使用 configmap 挂载配置文件

intro

有一些敏感信息比如数据库连接字符串之类的出于安全考虑，这些敏感信息保存在了 azure keyvault 中，最近应用上了 k8s 部署，所以想把 azure keyvault 的信息迁移到 configmap，不再依赖 azure keyvault。

configmap

新建一个 configmap，你可以从文件创建，如何创建configmap 可以参考，也可以直接手动编辑，这里用的 configmap 如下所示：

apiversion: v1
kind: configmap
metadata:
  name: reservation-configs
  namespace: default
data:
  appsettings: |
    {      
      "connectionstrings": {
        "redis": "redis-server",
        "reservation": "server=localhost;uid=liweihan;pwd=**;database=reservation",
        "elasticsearch": "elasticsearch"
      },
      "mpwechat":{
        "appid": "wx4a41d3773ae55543",
        "appsecret": "**********",
        "token": "amazingdotnet",
        "aeskey": "------------"
      },
      "appsettings": {
        "wechatsubscribereply": "",
        "sentryclientkey": "https://**"
      },
      "tencent": {
        "captcha": {
          "appid": "2062135016",
          "appsecret": "****"
        }
      },
      "googlerecaptcha": {
        "sitekey": "6lc-**",
        "secret": "6lc-**"
      },
      "logging": {
        "loglevel": {
          "default": "warning",
          "activityreservation": "debug",
          "requestlog": "debug"
        }
      }
    }

挂载 configmap 中的配置文件到 pod

deployment 定义如下所示， 这里直接把上面定义的 appsettings 直接挂载为应用程序的根目录下 appsettings.json 文件

apiversion: apps/v1
kind: deployment
metadata:
  name: activityreservation
  namespace: default
  labels:
    app: activityreservation
spec:
  replicas: 2
  revisionhistorylimit: 2 # how many old replicasets for this deployment you want to retain, https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy
  selector:
    matchlabels:
      app: activityreservation
  minreadyseconds: 0
  strategy:
    type: rollingupdate
    rollingupdate:
      maxunavailable: 1
      maxsurge: 1
  template:
    metadata:
      labels:
        app: activityreservation
    spec:
      dnsconfig:
        options:
          - name: ndots
            value: "1"
      containers:        
        - name: activityreservation
          image: weihanli/activityreservation:20190529.2
          imagepullpolicy: ifnotpresent
          resources:
            limits:
              memory: "256mi"
              cpu: "300m"
          readinessprobe:
            tcpsocket:
              port: 80
            initialdelayseconds: 60
            periodseconds: 30
          livenessprobe:
            httpget:
              path: /health
              port: 80
            initialdelayseconds: 60
            periodseconds: 60
          ports:
            - containerport: 80
          volumemounts:
          - name: settings
            mountpath: /app/appsettings.json
            subpath: appsettings

      volumes:
        - name: settings
          configmap:
            name: reservation-configs

测试

1. 部署 configmap

   kubectl apply -f configmap.yaml

2. 部署 deployment

   kubectl apply -f reservation-deployment.yaml

3. 等待 pod 启动之后，查看 appsettings.json 文件内容是否成功被替换掉

   获取对应的 pod 名称，然后通过 kubectl exec <pod-name> cat /app/appsettings.json 来获取pod中 appsettings.json 文件的内容

   出现 connectionstrings 就证明文件被替换掉了，原始的配置文件里是没有 connectionstrings 节点的，原始的方式是通过从 azure keyvault 中加载的

reference

• https://github.com/weihanli/activityreservation