简介
Synator可以将Secrets和ConfigMap在我们集群的namespace中同步,实现一步在集群多个namespace创建secrets和configmap,可以用来创建一些集群中多个namespace都需要的secerts和configmap咨询,如镜像的拉取凭证
项目:https://github.com/TheYkk/synator.git
安装
代码语言:javascript复制git clone https://github.com/TheYkk/synator.git
cd synctor
kubectl apply -f deploy.yml
安装后可以查看
代码语言:javascript复制[root@master-01 sync-cm-secret]# kubectl get pod -l name=synator
NAME READY STATUS RESTARTS AGE
synator-77f47f7dfb-jbrq5 1/1 Running 0 13m
使用
1、添加注解synator/sync=yes
到Secret或ConfigMap即可,还可以使用注解synator/include-namespaces='namespace1,namespace2'
设置同步到哪些名称空间,或者使用注解synator/exclude-namespaces='kube-system,kube-node-lease
排除某些名称空间
例如我们创建一个secrets并设置同步到kuboard和monitoring这两个namespace下
代码语言:javascript复制kind: Secret
apiVersion: v1
metadata:
name: example
namespace: default
annotations:
synator/sync: 'yes'
synator/include-namespaces: 'kuboard,monitoring'
data:
tt: dHQ0NTExMjM0NTU=
type: Opaque
当我们创建后可以发现会同步在kuboard和monitoring名称空间下也创建名为example的secrer资源
代码语言:javascript复制[root@master-01 sync-cm-secret]# kubectl get secrets -n kuboard
NAME TYPE DATA AGE
default-token-7qwf4 kubernetes.io/service-account-token 3 28h
kuboard-admin-token-r58sf kubernetes.io/service-account-token 3 28h
kuboard-viewer-token-7hvhj kubernetes.io/service-account-token 3 28h
[root@master-01 sync-cm-secret]# kubectl apply -f secerts.yaml
secret/example created
[root@master-01 sync-cm-secret]# kubectl get secrets -n kuboard
NAME TYPE DATA AGE
default-token-7qwf4 kubernetes.io/service-account-token 3 28h
example Opaque 1 4s
kuboard-admin-token-r58sf kubernetes.io/service-account-token 3 28h
kuboard-viewer-token-7hvhj kubernetes.io/service-account-token 3 28h
[root@master-01 sync-cm-secret]# kubectl get secrets
NAME TYPE DATA AGE
default-token-fdd5k kubernetes.io/service-account-token 3 41d
example Opaque 1 8s
issuer-account-key Opaque 1 28d
synator-token-dt6gh kubernetes.io/service-account-token 3 19m
test-web-service-route-5c6bc66f8c-0-cert kubernetes.io/tls 2 28d
注意:删除这个secrets.yaml文件不会同步删除kuboard和monitoring下的资源
2、使用注解synator/reload: "secret:example"
可以在资源更新后更新pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: busybox
namespace: default
spec:
replicas: 1
selector:
matchLabels:
name: busybox
template:
metadata:
labels:
name: busybox
annotations:
synator/reload: "secret:example"
spec:
containers:
- name: busybox
image: busybox:1.29
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
args:
- /bin/sh
- -c
- touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
volumeMounts:
- mountPath: /config
name: config-volume
volumes:
- name: config-volume
projected:
defaultMode: 420
sources:
- secret:
name: example
我们修改上面部署的example这个secret会发现pod此时自动进行了更新,pod引用的secret也变为更新后的了
代码语言:javascript复制[root@master-01 demo]# kubectl apply -f deployment.yaml
deployment.apps/busybox created
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-l5v6j -- sh
/ # cat config/tt
tt451123455/ # exit
[root@master-01 demo]# echo tt87654321|base64
dHQ4NzY1NDMyMQo=
[root@master-01 demo]# vi secerts.yaml
[root@master-01 demo]# kubectl apply -f secerts.yaml
secret/example configured
[root@master-01 demo]# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox-7d79ccdbb-dzkl4 1/1 Running 0 9s
busybox-7d79ccdbb-l5v6j 1/1 Terminating 0 98s
check-ecs-price-7cdc97b997-bl99p 1/1 Running 0 3h58m
synator-77f47f7dfb-jbrq5 1/1 Running 0 30m
web-show-768dd97986-fp9bs 1/1 Running 0 21d
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-dzkl4 --sh
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-dzkl4 -- sh
/ # cat config/tt
tt87654321
/ # exit