255 lines
7.0 KiB
Markdown
255 lines
7.0 KiB
Markdown
---
|
||
title: 使用 Kustomize 管理 Secret
|
||
content_type: task
|
||
weight: 30
|
||
description: 使用 kustomization.yaml 文件创建 Secret 对象。
|
||
---
|
||
<!--
|
||
title: Managing Secrets using Kustomize
|
||
content_type: task
|
||
weight: 30
|
||
description: Creating Secret objects using kustomization.yaml file.
|
||
-->
|
||
|
||
<!-- overview -->
|
||
|
||
<!--
|
||
`kubectl` supports using the [Kustomize object management tool](/docs/tasks/manage-kubernetes-objects/kustomization/) to manage Secrets
|
||
and ConfigMaps. You create a *resource generator* using Kustomize, which
|
||
generates a Secret that you can apply to the API server using `kubectl`.
|
||
-->
|
||
`kubectl` 支持使用 [Kustomize 对象管理工具](/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/)来管理
|
||
Secret 和 ConfigMap。你可以使用 Kustomize 创建**资源生成器(Resource Generator)**,
|
||
该生成器会生成一个 Secret,让你能够通过 `kubectl` 应用到 API 服务器。
|
||
|
||
## {{% heading "prerequisites" %}}
|
||
|
||
{{< include "task-tutorial-prereqs.md" >}}
|
||
|
||
<!-- steps -->
|
||
|
||
<!--
|
||
## Create a Secret
|
||
|
||
You can generate a Secret by defining a `secretGenerator` in a
|
||
`kustomization.yaml` file that references other existing files, `.env` files, or
|
||
literal values. For example, the following instructions create a kustomization
|
||
file for the username `admin` and the password `1f2d1e2e67df`.
|
||
|
||
### Create the kustomization file
|
||
-->
|
||
## 创建 Secret {#create-a-secret}
|
||
|
||
你可以在 `kustomization.yaml` 文件中定义 `secreteGenerator` 字段,
|
||
并在定义中引用其它本地文件、`.env` 文件或文字值生成 Secret。
|
||
例如:下面的指令为用户名 `admin` 和密码 `1f2d1e2e67df` 创建 kustomization 文件。
|
||
|
||
{{< note >}}
|
||
<!--
|
||
The `stringData` field for a Secret does not work well with server-side apply.
|
||
-->
|
||
Secret 的 `stringData` 字段与服务端应用不兼容。
|
||
{{< /note >}}
|
||
|
||
### 创建 kustomization 文件 {#create-the-kustomization-file}
|
||
|
||
{{< tabs name="Secret data" >}}
|
||
{{< tab name="文字" codelang="yaml" >}}
|
||
secretGenerator:
|
||
- name: database-creds
|
||
literals:
|
||
- username=admin
|
||
- password=1f2d1e2e67df
|
||
{{< /tab >}}
|
||
{{% tab name="文件" %}}
|
||
|
||
<!--
|
||
1. Store the credentials in files. The filenames are the keys of the secret:
|
||
-->
|
||
1. 将凭据存储在文件中。文件名是 Secret 的 key 值:
|
||
|
||
```shell
|
||
echo -n 'admin' > ./username.txt
|
||
echo -n '1f2d1e2e67df' > ./password.txt
|
||
```
|
||
|
||
<!--
|
||
The `-n` flag ensures that there's no newline character at the end of your
|
||
files.
|
||
-->
|
||
|
||
`-n` 标志确保文件结尾处没有换行符。
|
||
|
||
<!--
|
||
1. Create the `kustomization.yaml` file:
|
||
-->
|
||
2. 创建 `kustomization.yaml` 文件:
|
||
|
||
```yaml
|
||
secretGenerator:
|
||
- name: database-creds
|
||
files:
|
||
- username.txt
|
||
- password.txt
|
||
```
|
||
|
||
{{% /tab %}}
|
||
{{% tab name=".env 文件" %}}
|
||
<!--
|
||
You can also define the secretGenerator in the `kustomization.yaml` file by
|
||
providing `.env` files. For example, the following `kustomization.yaml` file
|
||
pulls in data from an `.env.secret` file:
|
||
-->
|
||
你也可以使用 `.env` 文件在 `kustomization.yaml` 中定义 `secretGenerator`。
|
||
例如下面的 `kustomization.yaml` 文件从 `.env.secret` 文件获取数据:
|
||
|
||
```yaml
|
||
secretGenerator:
|
||
- name: db-user-pass
|
||
envs:
|
||
- .env.secret
|
||
```
|
||
{{% /tab %}}
|
||
{{< /tabs >}}
|
||
|
||
<!--
|
||
In all cases, you don't need to encode the values in base64. The name of the YAML
|
||
file **must** be `kustomization.yaml` or `kustomization.yml`.
|
||
-->
|
||
在所有情况下,你都不需要对取值作 base64 编码。
|
||
YAML 文件的名称**必须**是 `kustomization.yaml` 或 `kustomization.yml`。
|
||
|
||
<!--
|
||
### Apply the kustomization file
|
||
|
||
To create the Secret, apply the directory that contains the kustomization file:
|
||
-->
|
||
### 应用 kustomization 文件 {#apply-the-kustomization-file}
|
||
|
||
若要创建 Secret,应用包含 kustomization 文件的目录。
|
||
|
||
```shell
|
||
kubectl apply -k <目录路径>
|
||
```
|
||
|
||
<!--
|
||
The output is similar to:
|
||
-->
|
||
输出类似于:
|
||
|
||
```
|
||
secret/database-creds-5hdh7hhgfk created
|
||
```
|
||
|
||
<!--
|
||
When a Secret is generated, the Secret name is created by hashing
|
||
the Secret data and appending the hash value to the name. This ensures that
|
||
a new Secret is generated each time the data is modified.
|
||
|
||
To verify that the Secret was created and to decode the Secret data,
|
||
|
||
```shell
|
||
kubectl get -k <directory-path> -o jsonpath='{.data}'
|
||
```
|
||
-->
|
||
生成 Secret 时,Secret 的名称最终是由 `name` 字段和数据的哈希值拼接而成。
|
||
这将保证每次修改数据时生成一个新的 Secret。
|
||
|
||
要验证 Secret 是否已创建并解码 Secret 数据,
|
||
|
||
```shell
|
||
kubectl get -k <目录路径> -o jsonpath='{.data}'
|
||
```
|
||
|
||
<!--
|
||
The output is similar to:
|
||
-->
|
||
输出类似于:
|
||
|
||
```
|
||
{ "password": "MWYyZDFlMmU2N2Rm", "username": "YWRtaW4=" }
|
||
```
|
||
|
||
```
|
||
echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
|
||
```
|
||
|
||
<!--
|
||
The output is similar to:
|
||
-->
|
||
输出类似于:
|
||
|
||
```
|
||
1f2d1e2e67df
|
||
```
|
||
|
||
<!--
|
||
For more information, refer to
|
||
[Managing Secrets using kubectl](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#verify-the-secret) and
|
||
[Declarative Management of Kubernetes Objects Using Kustomize](/docs/tasks/manage-kubernetes-objects/kustomization/).
|
||
-->
|
||
更多信息参阅
|
||
[使用 kubectl 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/#verify-the-secret)和
|
||
[使用 Kustomize 对 Kubernetes 对象进行声明式管理](/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/)
|
||
|
||
<!--
|
||
## Edit a Secret {#edit-secret}
|
||
|
||
1. In your `kustomization.yaml` file, modify the data, such as the `password`.
|
||
1. Apply the directory that contains the kustomization file:
|
||
|
||
```shell
|
||
kubectl apply -k <directory-path>
|
||
```
|
||
-->
|
||
## 编辑 Secret {#edit-secret}
|
||
|
||
1. 在 `kustomization.yaml` 文件中,修改诸如 `password` 等数据。
|
||
1. 应用包含 kustomization 文件的目录:
|
||
|
||
```shell
|
||
kubectl apply -k <目录路径>
|
||
```
|
||
|
||
<!--
|
||
The output is similar to:
|
||
-->
|
||
|
||
输出类似于:
|
||
|
||
```
|
||
secret/db-user-pass-6f24b56cc8 created
|
||
```
|
||
|
||
<!--
|
||
The edited Secret is created as a new `Secret` object, instead of updating the
|
||
existing `Secret` object. You might need to update references to the Secret in
|
||
your Pods.
|
||
-->
|
||
编辑过的 Secret 被创建为一个新的 `Secret` 对象,而不是更新现有的 `Secret` 对象。
|
||
你可能需要在 Pod 中更新对该 Secret 的引用。
|
||
|
||
<!--
|
||
## Clean up
|
||
|
||
To delete a Secret, use `kubectl`:
|
||
-->
|
||
## 清理 {#clean-up}
|
||
|
||
要删除 Secret,请使用 `kubectl`:
|
||
|
||
```shell
|
||
kubectl delete secret db-user-pass
|
||
```
|
||
|
||
## {{% heading "whatsnext" %}}
|
||
|
||
<!--
|
||
- Read more about the [Secret concept](/docs/concepts/configuration/secret/)
|
||
- Learn how to [manage Secrets using kubectl](/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
|
||
- Learn how to [manage Secrets using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/)
|
||
-->
|
||
- 进一步阅读 [Secret 概念](/zh-cn/docs/concepts/configuration/secret/)
|
||
- 了解如何[使用 kubectl 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
|
||
- 了解如何[使用配置文件管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/)
|