Kubernetes Configuration Management: ConfigMap and Secret
ConfigMap overview
A ConfigMap stores non-sensitive configuration data and can be injected into containers as environment variables or as a mounted volume. Anything placed in a ConfigMap is readable by everyone who can read the object, so it must never hold credentials; those belong in a Secret.
Creating a ConfigMap
From literal values
kubectl create configmap app-config \
  --from-literal=DB_HOST=mysql \
  --from-literal=DB_PORT=3306 \
  --from-literal=APP_ENV=production
From a file
# Create the configuration file
cat > config.properties <<EOF
database.host=mysql
database.port=3306
database.name=myapp
redis.host=redis
EOF
# The file name becomes the key and the file contents become the value
kubectl create configmap app-config --from-file=config.properties
From a directory (every regular file in it becomes one key)
kubectl create configmap app-config --from-file=./config/
Declarative YAML
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_HOST: "mysql"
  DB_PORT: "3306"
  DB_NAME: "myapp"
  config.properties: |
    database.host=mysql
    database.port=3306
    redis.host=redis
  nginx.conf: |
    server {
      listen 80;
      server_name localhost;
      location / {
        proxy_pass http://backend:8080;
      }
    }
Using a ConfigMap
Environment variable injection
envFrom imports every key whose name is a valid environment variable name, which in the ConfigMap above includes the multi-line config.properties and nginx.conf contents; those then sit in the environment of every process in the container. For file-style keys prefer one explicit configMapKeyRef per variable, as with SPECIAL_KEY below, or a volume mount.
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:1.0
    envFrom:
    - configMapRef:
        name: app-config
    env:
    - name: SPECIAL_KEY
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: DB_HOST
Volume mount
Each key becomes a file under /app/config (DB_HOST, config.properties, nginx.conf, and so on). The kubelet mounts ConfigMap volumes read-only; stating readOnly: true on the mount makes that explicit.
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:1.0
    volumeMounts:
    - name: config-volume
      mountPath: /app/config
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: app-config
Secret overview
A Secret holds sensitive data such as passwords, tokens and certificates. In the manifest the values are Base64-encoded so that arbitrary bytes fit in YAML; this is an encoding, not encryption. Anyone who can read the Secret object can decode it, and unless encryption at rest is configured on the API server, Secrets are stored in etcd in plaintext. The type field (Opaque by default, kubernetes.io/tls for certificates, among others) tells Kubernetes which keys to expect.
Creating a Secret
From literal values
kubectl create secret generic db-secret \
  --from-literal=username=admin \
  --from-literal=password='S3cr3tP@ss'
From files (TLS certificate and private key)
kubectl create secret tls tls-secret \
  --cert=./tls.crt \
  --key=./tls.key
Declarative YAML
# secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=          # base64 of "admin"
  password: UzNjcjN0UEBzcw==  # base64 of "S3cr3tP@ss"
# Generate the Base64 values; -n stops echo from appending a newline, which would otherwise become part of the credential
echo -n "admin" | base64
echo -n "S3cr3tP@ss" | base64
If you prefer to write plaintext in the manifest, the stringData field accepts it and the API server encodes it on write; the manifest file is then exactly as sensitive as the password itself and must not be committed to Git.
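The encoding step above is where Secrets most often go wrong: echo without -n appends a newline that becomes part of the credential, GNU base64 wraps long output onto several lines, and hand-typed values can be mis-padded. The shell functions below are an added example, not code from the original page. They assume a POSIX sh and GNU coreutils (base64 -d), verify that an encoded value is canonical by decoding and re-encoding it, and build an Opaque Secret manifest from files so the plaintext never appears on a command line or in shell history.

```sh
#!/usr/bin/env sh
# Added example: encode Secret values correctly and check existing encodings.
# Assumes GNU coreutils (base64 -d). Not part of the original page.

# Encode one text value. printf '%s' adds no trailing newline (echo without -n
# would); tr removes the line wrapping GNU base64 inserts every 76 characters.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 if a base64 value is canonical: decode it, re-encode it, compare.
# A trailing newline in the plaintext ("YWRtaW4K" for "admin\n") or a mis-padded
# string ("UzNjcjN0UEBzcz==" instead of "UzNjcjN0UEBzcw==") fails this check.
canonical_b64() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 2
  [ "$(b64 "$decoded")" = "$1" ]
}

# Print an Opaque Secret manifest whose keys are the basenames of the given
# files and whose values are the files' exact bytes, base64-encoded. This is
# what `kubectl create secret generic --from-file` does, minus the API call;
# pipe the output to `kubectl apply -f -` and nothing sensitive is written to disk.
secret_from_files() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for f in "$@"; do
    printf '  %s: %s\n' "$(basename "$f")" "$(base64 < "$f" | tr -d '\n')"
  done
}

# Usage, with ./username and ./password written by a password manager or CI
# secret store rather than typed into the shell:
#   secret_from_files db-secret ./username ./password | kubectl apply -f -
```

canonical_b64 is the check to run over any hand-written manifest before applying it: the round trip catches the stray newline and the bad padding that a plain base64 -d would silently accept.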
Using a Secret
Environment variable injection
Environment variables are the least safe way to consume a Secret: they are readable in /proc/<pid>/environ, inherited by every child process, and routinely end up in crash reports and debug endpoints. Prefer the volume mount below whenever the application can read a file.
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:1.0
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: password
Volume mount
Each key becomes a file under /app/secrets, and the kubelet backs the volume with tmpfs so the plaintext never touches the node's disk. Files are created with mode 0644 by default; set defaultMode (for example 0400) on the secret volume source to tighten that.
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:1.0
    volumeMounts:
    - name: secret-volume
      mountPath: /app/secrets
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: db-secret
Practice: a complete configuration setup
# Application configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: webapp-config
data:
  APP_NAME: "webapp"
  APP_ENV: "production"
  LOG_LEVEL: "info"
  config.json: |
    {
      "database": {
        "host": "mysql-service",
        "port": 3306
      },
      "redis": {
        "host": "redis-service",
        "port": 6379
      }
    }
  nginx.conf: |
    upstream backend {
      server app-service:8080;
    }
    server {
      listen 80;
      location / {
        proxy_pass http://backend;
      }
    }
---
# Sensitive configuration
apiVersion: v1
kind: Secret
metadata:
  name: webapp-secret
type: Opaque
data:
  DB_PASSWORD: cEBzc3cwcmQ=
  REDIS_PASSWORD: cmVkaXNwYXNz
  JWT_SECRET: and0c2VjcmV0a2V5
---
# Deployment referencing both
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        image: myapp:1.0
        envFrom:
        - configMapRef:
            name: webapp-config
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: webapp-secret
              key: DB_PASSWORD
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              name: webapp-secret
              key: REDIS_PASSWORD
        volumeMounts:
        - name: config-volume
          mountPath: /app/config
          readOnly: true
      volumes:
      - name: config-volume
        configMap:
          name: webapp-config
Updating configuration
# Update the ConfigMap
kubectl apply -f configmap.yaml
# Update the Secret
kubectl apply -f secret.yaml
# Values injected as environment variables are read once at container start and never change,
# so the Pods must be restarted. Keys mounted as a volume are refreshed by the kubelet on its
# sync interval (typically within about a minute), except for subPath mounts, which never update.
# An object marked immutable: true cannot be changed in place at all and must be replaced.
kubectl rollout restart deployment webapp
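The restart step above is usually automated: hash the ConfigMap manifest and stamp the digest into the Deployment's pod template as an annotation, so a changed configuration produces a new pod template and therefore a rolling update, while re-applying an unchanged ConfigMap does nothing. The functions below are an added example and not code from the original page; they assume kubectl, GNU coreutils (sha256sum) and the webapp Deployment and configmap.yaml used above. Only rollout_on_change contacts the cluster.

```sh
#!/usr/bin/env sh
# Added example: roll a Deployment only when its ConfigMap actually changes.
# Assumes kubectl and GNU coreutils (sha256sum). Not part of the original page.

# Digest of the rendered ConfigMap manifest; identical content gives an identical digest.
config_checksum() {
  sha256sum "$1" | cut -d' ' -f1
}

# Strategic-merge patch that records the digest on the pod template. Changing a
# template annotation changes the pod template, which creates a new ReplicaSet
# and triggers a rollout; patching in the same digest again is a no-op.
checksum_patch() {
  printf '{"spec":{"template":{"metadata":{"annotations":{"checksum/config":"%s"}}}}}' "$1"
}

# Apply the ConfigMap, stamp its digest onto the Deployment and wait for the rollout.
# Needed because environment variables from configMapRef are fixed at container start;
# only volume-mounted keys refresh in place.
rollout_on_change() {
  file=$1
  deploy=$2
  sum=$(config_checksum "$file")
  kubectl apply -f "$file"
  kubectl patch deployment "$deploy" -p "$(checksum_patch "$sum")"
  kubectl rollout status deployment "$deploy"
}

# Usage: rollout_on_change configmap.yaml webapp
```

The same pattern applies to Secrets consumed as environment variables; hash the Secret manifest into a second annotation so credential rotation also forces a rollout.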
Common commands
# ConfigMap operations
kubectl get configmap
kubectl describe configmap app-config
kubectl get configmap app-config -o yaml
# Secret operations. describe shows only key names and sizes, but -o yaml or jsonpath returns
# the encoded values, so RBAC "get" on secrets is effectively read access to the plaintext.
kubectl get secret
kubectl describe secret db-secret
kubectl get secret db-secret -o jsonpath='{.data.password}' | base64 -d
Best practices
# 1. Let kubectl create the object so the Base64 encoding is done for you. Be aware that
#    --from-literal leaves the value in shell history and process listings; use --from-file
#    for real credentials.
kubectl create secret generic mysecret --from-literal=password=mypassword
# 2. Base64 is not encryption: enable encryption at rest for the secrets resource in etcd,
#    and keep only encrypted values in Git, for example with sealed-secrets.
# 3. Use external-secrets to pull values from an external secret manager instead of
#    storing the master copy in the cluster.
# 4. Restrict RBAC: grant get on specific Secrets via resourceNames, avoid list and watch on
#    secrets for humans and workloads, and remember that anyone who can create Pods in a
#    namespace can mount any Secret in it.
Summary
ConfigMap and Secret are the core of Kubernetes configuration management. Used correctly, they separate configuration from code, keep credentials out of images and ConfigMaps, and make applications easier to maintain and to secure.