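In some cases, for management reasons, critical production passwords and similar credentials may be known only to the operations engineers and must not be disclosed to the development engineers. A `Secret` solves this problem well. As an example, suppose the production environment uses MySQL.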
Database name | Username | Password |
---|---|---|
playground | root | root |
Write the YAML file

playground-secret.yaml

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: "playground-secret"
  namespace: "playground"
data:
  mysql-db-name: "cGxheWdyb3VuZA=="  # echo -n "playground" | base64 yields "cGxheWdyb3VuZA=="
  mysql-username: "cm9vdA=="         # echo -n "root" | base64 yields "cm9vdA=="
  mysql-password: "cm9vdA=="         # echo -n "root" | base64 yields "cm9vdA=="
```
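Values under `data:` are only base64-encoded, so anyone who can read the manifest or the Secret object can decode them, and encoding with `echo` instead of `echo -n` silently embeds a newline in the credential. The script below is an added example, not part of the original post: it decodes each `data:` entry of a manifest and flags values that contain a newline. The function names are hypothetical and the sample manifest is constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original post.

# Encode a value for the `data:` section. printf '%s' never appends a
# newline, which is what `echo -n` is used for in the post.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Number of newline bytes hidden inside a base64-encoded value.
newline_count() {
    printf '%s' "$1" | base64 --decode | wc -l | tr -d ' '
}

# Read a Secret manifest on stdin, print key=decoded for every entry under
# `data:`, and mark entries whose decoded value contains a newline.
audit_secret_data() {
    in_data=0
    while IFS= read -r line; do
        case "$line" in
            data:*) in_data=1; continue ;;
            " "*|"") ;;                 # indented or blank: still in section
            *) in_data=0 ;;             # another top-level key ends it
        esac
        [ "$in_data" -eq 1 ] || continue
        key=$(printf '%s' "${line%%:*}" | tr -d ' ')
        val=$(printf '%s' "${line#*:}" | sed 's/#.*//' | tr -d ' "')
        [ -n "$key" ] && [ -n "$val" ] || continue
        decoded=$(printf '%s' "$val" | base64 --decode)
        if [ "$(newline_count "$val")" -gt 0 ]; then
            printf '%s=%s  [WARN: contains newline]\n' "$key" "$decoded"
        else
            printf '%s=%s\n' "$key" "$decoded"
        fi
    done
}

# Constructed sample: the post's values, except the password, which was
# encoded with `echo "root" | base64` (no -n) to show the failure mode.
SAMPLE='apiVersion: v1
kind: Secret
data:
  mysql-db-name: "cGxheWdyb3VuZA=="
  mysql-username: "cm9vdA=="
  mysql-password: "cm9vdAo="
'
printf '%s' "$SAMPLE" | audit_secret_data
```

Run it against a manifest with `audit_secret_data < playground-secret.yaml` before applying the file.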
Create it

```bash
kubectl apply -f playground-secret.yaml
```
Use it

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: playground-pod
  namespace: "playground"
  labels:
    app: "playground"
spec:
  volumes:
    - name: log
      hostPath:
        path: "/var/log"
  containers:
    - name: "app"
      image: "10.211.55.6:5000/yingzhuo/playground:latest"
      imagePullPolicy: Always
      # Each variable is read from one key of playground-secret.
      # optional: false means the container will not start if the key is missing.
      env:
        - name: MYSQL_DB_NAME
          valueFrom:
            secretKeyRef:
              name: "playground-secret"
              key: "mysql-db-name"
              optional: false
        - name: MYSQL_USERNAME
          valueFrom:
            secretKeyRef:
              name: "playground-secret"
              key: "mysql-username"
              optional: false
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: "playground-secret"
              key: "mysql-password"
              optional: false
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: log
          mountPath: "/var/log"
    - name: "db"
      image: "10.211.55.6:5000/yingzhuo/playground-mysql:latest"
      imagePullPolicy: Always
      ports:
        - containerPort: 3306
```
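With this in place, environment variables such as `MYSQL_DB_NAME` are injected into the container automatically when the pod starts. Quite convenient!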