---
lang: zh-tw
title: Kubernetes Configuration
tags: K8s
---

# Configuration
+ ConfigMap
+ Secret

## ConfigMap
+ Stores non-confidential data as key-value pairs. It can be consumed as environment variables, command arguments, or configuration in a Storage Volume, or mounted as config files, for example nginx.conf or redis.conf.
+ Uses the `data` field to store keys and their corresponding values.

### ConfigMap Template
Create the ConfigMap resource; it is matched by `metadata.name`.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-config
data:
  ## MySQL
  MYSQL_HOST: "mysql"
  MYSQL_PORT: "3306"
  MYSQL_DATABASE: "game"
  ## Redis
  REDIS_HOST: "redis"
  REDIS_PORT: "6379"
```

### Deployment paired with the ConfigMap
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: game
spec:
  replicas: 1
  selector:
    matchLabels:
      app: game
  template:
    metadata:
      labels:
        app: game
    spec:
      containers:
        - name: game
          image: gcr.io/game
          envFrom:
            - configMapRef:
                name: game-config
```

### ConfigMap Template used as nginx.conf files
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-map
data:
  test.conf: |
    server {
      listen 80;
      server_name zxc.com;
      location / {
        root /home/nginx_html;
        index index.html index.htm;
      }
    }
  test1.conf: |
    server {
      listen 80;
      server_name abc.com;
      location / {
        root /home/nginx_html;
        index index1.html index1.htm;
      }
    }
```

### Nginx Deployment matching the ConfigMap
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      service: http-server
  template:
    metadata:
      labels:
        service: http-server
    spec:
      containers:
        - name: nginx
          image: gcr.io/nginx/nginx
          ports:
            - containerPort: 80
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              readOnly: true
              name: deployment-nginx-conf
      volumes:
        - name: deployment-nginx-conf
          configMap:
            name: nginx-map # mount ConfigMap `nginx-map` at /etc/nginx/conf.d
```

## Secret
+ Stores sensitive information such as passwords, OAuth tokens, and SSH private keys.
+ A Pod can reference a Secret in one of the following three ways:
    1. As a Volume mounted into one or more containers
    2. As container environment variables
    3. Used when the Pod pulls an image

### Secret Template
```yaml
apiVersion: v1 ## API version
kind: Secret ## resource kind
metadata:
  name: mysecret ## Secret name
type: Opaque ## a map structure (key-value) whose values must be base64-encoded
data: ## holds the private data as "key: value" pairs
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
```

### Referencing the Secret
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
```
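
As an added example (not part of the original note), the following Python sketch audits manifests like the ones above once they are parsed into dicts, for instance from `kubectl get -o json`. It shows that the base64 values in `mysecret` decode directly, because base64 is an encoding and not encryption, and it flags credential-like keys stored in a ConfigMap and Secrets exposed as environment variables. The function names, the key-name heuristic and the `MYSQL_PASSWORD` entry are assumptions made for this example.

```python
import base64
import re

# Heuristic for credential-like key names (an assumption of this example).
SENSITIVE = re.compile(r"pass|secret|token|private[_-]?key", re.I)

def decode_secret(manifest):
    """Decode a Secret's `data` map; base64 is encoding, not encryption."""
    return {k: base64.b64decode(v).decode("utf-8", "replace")
            for k, v in manifest.get("data", {}).items()}

def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload with a pod template."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit(manifest):
    """Return a list of findings for one manifest parsed into a dict."""
    kind = manifest.get("kind")
    name = manifest.get("metadata", {}).get("name", "?")
    findings = []
    if kind == "ConfigMap":  # meant for non-confidential data only
        for key in manifest.get("data", {}):
            if SENSITIVE.search(key):
                findings.append(f"ConfigMap/{name}: '{key}' looks sensitive; use a Secret")
    elif kind == "Secret":
        for key in decode_secret(manifest):
            findings.append(f"Secret/{name}: '{key}' is recoverable by anyone who can read the object")
    elif kind in ("Pod", "Deployment"):
        for c in pod_spec(manifest).get("containers", []):
            for env in c.get("env", []):
                if "secretKeyRef" in env.get("valueFrom", {}):
                    findings.append(f"{kind}/{name}: {env['name']} exposes a Secret as an env var")
    return findings

# Constructed samples: the page's manifests as dicts, plus a ConfigMap
# with a password key added so the first check has something to flag.
SECRET = {"kind": "Secret", "metadata": {"name": "mysecret"},
          "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}}
BAD_CM = {"kind": "ConfigMap", "metadata": {"name": "game-config"},
          "data": {"MYSQL_HOST": "mysql", "MYSQL_PASSWORD": "hunter2"}}
POD = {"kind": "Pod", "metadata": {"name": "secret-env-pod"},
       "spec": {"containers": [{"name": "mycontainer", "env": [
           {"name": "SECRET_USERNAME",
            "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}}]}]}}

if __name__ == "__main__":
    for m in (BAD_CM, SECRET, POD):
        print(*audit(m), sep="\n")
```

Because the values are only encoded, access to Secret objects should be restricted with RBAC, and manifests that contain them should stay out of version control.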