Linux - K8S - Secret

#Secret -  加密时,最好不要加上换行避免出现其他问题

[14:33:21 root@master1 storage]#cat 19-storage-nginx-secret.yaml 
apiVersion: v1
kind: Secret
metadata:
 name: nginx-secret
type: kubernetes.io/basic-auth
data:
 username: YWRtaW4=
 password: cGFzc3dvcmQ=
[14:42:15 root@master1 storage]#cat 20-storage-nginx-secret-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume
spec:
  volumes:

  - name: secret
    secret:
     secretName: nginx-secret
      containers:
    - name: nginx-secrec
      image: 10.0.0.19:80/mykubernetes/nginx:1.21.3
      volumeMounts:
       - name: secret
         mountPath: /nginxsecret/
         readOnly: true
      
[14:42:49 root@master1 storage]#kubectl apply -f 19-storage-nginx-secret.yaml 
secret/nginx-secret created
[14:42:55 root@master1 storage]#kubectl apply -f 20-storage-nginx-secret-pod.yaml 
pod/secret-volume created
[14:43:05 root@master1 storage]#kubectl get all -o wide
NAME                READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/secret-volume   1/1     Running   0          5s    10.244.3.2   node1.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d15h   <none>


[14:43:10 root@master1 storage]#kubectl exec -it secret-volume -- bash
oot@secret-volume:/# ls /nginxsecret/
password  username
root@secret-volume:/# cat /nginxsecret/password 
passwordroot@secret-volume:/# cat /nginxsecret/username 
adminroot@secret-volume:/# exit
exit
14:46:58 root@master1 storage]#echo -e "YWRtaW4=" | base64 -d
admin[14:47:03 root@master1 storage]#echo -e "cGFzc3dvcmQ=" | base64 -d
password
 

# mariadb case - 初始化mysql密码
# 在其他机器下载images
[15:16:30 root@ha1 ~]#docker run --name mariadb_test -e MYSQL_ROOT_PASSWORD=12345678 -d 10.0.0.55:80/mykubernetes/mariadb:10.6
Unable to find image '10.0.0.55:80/mykubernetes/mariadb:10.6' locally
10.6: Pulling from mykubernetes/mariadb
Digest: sha256:528cfe83d93caba437e75039b606a4637dd5c724c6a25d7c7b64ec2e9eb11303
Status: Downloaded newer image for 10.0.0.55:80/mykubernetes/mariadb:10.6
69e9b912be397977be450d3d80400476397f1932bb462eb1d39ed4ed8fb7fa91
15:18:49 root@ha1 ~]#docker ps
CONTAINER ID   IMAGE                                    COMMAND                  CREATED              STATUS                 PORTS                                   NAMES
69e9b912be39   10.0.0.55:80/mykubernetes/mariadb:10.6   "docker-entrypoint.s…"   About a minute ago   Up About a minute      3306/tcp                                mariadb_test


[15:19:06 root@ha1 ~]#docker exec -it 69e9b912be39 bash
root@69e9b912be39:/# mysql -uroot -p12345678 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> exit
Bye
root@69e9b912be39:/# exit
exit


[15:25:03 root@master1 storage]#echo -n "12345678" | base64
MTIzNDU2Nzg=

[14:57:08 root@master1 storage]#cat 21-storage-secret-mysql-init.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: kubernetes.io/basic-auth
data:
  username: cm9vdAo=
  password: MTIzNDU2Nzg=
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-init-secret
spec:
  containers:
  - name: mariadb
    image: 10.0.0.55:80/mykubernetes/mariadb:10.6
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-secret
          key: password

[15:21:50 root@master1 storage]#kubectl apply -f 21-storage-secret-mysql-init.yaml 
secret/mysql-secret created
pod/mysql-init-secret created
[15:21:58 root@master1 storage]#kubectl get all -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/mysql-init-secret   1/1     Running   0          6s    10.244.3.5   node1.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d15h   <none>
[15:22:39 root@master1 storage]#kubectl exec -it mysql-init-secret -- mysql -uroot -p12345678 -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

# 测试如果密码加入回车的话,会报错.
[15:26:48 root@master1 storage]#echo "12345678" | base64
MTIzNDU2NzgK

[15:24:25 root@master1 storage]#cat 21-storage-secret-mysql-init-error.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: kubernetes.io/basic-auth
data:
  username: cm9vdAo=
  password: MTIzNDU2NzgK
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-init-secret
spec:
  containers:
  - name: mariadb
    image: 10.0.0.55:80/mykubernetes/mariadb:10.6
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-secret
          key: password


[15:26:15 root@master1 storage]#kubectl apply -f 21-storage-secret-mysql-init-error.yaml 
secret/mysql-secret created
pod/mysql-init-secret created
[15:26:28 root@master1 storage]#kubectl get all -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/mysql-init-secret   1/1     Running   0          10s   10.244.3.6   node1.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d15h   <none>
[15:26:38 root@master1 storage]#kubectl exec -it mysql-init-secret -- mysql -uroot -p12345678 -e "show databases;"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
command terminated with exit code 1



# tls 实验 - https

# 回到家目录,开始创建证书
[15:39:23 root@master1 storage]#cd

[15:42:10 root@master1 ~]#openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
..............................+++++
e is 65537 (0x010001)

[15:42:16 root@master1 ~]#openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Chengdu/L=Chengdu/O=DevOps/CN=www.noisedu.cn
Can't load /root/.rnd into RNG
140498693771712:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
[15:42:19 root@master1 ~]#openssl rand -writerand .rnd
[15:43:05 root@master1 ~]#openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Chengdu/L=Chengdu/O=DevOps/CN=www.noisedu.cn

[15:44:01 root@master1 ~]#kubectl create secret tls nginx-ssl-secret --cert=tls.crt --key=tls.key 
secret/nginx-ssl-secret created

# 通过configmap导入nginx配置文件
[15:45:06 root@master1 storage]#cat nginx-ssl-conf.d/myserver
myserver.conf        myserver-gzip.cfg    myserver-status.cfg  
[15:45:06 root@master1 storage]#cat nginx-ssl-conf.d/myserver.conf 
server {
    listen 443 ssl;
    server_name www.sswang.com;

    ssl_certificate /etc/nginx/certs/tls.crt; 
    ssl_certificate_key /etc/nginx/certs/tls.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.sswang.com; 
    return 301 https://$host$request_uri; 
}
[15:46:48 root@master1 storage]#cat nginx-ssl-conf.d/myserver-status.cfg 
location /nginx-status {
    stub_status on;
    access_log off;
}

[15:44:46 root@master1 storage]#kubectl create configmap nginx-ssl-conf --from-file=nginx-ssl-conf.d/
configmap/nginx-ssl-conf created

# 开始配置资源文件, Configmap和secret之前已配置好
[15:47:51 root@master1 storage]#cat 22-storage-secret-nginx-ssl.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: nginx-ssl-server
  namespace: default
spec:
  containers:
  - image: 10.0.0.55:80/mykubernetes/nginx:1.21.3
    name: nginx-ssl-server
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxcerts
    secret:
      secretName: nginx-ssl-secret
  - name: nginxconfs
    configMap:
      name: nginx-ssl-conf
      optional: false

# 开始测试
[15:47:54 root@master1 storage]#kubectl apply -f 22-storage-secret-nginx-ssl.yaml 
pod/nginx-ssl-server created
[15:49:24 root@master1 storage]#kubectl get all -o wide
NAME                   READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/nginx-ssl-server   1/1     Running   0          5s    10.244.4.3   node2.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d16h   <none>
[15:49:29 root@master1 storage]#curl https://10.244.4.3
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[15:49:56 root@master1 storage]#curl -k https://10.244.4.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[15:50:00 root@master1 storage]#curl http://10.244.4.3
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.21.4</center>
</body>
</html>

  

上一篇:MongoDB服务无法启动,发生服务特定错误:100


下一篇:OMF添加在线日志_OCP学习笔记(4)