExbVRydkhLSWRSQUx4Q21KR09aTlg5RjhGMQpsQ1dCN2hjWVNkRVg5MTBkT2VFTlRzUUNMeVJvaDdXWkJSejBEUVBYNnNJd2FJTGtFT0puSVQ0K3JYNldCZGdkCmRkRjN3L0ZYcGxFdW9BSVplSDJmZnkvMzNyTFpSSXlSZWFEVnJUeHFUMnVOQlVkbkJPN1NFa2VYV25kUEh2V2MKaUpRUGxTRUNnWUVBOXdGQmpzOGk2a0YrWDM1N09ueFpuZXB4WnVZMGhqRk5BcVdPSGlUMWsvcWt6T2pRSG1kMgpHSnJZZjc0OUc3VHB2R2Y2TytzalIvZm96ODVsdFViSnh5Wk1IK2JqQzgwM0VUeXp2TmlXZzE2MVp6Nyt5NGpKClI5dlhCS05vd0NlazVFYVRyZ3owZkp5bjJ1WlRDak1aUE1WVVFBRmlYc0RtUTAybUp6dVdwTmtDZ1lFQTAvNkkKTjg2a2szalRzaHhvTEM5VUR0K0x4VTVaUE8vS0t0a21SUEorYU1IbS9uUXJYazZ6a1pJVUF2OHIrOWZXVXdHbQpYUmd2QjVlaHAvT1htdkxLWEhSVmhhVjc3QTZvMEVQVFRrcU5iZU5GSHg1cVFObU85ZHdIVTNSTW5PeWk0TnluCmFJNlljNGIvMWJXdXlBYlVlc0tEdXI3L0FMOFo5UU1XVUVUb2pSVUNnWUF2bzY1aFBOSWZIRUtqYUdHY0JoL0MKdFZUcDQ3eDlwVVNWSGhrcTl6WG1OSkZVZEJLdnlvU2Nla0VIWWttbTdsMm1XT2VLWnUrSEVlbDFLdm15M05STgo5TFQ1OGk0WU9KeEdWczdUdlhKS0pCb1lyNjIwMDh6K2J3Z3BmTnJYTk00NHVPUUN6YnpaeTkwVCt4aEkvMUgrCnhwQlpSK3NSRzJOTjE4d1VCUW9wQVFLQmdFdnNHWDdiRytmUTJ3Z3Iwa2NZd0NML2ZvQXdPaGR2elZpaEltcUkKNmlxOFh1ejhUOWZibWNYbHFoTVVyZnpvNU5JZmdpUlBGL0RCSmwwUENWbXQ0RGxTVkpxamxJa0xDdnhqZmhiSQo3blBQZEI3YjlyTzQ5dEVvZHRzMWlJYWUzUXBwRys5L09pd055aXdRZ0VNVTV4Mzc4Yzk4dmJqWHVBVWVrT3c0CmNZeXRBb0dBTEtNazBwMUUrZHJtVzVuS3VMa2dyNDY
zbmtlenBld2Y4eVJ2UHZQcUo4UkdobTBGblphOW1mQ0YKd1JCMDh1MkZ6YTRHSldEY0p2VG9kV3NtSmpCVHRMQ0wzaFlCSmNNQXNVNEdEbXBCZDdQMVBQQ1ZCb0JMeVJjbApyK2VTOFJzZTRwTERjOWdpQk9ZSGp4Q2hsVktSdVhESmh2V2k0azZVNGY5bStBNmp4STg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
creationTimestamp: "2024-09-29T07:34:46Z"
name: nginx-tls
namespace: default
resourceVersion: "3323132"
uid: 9f5a998d-1d30-4746-9dfc-6ac16483f237
type: kubernetes.io/tls

root@master:/data/learning-k8s/examples/configmaps_and_secrets# kubectl get secret
NAME TYPE DATA AGE
mysql-secret Opaque 4 5h18m
nginx-tls kubernetes.io/tls 2 74s
Pod通过卷挂载证书
root@master:~# cat nginx-tls.yaml
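# Pod that mounts the nginx-tls Secret as files under /etc/nginx/certs.d/.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-tls
spec:
  containers:
  - name: nginx
    # No tag is given, so :latest is pulled; pin a version or digest for
    # reproducible deployments.
    image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/nginx
    volumeMounts:
    - name: certs
      mountPath: /etc/nginx/certs.d/
      readOnly: true             # the container only needs to read the certificate and key
  volumes:
  - name: certs
    secret:
      secretName: nginx-tls      # keys tls.crt and tls.key become files in the mount
      optional: false            # the Secret must exist for the Pod to start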

root@master:~# kubectl apply -f nginx-tls.yaml -oyaml

root@master:~# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 122m 10.244.1.26 jgswy-node02
nginx-tls 1/1 Running 0 14s 10.244.1.64 jgswy-node02
验证
root@master:~# kubectl exec -it nginx-tls -- /bin/sh

pwd

/etc/nginx/certs.d

ls

tls.crt tls.key
Create docker-registry secret

创建docker-registry secret
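当启动的Pod需要到私有镜像仓库中下载镜像的时候,需要提供仓库的账号密码等信息。
可以通过配置imagePullSecrets来指定认证时使用的secret,kubelet下载镜像的时候会自动加载secret中的信息。
注意:下面命令中 --docker-username 的值使用了中文弯引号(‘ ’),shell 不会把它们当作引号处理,因此它们被原样写进了用户名(见后面解码结果中的 "‘admin’"),实际使用时应改为英文单引号。另外,.dockerconfigjson 只是 base64 编码,任何能读取该 Secret 的人都可以像下文那样解码出明文密码。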

root@master:~# kubectl create secret docker-registry dockerhub-secret --docker-username=‘admin’ --docker-password='P@ssw0rd' --docker-email='666163.com' -oyaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiLigJhhZG1pbuKAmSIsInBhc3N3b3JkIjoiUEBzc3cwcmQiLCJlbWFpbCI6IjY2NjE2My5jb20iLCJhdXRoIjoiNG9DWVlXUnRhVzdpZ0prNlVFQnpjM2N3Y21RPSJ9fX0=
kind: Secret
metadata:
creationTimestamp: "2024-09-29T08:56:15Z"
name: dockerhub-secret
namespace: default
resourceVersion: "3332988"
uid: ef39c4ad-ce3e-4c8d-a1ee-300d7d374633
type: kubernetes.io/dockerconfigjson

root@master:~# kubectl get secret
NAME TYPE DATA AGE
dockerhub-secret kubernetes.io/dockerconfigjson 1 6s
mysql-secret Opaque 4 6h38m
nginx-tls kubernetes.io/tls 2 81m
root@master:~# echo "eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiLigJhhZG1pbuKAmSIsInBhc3N3b3JkIjoiUEBzc3cwcmQiLCJlbWFpbCI6IjY2NjE2My5jb20iLCJhdXRoIjoiNG9DWVlXUnRhVzdpZ0prNlVFQnpjM2N3Y21RPSJ9fX0=" | base64 -d | jq .
{
"auths": {
"https://index.docker.io/v1/": {
"username": "‘admin’",
"password": "P@ssw0rd",
"email": "666163.com",
"auth": "4oCYYWRtaW7igJk6UEBzc3cwcmQ="
}
}
}
配置带tls证书的Nginx虚拟主机

准备nginx配置文件以及证书
root@master:s# ls nginx-conf.d/
myserver.conf myserver-gzip.cfg myserver-status.cfg
root@master:# ls nginx-ssl-conf.d/
myserver.conf myserver-gzip.cfg myserver-status.cfg

root@jgswy-master:/data/learning-k8s/examples/configmaps_and_secrets# cat nginx-conf.d/myserver.conf
# Plain-HTTP virtual host for www.ik8s.io, listening on port 8080.
server {
listen 8080;
server_name www.ik8s.io;

# Pull in every myserver-*.cfg snippet from the conf.d directory.
include /etc/nginx/conf.d/myserver-*.cfg;

# Serve files from /usr/share/nginx/html.
location / {
    root /usr/share/nginx/html;
}

}
root@master:# cat nginx-ssl-conf.d/myserver.conf
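# HTTPS virtual host; the certificate and key come from the mounted TLS Secret.
server {
    listen 443 ssl;
    server_name www.ik8s.io;
    # NOTE(review): the port-80 redirect server in this same file uses
    # server_name www.ilinux.io; confirm which name the certificate covers.

    # Certificate and private key, read from the directory where the
    # TLS Secret is mounted (/etc/nginx/certs/).
    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;

    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # Pull in every myserver-*.cfg snippet from the conf.d directory.
    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}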

# Plain-HTTP listener: answers requests on port 80 with a permanent (301)
# redirect to the same URI over HTTPS.
server {
listen 80;
server_name www.ilinux.io;
# NOTE(review): $host is derived from the request (request line or Host
# header), so if this server also handles requests for other names the
# redirect target follows what the client sent; confirm, or redirect to a
# fixed server name instead.
return 301 https://$host$request_uri;
}
创建nginx配置文件configmap
root@master:# kubectl create configmap nginx-sslvhosts-confs --from-file=./nginx-ssl-conf.d/
configmap/nginx-sslvhosts-confs created

root@jgswy-master:/data/learning-k8s/examples/configmaps_and_secrets# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 20d
nginx-sslvhosts-confs 3 22s
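创建secret 证书文件
注意:该清单的 data.tls.key 中直接包含 base64 编码的私钥,把这样的文件提交到代码仓库等同于提交明文私钥;实际环境中应在部署时从受保护的密钥文件生成 Secret,或先加密再入库。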
root@master:# cat secret-nginx-certs.yaml
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURsVENDQW4yZ0F3SUJBZ0lVR2Zya05FeGZiS2N5Yy9LYkpLUXJ5MzRTcHI0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1dqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdNQjBKbGFXcHBibWN4RURBT0JnTlZCQWNNQjBKbAphV3BwYm1jeER6QU5CZ05WQkFvTUJrUmxkazl3Y3pFV01CUUdBMVVFQXd3TmQzZDNMbWxzYVc1MWVDNXBiekFlCkZ3MHlNREEwTVRVd05UQXdORE5hRncweU1EQTFNVFV3TlRBd05ETmFNRm94Q3pBSkJnTlZCQVlUQWtOT01SQXcKRGdZRFZRUUlEQWRDWldscWFXNW5NUkF3RGdZRFZRUUhEQWRDWldscWFXNW5NUTh3RFFZRFZRUUtEQVpFWlhaUApjSE14RmpBVUJnTlZCQU1NRFhkM2R5NXBiR2x1ZFhndWFXOHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRE1pNSsyUStZTlNxeS9vVVhNQzAraklqc2puS2M5SzdjVzYweFhrQzZOa3lSY3BZSmwKdWM4ckFYRUxyZjUxMmJUWGhxb0hqVG5JeFExVFROeDNRbE9oTHBYVjJCbGtObVNzY0w0Uy9IL1VEWTlQayt0cwpiOGlEZSszdlBEQ1ZiQytvOEFYYUhUaktaQ0pXc0oxY0RJY0JGenQ0MFQzUWswL1hQcVYrM1pERWFNcW9LYklJCmRvbENLLzZiN1BlaElXVVFWeFVDK3NoZ0xVbjJReXJmK0UrRC9TQmZFOVd3UGp0YXdCeHdxaDZOczV1dEVsL0cKVmltbEMxM2tsWTNGQ1RMWEhFU3hNKzdGNlU2VUdpYm1CWFRsLzZlV1I2bmlVdW1kMjhyU2NneXVDTnA1NGY2cAp1VGFMK0ZNbG0wN0NiS3lLWHhDZHpVNXVrSFlOYXlqa3p3ck5BZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlE1ClhNbkhJanZYZFVCb1BEd3BpbjdiVWN6SHJqQWZCZ05WSFNNRUdEQVdnQlE1WE1uSElqdlhkVUJvUER3cGluN2IKVWN6SHJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlVwU1pSNUE5Rgo2bVZhSU16TUl0anZadXFpRDNpeG9PN3NEdEZCcGVsYVZNV0dIaTZ3cFlTL21kNkNmS0hQQ3pySDhnNmpWTGhaClRpRWd5OVREUG5wMmU0VWNBUzdYMVBPM21GWTVscGpVakxJZjR4bUZrUy9FdFQ1ZE5TbUF1NGxGN2ZrRkEraEYKc244b2s5bk9DNk05OVBxbmQ1SlpVR1pwRFJCK1NQblpIVzZ3R2JiSVd3R3hPQmNtejBBMHNJNTkyVm9POThYKwoxK2w4MEVmdkhjRDJQRmdmSzhqS3g5eEl0UjEwcnBtVE4yQmtPQlBiREZ4SHZEcTNjRlRBSVVhMGhWS04xT0xJCk1oSEsvVnJmRUxHanJvY0pTZEFxcGpPTFl0R2JQN09sWURHTzFPRDk2ZEVTYStWWTRXYnFqYzc5S0luREQrWnkKWVlqbkJKR2F5VExyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBekl1ZnRrUG1EVXFzdjZGRnpBdFBveUk3STV5blBTdTNGdXRNVjVBdWpaTWtYS1dDClpiblBLd0Z4QzYzK2RkbTAxNGFxQjQwNXlNVU5VMHpjZDBKVG9TNlYxZGdaWkRaa3JIQytFdngvMUEyUFQ1UHIKYkcvSWczdnQ3end3bFd3dnFQQUYyaDA0eW1RaVZyQ2RYQXlIQVJjN2VORTkwSk5QMXo2bGZ0MlF4R2pLcUNteQpDSGFKUWl2K20rejNvU0ZsRUZjVkF2cklZQzFKOWtNcTMvaFBnLzBnWHhQVnNENDdXc0FjY0tvZWpiT2JyUkpmCnhsWXBwUXRkNUpXTnhRa3kxeHhFc1RQdXhlbE9sQm9tNWdWMDVmK25sa2VwNGxMcG5kdkswbklNcmdqYWVlSCsKcWJrMmkvaFRKWnRPd215c2lsOFFuYzFPYnBCMkRXc281TThLelFJREFRQUJBb0lCQUNjeWpvMndIMUxtdjRvTgpqc0dXWFZHR3lzeDlSYk04UUY3ZEFvazVNU0tpVXZLS0tSM3phSmIyTk1Lbk9qODlWQ0dGUmVvaWp6TkJSOWR4CndFSCtiT1pUZGhVL3owWGNBcGpsRmhldldaTzZjWDh2ZW9zU05OdTFrUmdxY2FrQXpYVlRZZHUxZzkrTkp1TnoKL3dQWHhydFh4MmJVdWtMUktCaTRnYUI1TnpmY0FSdzBIWG9aUjExbVRydkhLSWRSQUx4Q21KR09aTlg5RjhGMQpsQ1dCN2hjWVNkRVg5MTBkT2VFTlRzUUNMeVJvaDdXWkJSejBEUVBYNnNJd2FJTGtFT0puSVQ0K3JYNldCZGdkCmRkRjN3L0ZYcGxFdW9BSVplSDJmZnkvMzNyTFpSSXlSZWFEVnJUeHFUMnVOQlVkbkJPN1NFa2VYV25kUEh2V2MKaUpRUGxTRUNnWUVBOXdGQmpzOGk2a0YrWDM1N09ueFpuZXB4WnVZMGhqRk5BcVdPSGlUMWsvcWt6T2pRSG1kMgpHSnJZZjc0OUc3VHB2R2Y2TytzalIvZm96ODVsdFViSnh5Wk1IK2JqQzgwM0VUeXp2TmlXZzE2MVp6Nyt5NGpKClI5dlhCS05vd0NlazVFYVRyZ3owZkp5bjJ1WlRDak1aUE1WVVFBRmlYc0RtUTAybUp6dVdwTmtDZ1lFQTAvNkkKTjg2a2szalRzaHhvTEM5VUR0K0x4VTVaUE8vS0t0a21SUEorYU1IbS9uUXJYazZ6a1pJVUF2OHIrOWZXVXdHbQpYUmd2QjVlaHAvT1htdkxLWEhSVmhhVjc3QTZvMEVQVFRrcU5iZU5GSHg1cVFObU85ZHdIVTNSTW5PeWk0TnluCmFJNlljNGIvMWJXdXlBYlVlc0tEdXI3L0FMOFo5UU1XVUVUb2pSVUNnWUF2bzY1aFBOSWZIRUtqYUdHY0JoL0MKdFZUcDQ3eDlwVVNWSGhrcTl6WG1OSkZVZEJLdnlvU2Nla0VIWWttbTdsMm1XT2VLWnUrSEVlbDFLdm15M05STgo5TFQ1OGk0WU9KeEdWczdUdlhKS0pCb1lyNjIwMDh6K2J3Z3BmTnJYTk00NHVPUUN6YnpaeTkwVCt4aEkvMUgrCnhwQlpSK3NSRzJOTjE4d1VCUW9wQVFLQmdFdnNHWDdiRytmUTJ3Z3Iwa2NZd0NML2ZvQXdPaGR2elZpaEltcUkKNmlxOFh1ejhUOWZibWNYbHFoTVVyZnpvNU5JZmdpUlBGL0RCSmwwUENWbXQ0RGxTVkpxamxJa0xDdnhqZmhiSQo3blBQZEI3YjlyTzQ5dEVvZHRzMWlJYWUzUXBwRys5L09pd055aXdRZ0VNVTV4Mzc4Yzk4dmJqWHVBVWVrT3c0CmNZeXRBb0dBTEtNazBwMUUrZHJtVzVuS3VMa2dyNDY
zbmtlenBld2Y4eVJ2UHZQcUo4UkdobTBGblphOW1mQ0YKd1JCMDh1MkZ6YTRHSldEY0p2VG9kV3NtSmpCVHRMQ0wzaFlCSmNNQXNVNEdEbXBCZDdQMVBQQ1ZCb0JMeVJjbApyK2VTOFJzZTRwTERjOWdpQk9ZSGp4Q2hsVktSdVhESmh2V2k0azZVNGY5bStBNmp4STg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
creationTimestamp: null
name: nginx-ssl-secret
type: kubernetes.io/tls
root@master:# kubectl apply -f secret-nginx-certs.yaml
secret/nginx-ssl-secret created
root@master:# kubectl get secret
NAME TYPE DATA AGE
dockerhub-secret kubernetes.io/dockerconfigjson 1 18h
mysql-secret Opaque 4 24h
nginx-ssl-secret kubernetes.io/tls 2 6s
nginx-tls kubernetes.io/tls 2 19h
创建Pod挂载配置文件和证书文件
root@master:# cat secrets-volume-demo.yaml

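# Maintainer: MageEdu mage@magedu.com
# URL: http://www.magedu.com
#
# Pod that runs nginx with its TLS certificate/key mounted from a Secret and
# its virtual-host configuration mounted from a ConfigMap.
apiVersion: v1
kind: Pod
metadata:
  name: secrets-volume-demo
  namespace: default
spec:
  containers:
  # No tag is given, so :latest is pulled; pin a version or digest for
  # reproducible deployments.
  - image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/nginx
    name: ngxserver
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/     # path referenced by ssl_certificate / ssl_certificate_key
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/    # replaces the image's conf.d with the ConfigMap contents
      readOnly: true
  volumes:
  - name: nginxcerts
    secret:
      secretName: nginx-ssl-secret     # provides tls.crt and tls.key
  - name: nginxconfs
    configMap:
      name: nginx-sslvhosts-confs
      optional: false                  # the ConfigMap must exist for the Pod to start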
root@master:# kubectl apply -f secrets-volume-demo.yaml
pod/secrets-volume-demo created
root@master:# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql 1/1 Running 0 20h
nginx-tls 1/1 Running 0 18h
secrets-volume-demo 1/1 Running 0 21s