(1). Secret

K8S提供Secret对象来保存和下发敏感数据(如密码)的配置. 注意: Secret中的值只是base64编码, 并非加密.

(2). test-secret.yml

# Opaque Secret holding the datasource user name and password; the Pod in this
# file imports every key as an environment variable via envFrom/secretRef.
apiVersion: v1
kind: Secret
metadata:
  name: env-secret-config
type: Opaque
# Alternative form: values under `data` must be base64-encoded beforehand,
# without a trailing newline: echo -n "root" | base64  ->  cm9vdA==
# (cm9vdAo= decodes to "root\n", which is what echo without -n produces.)
# base64 is an encoding, not encryption: anyone who can read this manifest or
# the Secret object can decode the values.
# data:
#  DATA_SOURCE_USER_NAME: cm9vdA==
#  DATA_SOURCE_USER_PWD: cm9vdA==
# stringData accepts plain text; it is stored base64-encoded under `data`.
# NOTE(review): demo credentials only. Keep real credentials out of manifests
# committed to version control. With `kubectl apply`, this plaintext is also
# copied into the kubectl.kubernetes.io/last-applied-configuration annotation.
stringData:
  DATA_SOURCE_USER_NAME: root
  DATA_SOURCE_USER_PWD: "111111"
---
# ConfigMap carrying the non-sensitive JDBC URL; the Pod in this file imports
# it as an environment variable via envFrom/configMapRef.
apiVersion: v1
kind: ConfigMap
metadata:
  name: env-config
data:
  # Connection URL only; the user name and password live in the Secret.
  DATA_SOURCE_URL: jdbc:mysql://mysql-0.mysql:3306/test
---
# Test Pod that loads all keys of the ConfigMap and the Secret as environment
# variables, so they can be inspected with `kubectl exec ... printenv`.
apiVersion: v1
kind: Pod
metadata:
  name: test-configmap-pod
spec:
  containers:
    - name: test-configmap
      # NOTE(review): `latest` is a mutable tag; pin a specific version or
      # digest so the image that runs is the one that was reviewed.
      image: busybox:latest
      # tail -f blocks indefinitely, keeping the container alive for exec.
      command: [ "/bin/tail", "-f", "/etc/hostname" ]
      # envFrom injects every key of each referenced object as an env var.
      # Secret values end up in plaintext in the container environment,
      # readable by any process in the container and by anyone allowed to
      # exec into the Pod. For real credentials, prefer a Secret volume mount
      # or per-key secretKeyRef, and restrict exec/get-secret access with RBAC.
      envFrom:
        - configMapRef:
            name: env-config  # name of the ConfigMap to import
        - secretRef:
            name: env-secret-config  # name of the Secret to import

(3). 发布配置

# 应用配置
lixin-macbook:k8s-test lixin$ kubectl apply -f test-secret.yml
secret/env-secret-config created
configmap/env-config created
pod/test-configmap-pod created

# 查看secret/configmap
lixin-macbook:k8s-test lixin$ kubectl get secret,configmap
NAME                         TYPE                                  DATA   AGE
secret/default-token-n29nk   kubernetes.io/service-account-token   3      47h
secret/env-secret-config     Opaque                                2      32s

NAME                         DATA   AGE
configmap/env-config         1      32s
configmap/kube-root-ca.crt   1      47h


# 查看secret内容(describe只显示每个键的字节数, 不显示值)
lixin-macbook:k8s-test lixin$ kubectl describe secret env-secret-config
Name:         env-secret-config
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
DATA_SOURCE_USER_NAME:  4 bytes
DATA_SOURCE_USER_PWD:   6 bytes

# 通过kubectl get secret -o yaml仍然可以看到内容: data中的值只是base64编码(可直接解码), 而且last-applied-configuration注解中保留了stringData的明文
lixin-macbook:k8s-test lixin$ kubectl get secret env-secret-config -o yaml
apiVersion: v1
data:
  DATA_SOURCE_USER_NAME: cm9vdA==
  DATA_SOURCE_USER_PWD: MTExMTEx
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"env-secret-config","namespace":"default"},"stringData":{"DATA_SOURCE_USER_NAME":"root","DATA_SOURCE_USER_PWD":"111111"},"type":"Opaque"}
  creationTimestamp: "2021-01-18T06:39:41Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:DATA_SOURCE_USER_NAME: {}
        f:DATA_SOURCE_USER_PWD: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:type: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-01-18T06:39:41Z"
  name: env-secret-config
  namespace: default
  resourceVersion: "21128"
  uid: 088b0c5b-d496-4a1e-b30d-e25ffb123848
type: Opaque

(4). 进入容器查看环境变量


# 查看pods,svc
lixin-macbook:k8s-test lixin$ kubectl get pods,svc
NAME                     READY   STATUS              RESTARTS   AGE
pod/test-configmap-pod   0/1     ContainerCreating   0          9s

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   47h

# 进入容器内部
lixin-macbook:k8s-test lixin$ kubectl exec  test-configmap-pod  -it -- /bin/sh
# 打印环境变量(Secret的值以明文出现在容器的环境变量中)
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=test-configmap-pod
SHLVL=1
DATA_SOURCE_URL=jdbc:mysql://mysql-0.mysql:3306/test
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DATA_SOURCE_USER_PWD=111111
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
DATA_SOURCE_USER_NAME=root