# Secret - 做 base64 编码时(注意: Secret 的 data 只是 base64 编码,并不是加密),最好不要加上换行,避免出现其他问题
[14:33:21 root@master1 storage]#cat 19-storage-nginx-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
type: kubernetes.io/basic-auth
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQ=
[14:42:15 root@master1 storage]#cat 20-storage-nginx-secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume
spec:
  volumes:
    - name: secret
      secret:
        secretName: nginx-secret
  containers:
    - name: nginx-secrec
      image: 10.0.0.19:80/mykubernetes/nginx:1.21.3
      volumeMounts:
        - name: secret
          mountPath: /nginxsecret/
          readOnly: true
[14:42:49 root@master1 storage]#kubectl apply -f 19-storage-nginx-secret.yaml
secret/nginx-secret created
[14:42:55 root@master1 storage]#kubectl apply -f 20-storage-nginx-secret-pod.yaml
pod/secret-volume created
[14:43:05 root@master1 storage]#kubectl get all -o wide
NAME                READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/secret-volume   1/1     Running   0          5s    10.244.3.2   node1.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d15h   <none>
[14:43:10 root@master1 storage]#kubectl exec -it secret-volume -- bash
root@secret-volume:/# ls /nginxsecret/
password  username
root@secret-volume:/# cat /nginxsecret/password
passwordroot@secret-volume:/# cat /nginxsecret/username
adminroot@secret-volume:/# exit
exit
[14:46:58 root@master1 storage]#echo -e "YWRtaW4=" | base64 -d
admin[14:47:03 root@master1 storage]#echo -e "cGFzc3dvcmQ=" | base64 -d
password

# mariadb case - 初始化mysql密码
# 在其他机器下载images
[15:16:30 root@ha1 ~]#docker run --name mariadb_test -e MYSQL_ROOT_PASSWORD=12345678 -d 10.0.0.55:80/mykubernetes/mariadb:10.6
Unable to find image '10.0.0.55:80/mykubernetes/mariadb:10.6' locally
10.6: Pulling from mykubernetes/mariadb
Digest: sha256:528cfe83d93caba437e75039b606a4637dd5c724c6a25d7c7b64ec2e9eb11303
Status: Downloaded newer image for 10.0.0.55:80/mykubernetes/mariadb:10.6
69e9b912be397977be450d3d80400476397f1932bb462eb1d39ed4ed8fb7fa91
[15:18:49 root@ha1 ~]#docker ps
CONTAINER ID   IMAGE                                    COMMAND                  CREATED              STATUS              PORTS      NAMES
69e9b912be39   10.0.0.55:80/mykubernetes/mariadb:10.6   "docker-entrypoint.s…"   About a minute ago   Up About a minute   3306/tcp   mariadb_test
[15:19:06 root@ha1 ~]#docker exec -it 69e9b912be39 bash
root@69e9b912be39:/# mysql -uroot -p12345678
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> exit
Bye
root@69e9b912be39:/# exit
exit
[15:25:03 root@master1 storage]#echo -n "12345678" | base64
MTIzNDU2Nzg=
[14:57:08 root@master1 storage]#cat 21-storage-secret-mysql-init.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: kubernetes.io/basic-auth
data:
  username: cm9vdAo=
  password: MTIzNDU2Nzg=
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-init-secret
spec:
  containers:
    - name: mariadb
      image: 10.0.0.55:80/mykubernetes/mariadb:10.6
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: password
# 注意: 上面 username 的值 cm9vdAo= 解码后是 "root" 加一个换行符(与下面密码带回车的问题相同);
# 本例 Pod 只引用了 password 键,所以这里没有暴露出来,正确值应为 echo -n "root" | base64 得到的 cm9vdA==
[15:21:50 root@master1 storage]#kubectl apply -f 21-storage-secret-mysql-init.yaml
secret/mysql-secret created
pod/mysql-init-secret created
[15:21:58 root@master1 storage]#kubectl get all -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/mysql-init-secret   1/1     Running   0          6s    10.244.3.5   node1.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d15h   <none>
[15:22:39 root@master1 storage]#kubectl exec -it mysql-init-secret -- mysql -uroot -p12345678 -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

# 测试: 如果密码的 base64 值里带了回车,Pod 能正常启动,但用原密码登录会被拒绝.
[15:26:48 root@master1 storage]#echo "12345678" | base64
MTIzNDU2NzgK
[15:24:25 root@master1 storage]#cat 21-storage-secret-mysql-init-error.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: kubernetes.io/basic-auth
data:
  username: cm9vdAo=
  password: MTIzNDU2NzgK
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql-init-secret
spec:
  containers:
    - name: mariadb
      image: 10.0.0.55:80/mykubernetes/mariadb:10.6
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: password
[15:26:15 root@master1 storage]#kubectl apply -f 21-storage-secret-mysql-init-error.yaml
secret/mysql-secret created
pod/mysql-init-secret created
[15:26:28 root@master1 storage]#kubectl get all -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/mysql-init-secret   1/1     Running   0          10s   10.244.3.6   node1.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d15h   <none>
[15:26:38 root@master1 storage]#kubectl exec -it mysql-init-secret -- mysql -uroot -p12345678 -e "show databases;"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
command terminated with exit code 1

# tls 实验 - https
# 回到家目录,开始创建证书
[15:39:23 root@master1 storage]#cd
[15:42:10 root@master1 ~]#openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
..............................+++++
e is 65537 (0x010001)
[15:42:16 root@master1 ~]#openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Chengdu/L=Chengdu/O=DevOps/CN=www.noisedu.cn
Can't load /root/.rnd into RNG
140498693771712:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
[15:42:19 root@master1 ~]#openssl rand -writerand .rnd
[15:43:05 root@master1 ~]#openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Chengdu/L=Chengdu/O=DevOps/CN=www.noisedu.cn
# 注意: 上面没有指定 -days,自签名证书默认只有 30 天有效期;这是测试用的自签名证书,浏览器/curl 默认不会信任它
[15:44:01 root@master1 ~]#kubectl create secret tls nginx-ssl-secret --cert=tls.crt --key=tls.key
secret/nginx-ssl-secret created

# 通过configmap导入nginx配置文件
[15:45:06 root@master1 storage]#cat nginx-ssl-conf.d/myserver
myserver.conf  myserver-gzip.cfg  myserver-status.cfg
[15:45:06 root@master1 storage]#cat nginx-ssl-conf.d/myserver.conf
server {
    listen 443 ssl;
    server_name www.sswang.com;
    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    include /etc/nginx/conf.d/myserver-*.cfg;
    location / {
        root /usr/share/nginx/html;
    }
}
server {
    listen 80;
    server_name www.sswang.com;
    return 301 https://$host$request_uri;
}
# 注意: ssl_protocols 里仍然启用了已废弃的 TLSv1 和 TLSv1.1,生产环境应只保留 TLSv1.2(及 TLSv1.3);
# 另外 server_name 是 www.sswang.com,而上面证书的 CN 是 www.noisedu.cn,客户端按域名校验证书时会不匹配
# (本实验直接用 Pod IP 加 curl -k 访问,所以没有体现出来)
[15:46:48 root@master1 storage]#cat nginx-ssl-conf.d/myserver-status.cfg
location /nginx-status {
    stub_status on;
    access_log off;
}
# 注意: /nginx-status 没有加 allow/deny 限制,任何能访问到该 Pod 的客户端都能读取 stub_status 信息
[15:44:46 root@master1 storage]#kubectl create configmap nginx-ssl-conf --from-file=nginx-ssl-conf.d/
configmap/nginx-ssl-conf created

# 开始配置资源文件, Configmap和secret之前已配置好
[15:47:51 root@master1 storage]#cat 22-storage-secret-nginx-ssl.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-ssl-server
  namespace: default
spec:
  containers:
    - image: 10.0.0.55:80/mykubernetes/nginx:1.21.3
      name: nginx-ssl-server
      volumeMounts:
        - name: nginxcerts
          mountPath: /etc/nginx/certs/
          readOnly: true
        - name: nginxconfs
          mountPath: /etc/nginx/conf.d/
          readOnly: true
  volumes:
    - name: nginxcerts
      secret:
        secretName: nginx-ssl-secret
    - name: nginxconfs
      configMap:
        name: nginx-ssl-conf
        optional: false

# 开始测试
[15:47:54 root@master1 storage]#kubectl apply -f 22-storage-secret-nginx-ssl.yaml
pod/nginx-ssl-server created
[15:49:24 root@master1 storage]#kubectl get all -o wide
NAME                   READY   STATUS    RESTARTS   AGE   IP           NODE               NOMINATED NODE   READINESS GATES
pod/nginx-ssl-server   1/1     Running   0          5s    10.244.4.3   node2.noisedu.cn   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE     SELECTOR
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   7d16h   <none>
[15:49:29 root@master1 storage]#curl https://10.244.4.3
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
# -k 表示跳过证书校验,只适合自签名证书的本地测试
[15:49:56 root@master1 storage]#curl -k https://10.244.4.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[15:50:00 root@master1 storage]#curl http://10.244.4.3
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.21.4</center>
</body>
</html>
# 注意: Pod 里引用的镜像 tag 是 nginx:1.21.3,但实际响应显示 nginx/1.21.4,说明私有仓库中该 tag 指向的内容和 tag 名不一致(可能被重新推送过);
# 想要可复现的部署,建议按 digest(image@sha256:...)引用镜像,而不是只靠可变的 tag