Secret详解

ConfigMap可以向Pod内部注入配置信息,但是使用kubectl describe可以很轻易的看到配置信息,所以这对于向pod中的应用传敏感数据时就不太适用了。因而k8s提供了一种Secret资源来将敏感信息实施转换后再保存,而后每次被注入到Pod容器时自动解码,完成信息的还原。
Secret资源是以非加密的形式存储于k8s的api-server后端的etcd中,即便做了转换其也不过是做了base64编码。

Secret的类型

ConfigMap的配置信息基本没有类别之分,但Secret有所不同,根据其用户存在类型的概念;

  • docker-registry:专用于让kubelet启动Pod时从私有镜像仓库pull镜像时,首先认证到Registry时使用;
  • tls:专门用于保存tls/ssl用到证书和配对儿的私钥;
  • generic:余下的通用类型

generic类型的Secret

gemeric通用类型; 可以存在子类型:

  • --type="kubernetes.io/basic-auth":适用于web端的basic认证
  • --type="kubernetes.io/rbd":适用于ceph认证
  • --type="kubernetes.io/ssh-auth":适用于认证到ssh服务器
generic示例1:

为msyql账号密码创建secret

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# 给mysql创建账号密码
root@k8s-master01:~/yaml/chapter06# kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=mylinuxops.com
secret/mysql-root-authn created

# 获取mysql-root-authn
root@k8s-master01:~/yaml/chapter06# kubectl get secret mysql-root-authn -o yaml
apiVersion: v1
data:
  password: bXlsaW51eG9wcy5jb20=          # 此为base64编码后的
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2021-07-16T08:21:21Z"
  name: mysql-root-authn
  namespace: default
  resourceVersion: "216488"
  uid: 681cdb7d-73f8-428a-8443-a87ec30c5c05
type: Opaque

# 使用base64解码
root@k8s-master01:~/yaml/chapter06# echo "bXlsaW51eG9wcy5jb20=" | base64 -d
mylinuxops.com
generic示例2:

在为web服务创建basic认证时需要额外使用--type选项,来指定--type="kubernetes.io/basic-auth"

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# 创建secret资源
root@k8s-master01:~# kubectl create secret generic web-basic-authn --from-literal=username=devopser --from-literal=password=mylinuxops.com --type="ikubernetes.io/basic-auth"
secret/web-basic-authn created

# 查看详细信息,观察type字段
root@k8s-master01:~# kubectl get secrets web-basic-authn -o yaml
apiVersion: v1
data:
  password: bXlsaW51eG9wcy5jb20=
  username: ZGV2b3BzZXI=
kind: Secret
metadata:
  creationTimestamp: "2021-07-16T08:33:34Z"
  name: web-basic-authn
  namespace: default
  resourceVersion: "218171"
  uid: f04cf0f7-10c2-4b62-b41d-5c675be3daba
type: ikubernetes.io/basic-auth             # 此为kubernetes专用于basic认证所使用的。
其他事项:

另外,保存有专用于ServiceAccount的相关的token信息的Secret资源会使用资源注解来保存其使用场景。

1
2
3
4
5
kind: Secret
metadata:
  annotations:
   	kubernetes.io/service-account.name: node-controller
   	kubernetes.io/service-account.uid: b9f7e593-3e49-411c-87e2-dbd7ed9749c0

资源的元数据:除了name, namespace之外,常用的还有labels, annotations;

  1. annotation的名称遵循类似于labels的名称命名格式,但其数据长度不受限制;
  2. 它不能用于被标签选择器作为筛选条件;但常用于为那些仍处于Beta阶段的应用程序提供临时的配置接口;
  3. 管理命令:kubectl annotate TYPE/NAME KEY=VALUE, kubectl annotate TYPE/NAME KEY-

还有一种由kubeadm的bootstrap所使用的token专用的类型,它通常保存于kube-system名称空间,以bootstrap-token-为前缀。

  • --type="bootstrap.kubernetes.io/token"

tls类型secret

TLS类型是一种独特的类型,在创建secret的命令行中,除了类型标识的不同之外,它还需要使用专用的选项--cert--key

无论证书和私钥文件名是什么,它们会统一为:

  • tls.crt
  • tls.key
tls示例:

创建一个crt和key文件,将其做成tls类型的secret

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
root@k8s-master01:~/yaml/chapter06/certs2.d# (umask 077;openssl genrsa -out nginx.key 2048)
root@k8s-master01:~/yaml/chapter06/certs2.d# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=www.mylinuxops.com
root@k8s-master01:~/yaml/chapter06/certs2.d# ls
nginx.crt  nginx.key

# 创建tls类型secret
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl create secret tls nginx-ssl --key=nginx.key --cert=nginx.crt
secret/nginx-ssl created

# 查看secret信息
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl get secret nginx-ssl -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvekNDQW91Z0F3SUJBZ0lVQXd5WFovc3hKRGlVemxBdi9WSFR0ZVNXaXY0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdNQ0ZOb1lXNW5hR0ZwTVJFd0R3WURWUVFIREFoVAphR0Z1WjJoaGFURVBNQTBHQTFVRUNnd0dSR1YyVDNCek1Sc3dHUVlEVlFRRERCSjNkM2N1Ylhsc2FXNTFlRzl3CmN5NWpiMjB3SGhjTk1qRXdOekUyTURrek1UTTJXaGNOTWpFd09ERTFNRGt6TVRNMldqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRVJNQThHQTFVRUNBd0lVMmhoYm1kb1lXa3hFVEFQQmdOVkJBY01DRk5vWVc1bmFHRnBNUTh3RFFZRApWUVFLREFaRVpYWlBjSE14R3pBWkJnTlZCQU1NRW5kM2R5NXRlV3hwYm5WNGIzQnpMbU52YlRDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5idVBJN055QjlGWWtOTk1OTTV3blhrdVR0RVFnaEYKUzZVZVgrVVNtZ2VMZGgzemNnTEczVWRwY3BaSS92SGZ6WFlqK05VYVpNVFNrVVlqYU5GaXhzbzNaV1g5N0tFSwpPWXJsMnBFYnY3dno3KzRocTIwbjkvQzNtWDdkaHFrSFdydmFqRzA5Si9uakxNR2E3Mm1PdmxDcE5zSGdsUGdNClA4cEZ6LzdPQnZIUUkwdjZsRVdaVXJSOE1NcW1SY2ZaTGtPWjJ3bGFmUGJ5RXc4N21wRFVOK2sxdnZKcHV0RjAKRGRKMEdWZERZWE9YcTMxenBmbXVkb3RGbEp1NFFVSHI2QTVXM1A1bEVsY0ZSUVFFaG40ZzB6alhMdjVaM0RzNQpuVWwyLzdHaVczcFgrbVNTVDlZbm12aGdiQ0w5K1pBNFRub08yVjBuZjlET2FwOHNuYVlWRS9zQ0F3RUFBYU5UCk1GRXdIUVlEVlIwT0JCWUVGTXZlMDlvbUVJUy9Qb21CQW94ZDFkWXJwdDJNTUI4R0ExVWRJd1FZTUJhQUZNdmUKMDlvbUVJUy9Qb21CQW94ZDFkWXJwdDJNTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFLUDYwOEJwbkdCcXBXMitYL1BmREEyMTVQYlpIMERBc2RlL2RKN1FIanpzbWs2YnpleUhnVmd4CjJPSkFXckNiS2xZUW9MbEJtbjl2RnlwcGE4WFdOc0RGaDhadEM0U2UxSkZ4TjdNdzJtbXpWQ1RINFhwbnl3NngKVVlORlVyNC94YW9yTFdMMGhWRnJjNXhXQXJhQXdlRXFYZ2hVZEFLS3h4NUZtNUJHcTdwbFd4QzJnaVZmcythRQpYQXFjVDVubzM4VmdLMHRaQUVGTUJ4SG9Bd3Vib2Y5ajVDdFpiV212akxUV01tUmdwdjlTdUh4WmZ3bmZUeW9jCnhHSGJHWmtZSFowbm9SSlBlRjc1ZlVvbmdOQnVxdENEaEgyRkR0azJ6NWlJT0hldjJ6UGZBZ1pKYy9lZzd2b0MKb2tzWVFvQ1pxMGM1RU02Q3pCekI5TjJFTmZ4bTNDZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMXU0OGpzM0lIMFZpUTAwdzB6bkNkZVM1TzBSQ0NFVkxwUjVmNVJLYUI0dDJIZk55CkFzYmRSMmx5bGtqKzhkL05kaVA0MVJwa3hOS1JSaU5vMFdMR3lqZGxaZjNzb1FvNWl1WGFrUnUvdS9QdjdpR3IKYlNmMzhMZVpmdDJHcVFkYXU5cU1iVDBuK2VNc3dacnZhWTYrVUtrMndlQ1UrQXcveWtYUC9zNEc4ZEFqUy9xVQpSWmxTdEh3d3lxWkZ4OWt1UTVuYkNWcDg5dklURHp1YWtOUTM2VFcrOG1tNjBYUU4wblFaVjBOaGM1ZXJmWE9sCithNTJpMFdVbTdoQlFldm9EbGJjL21VU1Z3VkZCQVNHZmlEVE9OY3UvbG5jT3ptZFNYYi9zYUpiZWxmNlpKSlAKMWllYStHQnNJdjM1a0RoT2VnN1pYU2QvME01cW55eWRwaFVUK3dJREFRQUJBb0lCQUZObUFnMlBmL1hTWUh5bworU2NkSkgzR2tMR1VuT0xFc01PVGM3WlpiM2M2QUUxQzU1eDRPZWk1M0FMQXRGeDZjU2xFY0F1UXdFVTNSN09sCmpjaWh3VzA1N1ppVDNUdm4wY2c1eElQRjlySWh4NW5wYXJGaWJ1enk4UmF2TXM5bjBTZFBlR255N3c0aHZuNHAKZG5qSk1NUHZ4UldaNVhRU25MWUtQTmtzYkxsclNhYm1QZi9qT1N6ZkdoQTlDUlhwcnlpOVBuQWxxY0lJSjV4UQpOOTdMVFk1TTRaUnp2aHNiUnlUb1JGa2JJeFBDai8wOWdrWTdWdDlHRnAyaHpCdmNkSmNJaVplRkFVdDVoUnJICllPM01zWVJXK09tZmROYm1jLy92T3hNQnhpbnF0U0ljcVBFYklDdmNRejV2NXNuU20zdXg5S1U2TVZoWldnOFQKVkhXR3VDRUNnWUVBKzl5SmRoZzhCN3A0WFBQdXR6RWZJZ2xNMFZIMGszcHV0ZktTdUl4dHllcXFkWURRcGY0VgpXR0hDK2grM2Vtd0VqWkNFdUZ2eWxKVDNIREpid29IOXJCcUc5RmJkVU1jN2tCRm50U2kyTmw4bmxlQnVWTHlNClJHQXdKaUdjOUFsWGxoZkcxU0M0WlpuTFNzM1Q1aHd6V3BRSEorNnZ5N0oydTk4cVBGcE9GTmtDZ1lFQTJuWloKU21qZUNZVmdyTG5BOGpObVFybXo4eGVkdEJoSjJHZncrdFQwQysxVFM5aXJVUjRYb2w4cFRyZjhDNXArY1M0cgo2d1dCeEFSajlFRzc2VXo3UytJZmwzbUo5bTJOYTdMRGhJTUF3YTlDWVZ4VXJ0VWVSS2NnQ3NSWERmaHBlcWtICmh3MlVQZHNnRDg4dTVVODl2SnUrQ21QekNYQ1B3RGpIQXEzYld2TUNnWUVBcWIxUHh3OCtKZGMrRnljdTByZUEKUytnSXBXbWVjMllvQnVlY2lsUGFDaUxsRHB2cUFuVGkzZFhGR2QwV1FxTlp6aTUvdzkvejlMOFFheWhsUHdscwpkUGpMeXhCZngzaitZM0hYZXZnZEZUZTc3ZjU3WFJCVldCK2JVNWVEdDlReit5dTdEUmdvTGhFZ09TSE9sVjZjCkhZZDE2eXVwdnBaZi91M0FBVHk3TXNFQ2dZQnNTaG44dm5yQnNYRzRiT050cTNqWFBvSXF6OXdHZDd1ekgrTGUKRTAxZDFDaGtBbVQ1Y3JjNGIzOWtXK0wrUlhqRDFhVkRmSmxVZHZDdEZTQjJod2hTRnlhZHlVdFA4Z0lXRHFqSQpPTC9aUW16ZklndUFGbmhJZzZkb2J1YlFNQURwSW54dXY1WnFDd0tiazVHbGJXQW02L1NKNWYyRkFsemZaY1dRCldHblJiUUtCZ1FEYWRuekZ0WUlvQ285aGhPdkl4RFhKeG1aMnU3NlJwUUJ5cXlYb3NzN2JUY1NqVHdPTGFMS2QKUjNWSm5kNWNiUTRhVEQxYzNPU0RFbXU0U1pjZUgxcUJFdjQ3MTZGL0RaZ2gxNnBYWnV1K0x0YUVBbWRJVkJjZApuOUxDcnM1Y3JQTVZyUm5zam5ydUpWc1NyWGJXNWdBK3F3MURoRjArWEhrK09EMXJQUXZhbGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: "2021-07-16T09:33:30Z"
  name: nginx-ssl
  namespace: default
  resourceVersion: "226423"
  uid: 7f79533a-db1a-49cd-9108-a3d4bf933672
type: kubernetes.io/tls

docker-registry类型secret

Docker Registry类型,也是独特类型:

1
2
3
4
5
kubectl create secret docker-registry my-secret \
    --docker-server=DOCKER_REGISTRY_SERVER \
    --docker-username=DOCKER_USER \
    --docker-password=DOCKER_PASSWORD \
    --docker-email=DOCKER_EMAIL

如果曾经访问过docker-registry,那么也能够从docker的认证文件中加载信息,这时使用--from-file选项:

1
2
3
4
# 通常认证信息保存在用户家目录下的.docker/config.json或着.dockercfg文件中
kubectl create secret docker-registry my-secret --from-file=~/.docker/config.json
# 或者
kubectl create secret docker-registry my-secret --from-file=$HOME/.dockercfg
docker-registry的使用方法

docker-registry通常是配置在容器拉取镜像时使用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@k8s-master01:~# kubectl explain pod.spec.imagePullSecrets
KIND:     Pod
VERSION:  v1

RESOURCE: imagePullSecrets <[]Object>

DESCRIPTION:
     ImagePullSecrets is an optional list of references to secrets in the same
     namespace to use for pulling any of the images used by this PodSpec. If
     specified, these secrets will be passed to individual puller
     implementations for them to use. For example, in the case of docker, only
     DockerConfig type secrets are honored. More info:
     https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod

     LocalObjectReference contains enough information to let you locate the
     referenced object inside the same namespace.

FIELDS:
   name <string>
     Name of the referent. More info:
     https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Secret资源,使用环境变量

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
containers:
- name: …
  image: …
  env:
  - name: <string>      		 # 变量名,其值来自于某Secret对象上的指定键的值;
    valueFrom:          		  # 键值引用; 
      secretKeyRef:
        name: <string>  			  # 引用的Secret对象的名称,需要与该Pod位于同一名称空间;
        key: <string>  			   # 引用的Secret对象上的键,其值将传递给环境变量;
        optional: <boolean>		 # 是否为可选引用;
  envFrom:             			    # 整体引用指定的Secret对象的全部键名和键值;
  - prefix: <string> 				    # 将所有键名引用为环境变量时统一添加的前缀;
secretRef:
  name: <string> 				    # 引用的Secret对象名称;
  optional: <boolean>				 # 是否为可选引用;

Secret资源使用示例

mysql加载root口令

1.创建MySQL资源清单,使用已创建的mysql-root-authn

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@k8s-master01:~/yaml/chapter06# vim secrets-env-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-demo
  namespace: default
spec:
  containers:
  - name: mariadb
    image: mariadb
    imagePullPolicy: IfNotPresent
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-authn
          key: password

2.应用资源清单

1
2
3
4
5
6
root@k8s-master01:~/yaml/chapter06# kubectl apply -f secrets-env-demo.yaml
pod/secret-env-demo created

root@k8s-master01:~/yaml/chapter06# kubectl get pods secret-env-demo
NAME                        READY   STATUS    RESTARTS   AGE
secret-env-demo             1/1     Running   0          1m

3.验证

1
2
3
4
5
6
root@k8s-master01:~/yaml/chapter06# kubectl exec secret-env-demo -- mysql -uroot -pmylinuxops.com -e "show databases;"
Database
information_schema
mysql
performance_schema
sys

https虚拟主机示例

1.编写pod资源清单

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@k8s-master01:~/yaml/chapter06# vim secrets-volume-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secrets-volume-demo
  namespace: default
spec:
  containers:
  - name: ngxserver
    image: nginx:alpine
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxcerts
    secret:
      secretName: nginx-ssl
  - name: nginxconfs
    configMap:
      name: nginx-sslvhosts-confs
      optional: false

2.创建secret

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
root@k8s-master01:~/yaml/chapter06/certs2.d# (umask 077;openssl genrsa -out nginx.key 2048)
root@k8s-master01:~/yaml/chapter06/certs2.d# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=www.mylinuxops.com
root@k8s-master01:~/yaml/chapter06/certs2.d# ls
nginx.crt  nginx.key

# 创建tls类型secret
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl create secret tls nginx-ssl --key=nginx.key --cert=nginx.crt
secret/nginx-ssl created

# 查看secret信息
root@k8s-master01:~/yaml/chapter06/certs2.d# kubectl get secret nginx-ssl -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvekNDQW91Z0F3SUJBZ0lVQXd5WFovc3hKRGlVemxBdi9WSFR0ZVNXaXY0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdNQ0ZOb1lXNW5hR0ZwTVJFd0R3WURWUVFIREFoVAphR0Z1WjJoaGFURVBNQTBHQTFVRUNnd0dSR1YyVDNCek1Sc3dHUVlEVlFRRERCSjNkM2N1Ylhsc2FXNTFlRzl3CmN5NWpiMjB3SGhjTk1qRXdOekUyTURrek1UTTJXaGNOTWpFd09ERTFNRGt6TVRNMldqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRVJNQThHQTFVRUNBd0lVMmhoYm1kb1lXa3hFVEFQQmdOVkJBY01DRk5vWVc1bmFHRnBNUTh3RFFZRApWUVFLREFaRVpYWlBjSE14R3pBWkJnTlZCQU1NRW5kM2R5NXRlV3hwYm5WNGIzQnpMbU52YlRDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5idVBJN055QjlGWWtOTk1OTTV3blhrdVR0RVFnaEYKUzZVZVgrVVNtZ2VMZGgzemNnTEczVWRwY3BaSS92SGZ6WFlqK05VYVpNVFNrVVlqYU5GaXhzbzNaV1g5N0tFSwpPWXJsMnBFYnY3dno3KzRocTIwbjkvQzNtWDdkaHFrSFdydmFqRzA5Si9uakxNR2E3Mm1PdmxDcE5zSGdsUGdNClA4cEZ6LzdPQnZIUUkwdjZsRVdaVXJSOE1NcW1SY2ZaTGtPWjJ3bGFmUGJ5RXc4N21wRFVOK2sxdnZKcHV0RjAKRGRKMEdWZERZWE9YcTMxenBmbXVkb3RGbEp1NFFVSHI2QTVXM1A1bEVsY0ZSUVFFaG40ZzB6alhMdjVaM0RzNQpuVWwyLzdHaVczcFgrbVNTVDlZbm12aGdiQ0w5K1pBNFRub08yVjBuZjlET2FwOHNuYVlWRS9zQ0F3RUFBYU5UCk1GRXdIUVlEVlIwT0JCWUVGTXZlMDlvbUVJUy9Qb21CQW94ZDFkWXJwdDJNTUI4R0ExVWRJd1FZTUJhQUZNdmUKMDlvbUVJUy9Qb21CQW94ZDFkWXJwdDJNTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFLUDYwOEJwbkdCcXBXMitYL1BmREEyMTVQYlpIMERBc2RlL2RKN1FIanpzbWs2YnpleUhnVmd4CjJPSkFXckNiS2xZUW9MbEJtbjl2RnlwcGE4WFdOc0RGaDhadEM0U2UxSkZ4TjdNdzJtbXpWQ1RINFhwbnl3NngKVVlORlVyNC94YW9yTFdMMGhWRnJjNXhXQXJhQXdlRXFYZ2hVZEFLS3h4NUZtNUJHcTdwbFd4QzJnaVZmcythRQpYQXFjVDVubzM4VmdLMHRaQUVGTUJ4SG9Bd3Vib2Y5ajVDdFpiV212akxUV01tUmdwdjlTdUh4WmZ3bmZUeW9jCnhHSGJHWmtZSFowbm9SSlBlRjc1ZlVvbmdOQnVxdENEaEgyRkR0azJ6NWlJT0hldjJ6UGZBZ1pKYy9lZzd2b0MKb2tzWVFvQ1pxMGM1RU02Q3pCekI5TjJFTmZ4bTNDZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMXU0OGpzM0lIMFZpUTAwdzB6bkNkZVM1TzBSQ0NFVkxwUjVmNVJLYUI0dDJIZk55CkFzYmRSMmx5bGtqKzhkL05kaVA0MVJwa3hOS1JSaU5vMFdMR3lqZGxaZjNzb1FvNWl1WGFrUnUvdS9QdjdpR3IKYlNmMzhMZVpmdDJHcVFkYXU5cU1iVDBuK2VNc3dacnZhWTYrVUtrMndlQ1UrQXcveWtYUC9zNEc4ZEFqUy9xVQpSWmxTdEh3d3lxWkZ4OWt1UTVuYkNWcDg5dklURHp1YWtOUTM2VFcrOG1tNjBYUU4wblFaVjBOaGM1ZXJmWE9sCithNTJpMFdVbTdoQlFldm9EbGJjL21VU1Z3VkZCQVNHZmlEVE9OY3UvbG5jT3ptZFNYYi9zYUpiZWxmNlpKSlAKMWllYStHQnNJdjM1a0RoT2VnN1pYU2QvME01cW55eWRwaFVUK3dJREFRQUJBb0lCQUZObUFnMlBmL1hTWUh5bworU2NkSkgzR2tMR1VuT0xFc01PVGM3WlpiM2M2QUUxQzU1eDRPZWk1M0FMQXRGeDZjU2xFY0F1UXdFVTNSN09sCmpjaWh3VzA1N1ppVDNUdm4wY2c1eElQRjlySWh4NW5wYXJGaWJ1enk4UmF2TXM5bjBTZFBlR255N3c0aHZuNHAKZG5qSk1NUHZ4UldaNVhRU25MWUtQTmtzYkxsclNhYm1QZi9qT1N6ZkdoQTlDUlhwcnlpOVBuQWxxY0lJSjV4UQpOOTdMVFk1TTRaUnp2aHNiUnlUb1JGa2JJeFBDai8wOWdrWTdWdDlHRnAyaHpCdmNkSmNJaVplRkFVdDVoUnJICllPM01zWVJXK09tZmROYm1jLy92T3hNQnhpbnF0U0ljcVBFYklDdmNRejV2NXNuU20zdXg5S1U2TVZoWldnOFQKVkhXR3VDRUNnWUVBKzl5SmRoZzhCN3A0WFBQdXR6RWZJZ2xNMFZIMGszcHV0ZktTdUl4dHllcXFkWURRcGY0VgpXR0hDK2grM2Vtd0VqWkNFdUZ2eWxKVDNIREpid29IOXJCcUc5RmJkVU1jN2tCRm50U2kyTmw4bmxlQnVWTHlNClJHQXdKaUdjOUFsWGxoZkcxU0M0WlpuTFNzM1Q1aHd6V3BRSEorNnZ5N0oydTk4cVBGcE9GTmtDZ1lFQTJuWloKU21qZUNZVmdyTG5BOGpObVFybXo4eGVkdEJoSjJHZncrdFQwQysxVFM5aXJVUjRYb2w4cFRyZjhDNXArY1M0cgo2d1dCeEFSajlFRzc2VXo3UytJZmwzbUo5bTJOYTdMRGhJTUF3YTlDWVZ4VXJ0VWVSS2NnQ3NSWERmaHBlcWtICmh3MlVQZHNnRDg4dTVVODl2SnUrQ21QekNYQ1B3RGpIQXEzYld2TUNnWUVBcWIxUHh3OCtKZGMrRnljdTByZUEKUytnSXBXbWVjMllvQnVlY2lsUGFDaUxsRHB2cUFuVGkzZFhGR2QwV1FxTlp6aTUvdzkvejlMOFFheWhsUHdscwpkUGpMeXhCZngzaitZM0hYZXZnZEZUZTc3ZjU3WFJCVldCK2JVNWVEdDlReit5dTdEUmdvTGhFZ09TSE9sVjZjCkhZZDE2eXVwdnBaZi91M0FBVHk3TXNFQ2dZQnNTaG44dm5yQnNYRzRiT050cTNqWFBvSXF6OXdHZDd1ekgrTGUKRTAxZDFDaGtBbVQ1Y3JjNGIzOWtXK0wrUlhqRDFhVkRmSmxVZHZDdEZTQjJod2hTRnlhZHlVdFA4Z0lXRHFqSQpPTC9aUW16ZklndUFGbmhJZzZkb2J1YlFNQURwSW54dXY1WnFDd0tiazVHbGJXQW02L1NKNWYyRkFsemZaY1dRCldHblJiUUtCZ1FEYWRuekZ0WUlvQ285aGhPdkl4RFhKeG1aMnU3NlJwUUJ5cXlYb3NzN2JUY1NqVHdPTGFMS2QKUjNWSm5kNWNiUTRhVEQxYzNPU0RFbXU0U1pjZUgxcUJFdjQ3MTZGL0RaZ2gxNnBYWnV1K0x0YUVBbWRJVkJjZApuOUxDcnM1Y3JQTVZyUm5zam5ydUpWc1NyWGJXNWdBK3F3MURoRjArWEhrK09EMXJQUXZhbGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: "2021-07-16T09:33:30Z"
  name: nginx-ssl
  namespace: default
  resourceVersion: "226423"
  uid: 7f79533a-db1a-49cd-9108-a3d4bf933672
type: kubernetes.io/tls

3.创建configMap资源

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# nginx配置文件已经准备好,此处创建configMap资源
root@k8s-master01:~/yaml/chapter06/nginx-ssl-conf.d# ls
myserver.conf  myserver-gzip.cfg  myserver-status.cfg

# 指定当前路径下的所有文件创建出configmap
root@k8s-master01:~/yaml/chapter06/nginx-ssl-conf.d# kubectl create configmap nginx-sslvhosts-confs --from-file=./
configmap/nginx-sslvhosts-confs created

# 查看configmap相关信息
root@k8s-master01:~/yaml/chapter06/nginx-ssl-conf.d# kubectl describe configmap nginx-sslvhosts-confs
Name:         nginx-sslvhosts-confs
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
myserver-gzip.cfg:
----
gzip on;
gzip_comp_level 5;
gzip_proxied     expired no-cache no-store private auth;
gzip_types text/plain text/css application/xml text/javascript;

myserver-status.cfg:
----
location /nginx-status {
    stub_status on;
    access_log off;
}

myserver.conf:
----
server {
    listen 443 ssl;
    server_name www.mylinuxops.com;

    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.mylinuxops.com;
    return 301 https://$host$request_uri;
}

Events:  <none>

4.使用配置清单创建出pod

1
2
3
4
5
6
root@k8s-master01:~/yaml/chapter06# kubectl apply -f secrets-volume-demo.yaml
pod/secrets-volume-demo created

root@k8s-master01:~/yaml/chapter06# kubectl get pods secrets-volume-demo -o wide
NAME                  READY   STATUS    RESTARTS   AGE     IP            NODE         NOMINATED NODE   READINESS GATES
secrets-volume-demo   1/1     Running   0          7m18s   10.244.3.18   k8s-node03   <none>           <none>

5.验证ssl

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# 验证443端口已经监听
root@k8s-master01:~/yaml/chapter06# kubectl exec secrets-volume-demo -- netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN


# 使用curl访问,正常打开
root@k8s-master01:~/yaml/chapter06/certs2.d# curl -k -H "Host:www.mylinuxops.com"  https://10.244.3.18:443       
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>