This is the 11th day of my participation in Gwen Challenge

As a supplement to the previous article: a Secret can be consumed by Pod containers through environment variables and volumes, just like a ConfigMap. Environment variables suit scenarios where a password has to be passed on the command line, whereas a volume suits scenarios where a file is used to authenticate against a remote service.

Use secret for environment variables

Create the pod from the yaml file test-secret-env.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: test-secret-env
spec:
  containers:
    - name: test-secret-env
      image: alpine
      imagePullPolicy: IfNotPresent
      command: [ "/bin/sh", "-c", "echo login to as user ${SUPERUSER} with password ${PASSWORD};env" ]
      env:
        - name: SUPERUSER
          valueFrom:
            secretKeyRef:
              name: test-secret-3
              key: superuser
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: test-secret-3
              key: password
      envFrom:
        - secretRef:
            name: test-secret-2
  restartPolicy: Never


The format is the same as for ConfigMap, and there are two ways to import: a single key (env with valueFrom.secretKeyRef) or the whole Secret at once (envFrom with secretRef).

Create the pod and view its logs:

[root@k8s-master Secret]# kubectl logs test-secret-env
login to as user admin with password Q%FvqS$*F$k^6i
secret1=d23hehuye8rq340p98du312rpur9er3eru038dfh3ry2098iuerewriu32987er98er

secret2=jp3oiur98sd7re=er=23r-sdf13i4%(eiru2p398(eur1p8u+o3iru2o3

KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=test-secret-env
SHLVL=1
HOME=/root
MYNGINX_SERVICE_SERVICE_PORT_HTTP=8080
MYNGINX_SERVICE_SERVICE_HOST=10.97.205.233
MYNGINX_SERVICE_PORT_8080_TCP_ADDR=10.97.205.233
SUPERUSER=admin
MYNGINX_SERVICE_PORT_8080_TCP_PORT=8080
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
MYNGINX_SERVICE_PORT_8080_TCP_PROTO=tcp
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MYNGINX_SERVICE_SERVICE_PORT=8080
MYNGINX_SERVICE_PORT=tcp://10.97.205.233:8080
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
MYNGINX_SERVICE_PORT_8080_TCP=tcp://10.97.205.233:8080
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
PASSWORD=Q%FvqS$*F$k^6i

Two points to note:

First, the Secret values arrive in the container already base64-decoded, so the container sees the plaintext. Second, the values of the two file-based keys (secret1 and secret2) appear to carry a trailing newline character, which is why each is printed with an empty line after it. If you create a Secret from files, make sure no file ends with a newline.

Recreate the files as shown below and then recreate the Secret; echo -n omits the trailing newline.

[root@k8s-master Secret]# echo -n "d23hehuye8rq340p98du312rpur9er3eru038dfh3ry2098iuerewriu32987er98er" > secret1
[root@k8s-master Secret]# echo -n "jp3oiur98sd7re=er=23r-sdf13i4%(eiru2p398(eur1p8u+o3iru2o3" > secret2
[root@k8s-master Secret]# kubectl delete secret/test-secret-2
secret "test-secret-2" deleted
[root@k8s-master Secret]# kubectl delete pod test-secret-env
pod "test-secret-env" deleted
[root@k8s-master Secret]# kubectl create secret generic test-secret-2 --from-file=secret1 --from-file=secret2
secret/test-secret-2 created
[root@k8s-master Secret]# kubectl apply -f test-secret-env.yaml
pod/test-secret-env created
[root@k8s-master Secret]# kubectl logs test-secret-env
login to as user admin with password Q%FvqS$*F$k^6i
secret1=d23hehuye8rq340p98du312rpur9er3eru038dfh3ry2098iuerewriu32987er98er
secret2=jp3oiur98sd7re=er=23r-sdf13i4%(eiru2p398(eur1p8u+o3iru2o3
...
...

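The trailing-newline pitfall above is easy to catch before the Secret is created. The following script is an added example, not part of the original post: it checks whether a source file (or an already-stored base64 value from a Secret's .data field) ends in a newline byte, shows the base64 kubectl would store, and only runs kubectl create when every file is clean. DRY_RUN is an assumed environment variable for this script.

```shell
#!/bin/sh
# Added example: pre-flight checks for Secret source files.
# Only create_secret_from_files needs a cluster; the rest run offline.

# Return 0 if FILE ends in a newline byte (0x0a), 1 otherwise.
file_ends_with_newline() {
  [ -s "$1" ] || return 1
  [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Return 0 if a base64 value (as stored under .data in a Secret) decodes
# to bytes ending in a newline. Useful for auditing a Secret already in the
# API: kubectl get secret NAME -o jsonpath='{.data.KEY}'
secret_value_ends_with_newline() {
  [ "$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Print the base64 string kubectl would store for FILE under .data.
encode_secret_file() {
  base64 < "$1" | tr -d '\n'
}

# Check every file, then create the Secret only if none has a stray newline.
# With DRY_RUN set (assumed variable), nothing is sent to the API server.
create_secret_from_files() {
  name=$1
  shift
  for f in "$@"; do
    if file_ends_with_newline "$f"; then
      echo "refusing: $f ends with a newline (recreate it with echo -n or printf)" >&2
      return 1
    fi
  done
  args=""
  for f in "$@"; do
    args="$args --from-file=$f"
  done
  # shellcheck disable=SC2086
  kubectl create secret generic "$name" $args ${DRY_RUN:+--dry-run=client -o yaml}
}
```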

Use secret in a volume

Create the pod from the yaml file test-secret-volume.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: test-secret-volume
spec:
  containers:
    - name: test-secret-volume
      image: alpine
      command: [ "/bin/sh", "-c", "ping 8.8.8.8" ]
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret
          readOnly: true
  volumes:
    - name: secret-volume
      secret:
        secretName: test-secret-2
  restartPolicy: Never

This is similar to ConfigMap, except that readOnly: true is set so the container cannot modify the files.

After the pod is created, enter the container and find that the two keys have appeared as files:

[root@k8s-master Secret]# kubectl exec test-secret-volume -it -- /bin/sh
/ # cd /etc/secret/
/etc/secret # ls -al
total 0
drwxrwxrwt    3 root     root           120 May 10 12:07 .
drwxr-xr-x    1 root     root            20 May 10 12:07 ..
drwxr-xr-x    2 root     root            80 May 10 12:07 ..2020_05_10_12_07_22.158909929
lrwxrwxrwx    1 root     root            31 May 10 12:07 ..data -> ..2020_05_10_12_07_22.158909929
lrwxrwxrwx    1 root     root            14 May 10 12:07 secret1 -> ..data/secret1
lrwxrwxrwx    1 root     root            14 May 10 12:07 secret2 -> ..data/secret2
/etc/secret # cat secret1
d23hehuye8rq340p98du312rpur9er3eru038dfh3ry2098iuerewriu32987er98er/etc/secret #
/etc/secret # cat secret2
jp3oiur98sd7re=er=23r-sdf13i4%(eiru2p398(eur1p8u+o3iru2o3/etc/secret #

Hot updates are also supported because the data is delivered through a volume: the files are symlinks into the ..data directory, which kubelet can repoint to a freshly written timestamped directory when the Secret changes.

K8s also has a special kind of Secret that is used to pull images from private Docker registries.

DockerHub and Google GCR are the two most widely used Docker image registries. Images in a public repository can be pulled directly, but a user's private repository requires a login before pulling; otherwise the pod fails with an ImagePullBackOff error.

DockerHub provides the docker login command, which generates a local credentials file so that later pulls of private images on that machine no longer fail:

[root@k8s-node1 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: victor2019
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded


If you want K8s to be able to pull private images, you need to store this authentication information in a K8s Secret.