kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
website/content/zh/docs/tasks/configmap-secret/managing-secret-using-kusto...

193 lines
6.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: 使用 Kustomize 管理 Secret
content_type: task
weight: 30
description: 使用 kustomization.yaml 文件创建 Secret 对象。
---
<!--
title: Managing Secrets using Kustomize
content_type: task
weight: 30
description: Creating Secret objects using kustomization.yaml file.
-->
<!-- overview -->
<!--
Since Kubernetes v1.14, `kubectl` supports
[managing objects using Kustomize](/docs/tasks/manage-kubernetes-objects/kustomization/).
Kustomize provides resource Generators to create Secrets and ConfigMaps. The
Kustomize generators should be specified in a `kustomization.yaml` file inside
a directory. After generating the Secret, you can create the Secret on the API
server with `kubectl apply`.
-->
从 kubernetes v1.14 开始,`kubectl` 支持[使用 Kustomize 管理对象](/zh/docs/tasks/manage-kubernetes-objects/kustomization/)。
Kustomize 提供了资源生成器Generators来创建 Secret 和 ConfigMap。
Kustomize 生成器应该在某个目录的 `kustomization.yaml` 文件中指定。
生成 Secret 后,你可以使用 `kubectl apply` 在 API 服务器上创建该 Secret。
## {{% heading "prerequisites" %}}
{{< include "task-tutorial-prereqs.md" >}}
<!-- steps -->
<!-- ## Create the Kustomization file -->
## 创建 Kustomization 文件 {#create-the-kustomization-file}
<!--
You can generate a Secret by defining a `secretGenerator` in a
`kustomization.yaml` file that references other existing files.
For example, the following kustomization file references the
`./username.txt` and the `./password.txt` files:
-->
你可以在 `kustomization.yaml` 中定义 `secreteGenerator`,并在定义中引用其他现成的文件,生成 Secret。
例如:下面的 kustomization 文件 引用了 `./username.txt``./password.txt` 文件:
```yaml
secretGenerator:
- name: db-user-pass
files:
- username.txt
- password.txt
```
<!--
You can also define the `secretGenerator` in the `kustomization.yaml`
file by providing some literals.
For example, the following `kustomization.yaml` file contains two literals
for `username` and `password` respectively:
-->
你也可以在 `kustomization.yaml` 文件中指定一些字面量定义 `secretGenerator`
例如:下面的 `kustomization.yaml` 文件中包含了 `username``password` 两个字面量:
```yaml
secretGenerator:
- name: db-user-pass
literals:
- username=admin
- password=1f2d1e2e67df
```
<!--
You can also define the `secretGenerator` in the `kustomization.yaml`
file by providing `.env` files.
For example, the following `kustomization.yaml` file pulls in data from
`.env.secret` file:
-->
你也可以使用 `.env` 文件在 `kustomization.yaml` 中定义 `secretGenerator`
例如:下面的 `kustomization.yaml` 文件从 `.env.secret` 文件获取数据。
```yaml
secretGenerator:
- name: db-user-pass
envs:
- .env.secret
```
<!--
Note that in all cases, you don't need to base64 encode the values.
-->
注意,上面两种情况,你都不需要使用 base64 编码。
<!-- ## Create the Secret -->
## 创建 Secret {#create-the-secret}
<!-- Apply the directory containing the `kustomization.yaml` to create the Secret. -->
使用 `kubectl apply` 命令应用包含 `kustomization.yaml` 文件的目录创建 Secret。
```shell
kubectl apply -k .
```
<!-- The output is similar to: -->
输出类似于:
```
secret/db-user-pass-96mffmfh4k created
```
<!--
Note that when a Secret is generated, the Secret name is created by hashing
the Secret data and appending the hash value to the name. This ensures that
a new Secret is generated each time the data is modified.
-->
请注意,生成 Secret 时Secret 的名称最终是由 `name` 字段和数据的哈希值拼接而成。
这将保证每次修改数据时生成一个新的 Secret。
<!-- ## Check the Secret created -->
## 检查创建的 Secret {#check-the-secret-created}
<!-- You can check that the secret was created: -->
你可以检查刚才创建的 Secret
```shell
kubectl get secrets
```
<!-- The output is similar to: -->
输出类似于:
```
NAME TYPE DATA AGE
db-user-pass-96mffmfh4k Opaque 2 51s
```
<!-- You can view a description of the secret: -->
你可以看到 Secret 的描述:
```shell
kubectl describe secrets/db-user-pass-96mffmfh4k
```
<!-- The output is similar to: -->
输出类似于:
```
Name: db-user-pass-96mffmfh4k
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 12 bytes
username.txt: 5 bytes
```
<!--
The commands `kubectl get` and `kubectl describe` avoid showing the contents of a `Secret` by
default. This is to protect the `Secret` from being exposed accidentally to an onlooker,
or from being stored in a terminal log.
To check the actual content of the encoded data, please refer to
[decoding secret](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret).
-->
`kubectl get``kubectl describe` 命令默认不显示 `Secret` 的内容。
这是为了防止 `Secret` 被意外暴露给旁观者或存储在终端日志中。
检查编码后的实际内容,请参考[解码 secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)。
-->
<!-- ## Clean Up -->
## 清理 {#clean-up}
<!-- To delete the Secret you have created: -->
删除你创建的 Secret
```shell
kubectl delete secret db-user-pass-96mffmfh4k
```
<!-- Optional section; add links to information related to this topic. -->
## {{% heading "whatsnext" %}}
<!--
- Read more about the [Secret concept](/docs/concepts/configuration/secret/)
- Learn how to [manage Secrets with the `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
- Learn how to [manage Secrets using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/)
-->
- 进一步阅读 [Secret 概念](/zh/docs/concepts/configuration/secret/)
- 了解如何[使用 `kubectl` 命令管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
- 了解如何[使用配置文件管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-config-file/)
Reference in New Issue View Git Blame Copy Permalink