------> Course videos are also published on Toutiao and Bilibili
Hello everyone, I am 博哥爱运维. How does K8s manage service configuration?
For a container, one way to change the configuration baked into an image is to do it at the Dockerfile stage: copy the modified config file into the image and rebuild. For images whose configuration never changes, hard-coding it this way is acceptable, but as soon as the service needs a configuration change the image has to be rebuilt and pushed again, which quickly becomes a burden. Kubernetes treats configuration as a first-class concern and offers two resources for it: ConfigMap, for ordinary non-sensitive configuration, and Secret, for confidential values such as passwords and private keys. Earlier chapters used them in passing without explaining them; this chapter works through them in detail.
One point to fix in mind before reading the manifest: a Secret's data values are base64-encoded, not encrypted. Anyone who is allowed to get the Secret object can decode them with one command, and unless encryption at rest is configured on the API server they are stored in etcd in the same form. What protects a Secret is RBAC (who may read it) and how the pod exposes it; the encoding only keeps arbitrary bytes YAML-safe.
I have prepared a Deployment manifest that uses busybox as the service image. It exercises both ways of consuming a ConfigMap or Secret: injecting individual keys as environment variables (configMapKeyRef / secretKeyRef) and mounting keys as files (a volume with subPath, plus defaultMode to set the file permissions). One complete manifest is enough to understand the mechanics and get comfortable using ConfigMap and Secret on K8s; if it does not all click at once, keep this YAML as a reference for production configs, it becomes second nature with use. Two caveats to carry along: environment variables and subPath file mounts are read once at container start and are not updated when the ConfigMap or Secret changes (only whole-directory volume mounts are refreshed by the kubelet, after a delay), which is why a restart mechanism such as Reloader is covered later; and the busybox command below echoes the secret values to stdout purely for demonstration, something a real workload must never do, since container logs are far more widely readable than the Secret itself. The manifest is as follows:
configmap-secret-example-simple.yaml
---
# configmap (plain key/value pairs, consumed below as environment variables)
# kubectl create configmap localconfig-env --from-literal=log_level_test=TEST --from-literal=log_level_produce=PRODUCE
apiVersion: v1
kind: ConfigMap
metadata:
  name: localconfig-env
data:
  log_level_test: TEST
  log_level_produce: PRODUCE
---
# configmap (whole files, consumed below as mounted files)
# kubectl create configmap localconfig-file --from-file=localconfig-test=localconfig-test.conf --from-file=localconfig-produce=localconfig-produce.conf
apiVersion: v1
kind: ConfigMap
metadata:
  name: localconfig-file
data:
  localconfig-produce: |
    TEST_RELEASE = False
    PORT = 80
    PROCESSES = 0
    MESSAGE = Produce
  localconfig-test: |
    TEST_RELEASE = True
    PORT = 8080
    PROCESSES = 1
    MESSAGE = Test
---
# secret (values under data: are base64 of the plaintext, nothing more)
# kubectl create secret generic mysecret --from-literal=mysql-root-password='BogeMysqlPassword' --from-literal=redis-root-password='BogeRedisPassword' --from-file=my_id_rsa=/root/.ssh/id_rsa --from-file=my_id_rsa_pub=/root/.ssh/id_rsa.pub
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  my_id_rsa: bXlfaWRfcnNhCg==
  my_id_rsa_pub: bXlfaWRfcnNhX3B1Ygo=
  mysql-root-password: Qm9nZU15c3FsUGFzc3dvcmQ=
  redis-root-password: Qm9nZVJlZGlzUGFzc3dvcmQ=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: test-busybox
  name: test-busybox
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: test-busybox
  template:
    metadata:
      labels:
        run: test-busybox
    spec:
      containers:
      - name: test-busybox
        image: registry.cn-shanghai.aliyuncs.com/acs/busybox:v1.29.2
        # Kubernetes expands $(VAR) from the container's env before the shell sees it
        args:
        - /bin/sh
        - -c
        - >
          echo "-------------------------------------------------";
          echo "TEST_ENV is:$(TEST_ENV)";
          echo "-------------------------------------------------";
          echo "PRODUCE_ENV is:$(PRODUCE_ENV)";
          echo "-------------------------------------------------";
          echo "secret MYSQL_ROOT_PASSWORD is:$(MYSQL_ROOT_PASSWORD)";
          echo "-------------------------------------------------";
          echo "secret REDIS_ROOT_PASSWORD is:$(REDIS_ROOT_PASSWORD)";
          echo "-------------------------------------------------";
          echo "/etc/local_config_test.py body is:";
          cat /etc/local_config_test.py;
          echo "-------------------------------------------------";
          echo "/etc/local_config_produce.py body is:";
          cat /etc/local_config_produce.py;
          echo "-------------------------------------------------";
          echo "/etc/id_rsa body is:";
          cat /etc/id_rsa;
          echo "-------------------------------------------------";
          echo "/etc/id_rsa.pub body is:";
          cat /etc/id_rsa.pub;
          echo "-------------------------------------------------";
          ls -ltr /etc;
          sleep 30000;
        # single keys injected as environment variables
        env:
        - name: TEST_ENV
          valueFrom:
            configMapKeyRef:
              name: localconfig-env
              key: log_level_test
        - name: PRODUCE_ENV
          valueFrom:
            configMapKeyRef:
              name: localconfig-env
              key: log_level_produce
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: mysql-root-password
        - name: REDIS_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: redis-root-password
        # single keys mounted as files; subPath mounts are not refreshed when the source changes
        volumeMounts:
        - name: testconfig
          mountPath: "/etc/local_config_test.py"
          subPath: localconfig-test
          readOnly: true
        - name: testconfig
          mountPath: "/etc/local_config_produce.py"
          subPath: localconfig-produce
          readOnly: true
        - name: testsecret
          mountPath: "/etc/id_rsa"
          subPath: my_id_rsa
          readOnly: true
        - name: testsecret
          mountPath: "/etc/id_rsa.pub"
          subPath: my_id_rsa_pub
          readOnly: true
      volumes:
      - name: testconfig
        configMap:
          name: localconfig-file
          defaultMode: 0660
      - name: testsecret
        secret:
          secretName: mysecret
          defaultMode: 0600   # private key material: owner read/write only
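To make the encoding point concrete, here is an added example (my own script, not code from the original page): it reproduces what `kubectl create secret generic` stores for `--from-literal` and `--from-file`, then decodes the page's own mysecret manifest back to plaintext with nothing but awk and base64. It assumes coreutils or busybox `base64` and writes the manifest to a temporary file so that it runs without a cluster; the in-cluster equivalent of each step is given in the comments.

```shell
#!/bin/sh
# Added example, not part of the original page: what `kubectl create secret
# generic` stores, and how little it takes to read it back.
# Assumptions: base64(1) from coreutils or busybox; the manifest below is the
# page's own mysecret, written to a temp file so no cluster is needed.
set -eu

encode_literal() {
  # --from-literal=key=value stores base64 of the exact bytes, no newline added
  printf '%s' "$1" | base64 | tr -d '\n'
}

encode_file() {
  # --from-file=key=path stores base64 of the file contents, trailing newline
  # included; a file holding "my_id_rsa\n" therefore becomes bXlfaWRfcnNhCg==
  base64 <"$1" | tr -d '\n'
}

decode_secret_value() {
  # Reverse of the above. In a cluster the equivalent is:
  #   kubectl get secret mysecret -o jsonpath='{.data.mysql-root-password}' | base64 -d
  printf '%s' "$1" | base64 -d
}

decode_secret_manifest() {
  # $1: Secret manifest. Prints key=plaintext for every entry under data:.
  # Anyone allowed to `get` the Secret can do exactly this, so RBAC on Secrets,
  # not the encoding, is the control that matters.
  awk '/^data:/ { d = 1; next } d && /^[^ ]/ { d = 0 } d && /^  [^ ]+: /' "$1" \
  | while IFS=': ' read -r key value; do
      printf '%s=%s\n' "$key" "$(decode_secret_value "$value")"
    done
}

# --- constructed input: the page's mysecret, verbatim ---
SECRET_MANIFEST=$(mktemp)
cat >"$SECRET_MANIFEST" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  my_id_rsa: bXlfaWRfcnNhCg==
  my_id_rsa_pub: bXlfaWRfcnNhX3B1Ygo=
  mysql-root-password: Qm9nZU15c3FsUGFzc3dvcmQ=
  redis-root-password: Qm9nZVJlZGlzUGFzc3dvcmQ=
EOF

echo "encode_literal BogeMysqlPassword -> $(encode_literal BogeMysqlPassword)"
echo "decoded data: entries of mysecret:"
decode_secret_manifest "$SECRET_MANIFEST"
```

Save it under any name and run it with sh. The two `--from-file` placeholders decode to `my_id_rsa` and `my_id_rsa_pub` followed by a newline, which tells you the sample was generated from files containing just those words rather than real keys; in a real manifest they would be a private key, readable by anyone with `get` on the Secret. For manifests kept in Git, the `stringData` field accepts plaintext and the API server encodes it for you, but it is just as readable, so a manifest with real Secret values belongs in a sealed or externally managed form, not in the repository.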
Automatic configuration reloader: Reloader
https://github.com/stakater/Reloader
What is Reloader
A Kubernetes controller to watch changes in ConfigMap and Secrets and then restart pods for Deployment, StatefulSet and DaemonSet
How to use Reloader
Add one of the following annotations to the metadata of the Deployment (or StatefulSet / DaemonSet) whose pods should be restarted. Pick one style; the alternatives are shown commented out, since the same annotation key cannot appear twice:
kind: Deployment
metadata:
  annotations:
    #------ all ConfigMaps and/or Secrets this workload references
    reloader.stakater.com/auto: "true"
    #------ only the ConfigMap named "foo-configmap"
    # configmap.reloader.stakater.com/reload: "foo-configmap"
    #------ several ConfigMaps
    # configmap.reloader.stakater.com/reload: "foo-configmap,bar-configmap,baz-configmap"
    #------ only the Secret named "foo-secret"
    # secret.reloader.stakater.com/reload: "foo-secret"
    #------ several Secrets
    # secret.reloader.stakater.com/reload: "foo-secret,bar-secret,baz-secret"
spec:
  template:
    metadata:
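What Reloader automates can be shown with a small added example (my own, not Reloader's code or anything from the original page). It re-implements the decision offline: hash only the data: block of a ConfigMap, compare it with the hash seen last time, and if it changed and the Deployment names that ConfigMap in its reload annotation (or carries the auto annotation and references the ConfigMap), emit the manual equivalent, `kubectl rollout restart`. Reloader itself does this through an API watch and by changing the pod template; the two ConfigMap versions and the Deployment stub below are constructed for the example and written to temporary files. It assumes 2-space YAML indentation in the manifests and sha256sum or shasum on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original page or the Reloader project: an
# offline re-implementation of the decision Reloader makes, to show why a
# ConfigMap edit turns into a rollout.
# Assumptions: manifests use 2-space indentation; a Deployment "watches" a
# ConfigMap if the name is listed in configmap.reloader.stakater.com/reload, or
# if reloader.stakater.com/auto is "true" and the manifest references the name.
set -eu

sha256_stdin() {
  # coreutils on Linux, perl shasum elsewhere
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

configmap_data_hash() {
  # $1: ConfigMap manifest. Hashes only the data: block, so label changes or a
  # resourceVersion bump do not count as a configuration change.
  awk '/^data:/ { d = 1; next } d && /^[^ ]/ { d = 0 } d' "$1" | sha256_stdin
}

deployment_watches_configmap() {
  # $1: Deployment manifest, $2: ConfigMap name.
  if sed -n 's|^ *configmap\.reloader\.stakater\.com/reload: *"\(.*\)".*|\1|p' "$1" \
       | tr ',' '\n' | grep -qxF -- "$2"; then
    return 0
  fi
  # auto mode: restart only if the ConfigMap is actually referenced
  # (configMapKeyRef or a configMap volume both carry "name: <cm>")
  if grep -q 'reloader\.stakater\.com/auto: *"true"' "$1" \
     && grep -qE "^ *name: *$2\$" "$1"; then
    return 0
  fi
  return 1
}

reload_decision() {
  # $1: Deployment manifest, $2: Deployment name, $3: ConfigMap name,
  # $4: hash seen last time, $5: hash now. Prints the action to take; the
  # kubectl command is the manual equivalent of Reloader changing the pod template.
  if [ "$4" = "$5" ]; then
    echo "no-op: $3 unchanged"
  elif deployment_watches_configmap "$1" "$3"; then
    echo "kubectl -n default rollout restart deployment/$2"
  else
    echo "no-op: $2 does not watch $3"
  fi
}

# --- constructed sample manifests (v1 is the page's localconfig-env) ---
WORK=$(mktemp -d)
CM_V1="$WORK/cm-v1.yaml"; CM_V2="$WORK/cm-v2.yaml"; DEPLOY="$WORK/deploy.yaml"
cat >"$CM_V1" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: localconfig-env
data:
  log_level_test: TEST
  log_level_produce: PRODUCE
EOF
# v2: an operator changes one value
sed 's/^  log_level_test: TEST$/  log_level_test: DEBUG/' "$CM_V1" >"$CM_V2"
cat >"$DEPLOY" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-busybox
  annotations:
    configmap.reloader.stakater.com/reload: "localconfig-env"
spec:
  template:
    spec:
      containers:
      - name: test-busybox
        env:
        - name: TEST_ENV
          valueFrom:
            configMapKeyRef:
              name: localconfig-env
              key: log_level_test
EOF

OLD=$(configmap_data_hash "$CM_V1")
NEW=$(configmap_data_hash "$CM_V2")
reload_decision "$DEPLOY" test-busybox localconfig-env "$OLD" "$OLD"
reload_decision "$DEPLOY" test-busybox localconfig-env "$OLD" "$NEW"
reload_decision "$DEPLOY" test-busybox localconfig-file "$OLD" "$NEW"
```

The restart is needed here because TEST_ENV is an environment variable; a subPath file mount is in the same position, while a plain directory mount of the ConfigMap would eventually be refreshed by the kubelet without any restart. Hashing only the data: block is what keeps unrelated metadata edits from causing rollouts.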
Deployment manifest, as rendered from the reloader-1.0.51 Helm chart (the `# Source:` comments are helm template output). Read the ClusterRole before applying it: it grants list, get and watch on every Secret and ConfigMap in the cluster, which Reloader needs in order to notice changes, but which also makes the reloader-reloader ServiceAccount token a cluster-wide Secret reader. Protect that namespace accordingly, and if Reloader only has to serve one namespace, bind a namespaced Role instead of the ClusterRole. On the positive side, the pod runs as a fixed non-root UID (65534) and the image is pinned to v1.0.51.
---
# Source: reloader/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
    chart: "reloader-1.0.51"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: reloader-reloader
  namespace: default
---
# Source: reloader/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
    chart: "reloader-1.0.51"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: reloader-reloader-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - "apps"
  resources:
  - deployments
  - daemonsets
  - statefulsets
  verbs:
  - list
  - get
  - update
  - patch
- apiGroups:
  - "extensions"
  resources:
  - deployments
  - daemonsets
  verbs:
  - list
  - get
  - update
  - patch
- apiGroups:
  - "batch"
  resources:
  - cronjobs
  verbs:
  - list
  - get
- apiGroups:
  - "batch"
  resources:
  - jobs
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Source: reloader/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
    chart: "reloader-1.0.51"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: reloader-reloader-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: reloader-reloader-role
subjects:
- kind: ServiceAccount
  name: reloader-reloader
  namespace: default
---
# Source: reloader/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
    chart: "reloader-1.0.51"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
    group: com.stakater.platform
    provider: stakater
    version: v1.0.51
  name: reloader-reloader
  namespace: default
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: reloader-reloader
      release: "reloader"
  template:
    metadata:
      labels:
        app: reloader-reloader
        chart: "reloader-1.0.51"
        release: "reloader"
        heritage: "Helm"
        app.kubernetes.io/managed-by: "Helm"
        group: com.stakater.platform
        provider: stakater
        version: v1.0.51
    spec:
      containers:
      - image: "ghcr.io/stakater/reloader:v1.0.51"
        imagePullPolicy: IfNotPresent
        name: reloader-reloader
        ports:
        - name: http
          containerPort: 9090
        livenessProbe:
          httpGet:
            path: /live
            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
          initialDelaySeconds: 10
        readinessProbe:
          httpGet:
            path: /metrics
            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
          initialDelaySeconds: 10
        securityContext:
          {}
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: reloader-reloader