Syncing Secrets and ConfigMaps to specified namespaces

2021-06-25 16:52:38

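Introduction

Synator synchronizes Secrets and ConfigMaps across the namespaces of a cluster, so a Secret or ConfigMap can be created in multiple namespaces in a single step. It is useful for Secrets and ConfigMaps that many namespaces in the cluster need, such as image pull credentials.

Project: https://github.com/TheYkk/synator.git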

Installation

git clone https://github.com/TheYkk/synator.git
cd synator
kubectl apply -f deploy.yml

After installation, check that the pod is running:

[root@master-01 sync-cm-secret]# kubectl get pod -l name=synator
NAME                       READY   STATUS    RESTARTS   AGE
synator-77f47f7dfb-jbrq5   1/1     Running   0          13m

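Usage

1. Add the annotation synator/sync=yes to a Secret or ConfigMap. You can also use the annotation synator/include-namespaces='namespace1,namespace2' to set which namespaces to sync to, or the annotation synator/exclude-namespaces='kube-system,kube-node-lease' to exclude certain namespaces.

For example, we create a Secret and set it to sync to the kuboard and monitoring namespaces: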

kind: Secret
apiVersion: v1
metadata:
  name: example
  namespace: default
  annotations:
    synator/sync: 'yes'
    synator/include-namespaces: 'kuboard,monitoring'
data:
  tt: dHQ0NTExMjM0NTU=
type: Opaque

After creating it, we can see that a Secret named example is also created in the kuboard and monitoring namespaces:

[root@master-01 sync-cm-secret]# kubectl get secrets  -n  kuboard 
NAME                         TYPE                                  DATA   AGE
default-token-7qwf4          kubernetes.io/service-account-token   3      28h
kuboard-admin-token-r58sf    kubernetes.io/service-account-token   3      28h
kuboard-viewer-token-7hvhj   kubernetes.io/service-account-token   3      28h
[root@master-01 sync-cm-secret]# kubectl  apply -f secerts.yaml 
secret/example created
[root@master-01 sync-cm-secret]# kubectl get secrets  -n  kuboard 
NAME                         TYPE                                  DATA   AGE
default-token-7qwf4          kubernetes.io/service-account-token   3      28h
example                      Opaque                                1      4s
kuboard-admin-token-r58sf    kubernetes.io/service-account-token   3      28h
kuboard-viewer-token-7hvhj   kubernetes.io/service-account-token   3      28h
[root@master-01 sync-cm-secret]# kubectl get secrets 
NAME                                       TYPE                                  DATA   AGE
default-token-fdd5k                        kubernetes.io/service-account-token   3      41d
example                                    Opaque                                1      8s
issuer-account-key                         Opaque                                1      28d
synator-token-dt6gh                        kubernetes.io/service-account-token   3      19m
test-web-service-route-5c6bc66f8c-0-cert   kubernetes.io/tls                     2      28d

Note: deleting this secrets.yaml does not also delete the resources in kuboard and monitoring.
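
To see how far each annotated object fans out, the sketch below computes the target namespaces from the annotations described above; it is an added example, not Synator's own code. Assumptions: an object without include-namespaces is copied to every other namespace, an include list takes precedence over an exclude list, and the sample listing, the NAMESPACES list and the ca-bundle ConfigMap are constructed.

```python
import json

SYNC = "synator/sync"
INCLUDE = "synator/include-namespaces"
EXCLUDE = "synator/exclude-namespaces"

# Constructed sample in the shape of `kubectl get secrets,configmaps -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Secret", "metadata": {"name": "example", "namespace": "default",
   "annotations": {"synator/sync": "yes",
                   "synator/include-namespaces": "kuboard,monitoring"}}},
 {"kind": "ConfigMap", "metadata": {"name": "ca-bundle", "namespace": "default",
   "annotations": {"synator/sync": "yes",
                   "synator/exclude-namespaces": "kube-system,kube-node-lease"}}},
 {"kind": "Secret", "metadata": {"name": "issuer-account-key", "namespace": "default"}}
]}
""")
NAMESPACES = ["default", "kube-node-lease", "kube-system", "kuboard", "monitoring"]

def split_list(value):
    """Parse a comma-separated annotation value into a set of namespace names."""
    return {n.strip() for n in value.split(",") if n.strip()}

def sync_targets(obj, namespaces):
    """Namespaces an object is copied to, or None if it is not marked for sync."""
    meta = obj["metadata"]
    ann = meta.get("annotations") or {}
    if ann.get(SYNC) != "yes":
        return None
    others = set(namespaces) - {meta["namespace"]}
    if INCLUDE in ann:  # assumption: an include list wins over an exclude list
        return sorted(others & split_list(ann[INCLUDE]))
    return sorted(others - split_list(ann.get(EXCLUDE, "")))

def audit(listing, namespaces):
    """One row per synced object; 'unbounded' means new namespaces also get a copy."""
    rows = []
    for obj in listing["items"]:
        targets = sync_targets(obj, namespaces)
        if targets is not None:
            meta = obj["metadata"]
            rows.append({"source": f'{obj["kind"]}/{meta["namespace"]}/{meta["name"]}',
                         "targets": targets,
                         "unbounded": INCLUDE not in meta["annotations"]})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE, NAMESPACES):
        print(row)
```

On a live cluster, pass it the parsed output of kubectl get secrets,configmaps -A -o json and the names from kubectl get ns; rows marked unbounded are the ones whose exposure grows whenever a namespace is added.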

2. Use the annotation synator/reload: "secret:example" to update pods after the resource is updated.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      name: busybox
  template:
    metadata:
      labels:
        name: busybox
      annotations:
        synator/reload: "secret:example"
    spec:
      containers:
      - name: busybox
        image: busybox:1.29
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
        volumeMounts:
        - mountPath: /config
          name: config-volume
      volumes:
      - name: config-volume
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: example

When we modify the example Secret deployed above, the pod is updated automatically, and the Secret it references now holds the updated value:

[root@master-01 demo]# kubectl apply -f deployment.yaml 
deployment.apps/busybox created
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-l5v6j  -- sh 
/ # cat config/tt 
tt451123455/ # exit
[root@master-01 demo]# echo tt87654321|base64
dHQ4NzY1NDMyMQo=
[root@master-01 demo]# vi secerts.yaml 
[root@master-01 demo]# kubectl apply -f secerts.yaml 
secret/example configured
[root@master-01 demo]# kubectl get pod
NAME                               READY   STATUS        RESTARTS   AGE
busybox-7d79ccdbb-dzkl4            1/1     Running       0          9s
busybox-7d79ccdbb-l5v6j            1/1     Terminating   0          98s
check-ecs-price-7cdc97b997-bl99p   1/1     Running       0          3h58m
synator-77f47f7dfb-jbrq5           1/1     Running       0          30m
web-show-768dd97986-fp9bs          1/1     Running       0          21d
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-dzkl4  --sh 
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-dzkl4  -- sh 
/ # cat config/tt 
tt87654321
/ # exit
