A Systematic Guide to Hands-On K8S Configuration Management: Worth-Bookmarking Series (Part 4)

To mount it, first generate a template Deployment:

[root@master01 secret-file]# kubectl create deployment alicloud-private-nginx --image=registry.cn-hangzhou.aliyuncs.com/changwu/nginx:1.7.9-nettools --dry-run=client -oyaml

Edit the output to add the imagePullSecrets configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: alicloud-private-nginx
  name: alicloud-private-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alicloud-private-nginx
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: alicloud-private-nginx
    spec:
      imagePullSecrets:
      - name: brm-alicloud-docker-secret
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/changwu/nginx:1.7.9-nettools
        name: nginx
        resources: {}
status: {}

To verify, just run kubectl get pod -owide.
2.2.2 Managing HTTPS certificates

Generate the private key and crt:

[root@master01 https]# openssl req -x509 -nodes -days 3650 \
> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=test.com"
Generating a 2048 bit RSA private key
....................................................................+++
...........+++
writing new private key to 'tls.key'
-----
[root@master01 https]# ls
tls.crt  tls.key

Store the key and crt in a Secret:

[root@master01 https]# kubectl create secret tls https-nginx-tls-test-secret -n default --key=tls.key --cert=tls.crt
secret/https-nginx-tls-test-secret created

View it:
[root@master01 https]# kubectl get secrets https-nginx-tls-test-secret -oyaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1R1lrWTJRCjN4VUpQV1hVR0lqM2VVYnhTc0hFZ2lyZDlJalBZL1pwZEsxWittbmNHTWMyNW41aVhoUEs1UG1ZcjYrcAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1V3AzbUtRNHJkZG1CZGplMjJpMjR1bU5IUGd2STJBRGlEalAKNXBTb2hRYWRkZVZYRDJFZWdlWFRTTHY3Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
  creationTimestamp: "2022-04-06T00:25:33Z"
  name: https-nginx-tls-test-secret
  namespace: default
  resourceVersion: "848213"
  uid: afa127bb-4a3a-4eb9-9d55-8cd50af5b3f4
type: kubernetes.io/tls

Configure it in the Ingress (configuring HTTPS directly in the Ingress is not really recommended; HTTPS is usually configured on the SLB proxy one layer above the Ingress):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-tls-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: https-test.com # Domain name; may be omitted to match *, or written as *.bar.com
    http:
      paths: # Equivalent to an nginx location; one host can have multiple paths
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port:
              number: 80
  tls:
  - secretName: https-nginx-tls-test-secret

Verify

2.2.3 Immutable Secrets

At the same level as kind, set the parameter immutable=true.
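The following lint is an added example, not code from the original article. It takes a Secret manifest parsed from `kubectl get secret -o json`, decodes tls.crt and tls.key to show that the data fields are only base64-encoded, and reports whether immutable is set. The function names and the sample manifest are constructed for illustration.

```python
import base64
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_label(b64_value):
    """Decode one Secret data value; return its PEM label or None."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    match = PEM_LABEL.match(raw)
    return match.group(1).decode() if match else None

def lint_tls_secret(manifest):
    """Check a Secret manifest (dict parsed from `kubectl get secret -o json`)."""
    problems = []
    if manifest.get("kind") != "Secret" or manifest.get("type") != "kubernetes.io/tls":
        problems.append("not a kubernetes.io/tls Secret")
    data = manifest.get("data") or {}
    cert_label = pem_label(data.get("tls.crt", ""))
    key_label = pem_label(data.get("tls.key", ""))
    if cert_label != "CERTIFICATE":
        problems.append("tls.crt does not decode to a PEM certificate")
    if key_label is None or not key_label.endswith("PRIVATE KEY"):
        problems.append("tls.key does not decode to a PEM private key")
    if manifest.get("immutable") is not True:
        problems.append("immutable is not true: data can still be edited in place")
    # key_label being recoverable shows the key is only base64-encoded, so
    # read access to the Secret is read access to the private key.
    return {"cert_label": cert_label, "key_label": key_label, "problems": problems}

def sample_secret():
    """Constructed manifest with placeholder PEM bodies (no real key material)."""
    def enc(label):
        pem = f"-----BEGIN {label}-----\nCONSTRUCTED\n-----END {label}-----\n"
        return base64.b64encode(pem.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": "https-nginx-tls-test-secret", "namespace": "default"},
        "data": {"tls.crt": enc("CERTIFICATE"), "tls.key": enc("PRIVATE KEY")},
    }

if __name__ == "__main__":
    print(lint_tls_secret(sample_secret()))
```

Once immutable is true, the Secret's data can no longer be updated; rotating the certificate means deleting and recreating the Secret.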
