From b9a64ed658a4076d87f3da4d87d0f4073246f945 Mon Sep 17 00:00:00 2001
From: "xin.li"
Date: Tue, 10 Oct 2023 22:20:49 +0800
Subject: [PATCH] [zh-cn] sync configuration/secret
Signed-off-by: xin.li
---
 .../docs/concepts/configuration/secret.md | 269 +++---------------
 .../examples/secret/basicauth-secret.yaml | 8 +
 .../secret/bootstrap-token-secret-base64.yaml | 13 +
 .../bootstrap-token-secret-literal.yaml | 18 ++
 .../examples/secret/dockercfg-secret.yaml | 8 +
 .../zh-cn/examples/secret/dotfile-secret.yaml | 27 ++
 .../examples/secret/optional-secret.yaml | 17 ++
 .../secret/serviceaccount-token-secret.yaml | 9 +
 .../examples/secret/ssh-auth-secret.yaml | 9 +
 .../examples/secret/tls-auth-secret.yaml | 27 ++
 10 files changed, 175 insertions(+), 230 deletions(-)
 create mode 100644 content/zh-cn/examples/secret/basicauth-secret.yaml
 create mode 100644 content/zh-cn/examples/secret/bootstrap-token-secret-base64.yaml
 create mode 100644 content/zh-cn/examples/secret/bootstrap-token-secret-literal.yaml
 create mode 100644 content/zh-cn/examples/secret/dockercfg-secret.yaml
 create mode 100644 content/zh-cn/examples/secret/dotfile-secret.yaml
 create mode 100644 content/zh-cn/examples/secret/optional-secret.yaml
 create mode 100644 content/zh-cn/examples/secret/serviceaccount-token-secret.yaml
 create mode 100644 content/zh-cn/examples/secret/ssh-auth-secret.yaml
 create mode 100644 content/zh-cn/examples/secret/tls-auth-secret.yaml
diff --git a/content/zh-cn/docs/concepts/configuration/secret.md b/content/zh-cn/docs/concepts/configuration/secret.md
index a93cd9f2b9d0b..00b1ffb68865c 100644
--- a/content/zh-cn/docs/concepts/configuration/secret.md
+++ b/content/zh-cn/docs/concepts/configuration/secret.md
@@ -16,8 +16,8 @@ content_type: concept
 feature:
 title: Secret and configuration management
 description: >
- Deploy and update secrets and application configuration without rebuilding your image
- and without exposing secrets in your stack configuration.
+ Deploy and update Secrets and application configuration without rebuilding your image
+ and without exposing Secrets in your stack configuration.
 weight: 30
 -->
@@ -40,7 +40,7 @@ Because Secrets can be created independently of the Pods that use them, there is less risk of the Secret (and its data) being exposed during the workflow of creating, viewing, and editing Pods. Kubernetes, and applications that run in your cluster, can also take additional precautions with Secrets, such as avoiding
-writing secret data to nonvolatile storage.
+writing sensitive data to nonvolatile storage.
 Secrets are similar to {{< glossary_tooltip text="ConfigMaps" term_id="configmap" >}}
 but are specifically intended to hold confidential data.
@@ -48,7 +48,7 @@ but are specifically intended to hold confidential data.
 由于创建 Secret 可以独立于使用它们的 Pod, 因此在创建、查看和编辑 Pod 的工作流程中暴露 Secret(及其数据)的风险较小。
 Kubernetes 和在集群中运行的应用程序也可以对 Secret 采取额外的预防措施,
-例如避免将机密数据写入非易失性存储。
+例如避免将敏感数据写入非易失性存储。
 Secret 类似于 {{}} 但专门用于保存机密数据。
@@ -124,7 +124,7 @@ Kubernetes 控制面也使用 Secret;
 ### Use case: dotfiles in a secret volume
 You can make your data "hidden" by defining a key that begins with a dot.
-This key represents a dotfile or "hidden" file. For example, when the following secret
+This key represents a dotfile or "hidden" file. For example, when the following Secret
 is mounted into a volume, `secret-volume`, the volume will contain a single file, called `.secret-file`, and the `dotfile-test-container` will have this file present at the path `/etc/secret-volume/.secret-file`.
@@ -146,35 +146,7 @@ you must use `ls -la` to see them when listing directory contents.
 列举目录内容时你必须使用 `ls -la` 才能看到它们。
 {{< /note >}}
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: dotfile-secret
-data:
- .secret-file: dmFsdWUtMg0KDQo=
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: secret-dotfiles-pod
-spec:
- volumes:
- - name: secret-volume
- secret:
- secretName: dotfile-secret
- containers:
- - name: dotfile-test-container
- image: registry.k8s.io/busybox
- command:
- - ls
- - "-l"
- - "/etc/secret-volume"
- volumeMounts:
- - name: secret-volume
- readOnly: true
- mountPath: "/etc/secret-volume"
-```
+{{% code language="yaml" file="secret/dotfile-secret.yaml" %}}
 - 如果你的云原生组件需要执行身份认证来访问你所知道的、在同一 Kubernetes 集群中运行的另一个应用,
@@ -458,32 +430,7 @@ Secret 的其它字段,例如 `kubernetes.io/service-account.uid` 注解和
 下面的配置实例声明了一个 ServiceAccount 令牌 Secret:
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-sa-sample
- annotations:
- kubernetes.io/service-account.name: "sa-name"
-type: kubernetes.io/service-account-token
-data:
- # 你可以像 Opaque Secret 一样在这里添加额外的键/值偶对
- extra: YmFyCg==
-```
+{{% code language="yaml" file="secret/serviceaccount-token-secret.yaml" %}}
 下面是一个 `kubernetes.io/dockercfg` 类型 Secret 的示例:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-dockercfg
-type: kubernetes.io/dockercfg
-data:
- .dockercfg: |
- ""
-```
+{{% code language="yaml" file="secret/dockercfg-secret.yaml" %}}
 {{< note >}}
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-basic-auth
-type: kubernetes.io/basic-auth
-stringData:
- username: admin # kubernetes.io/basic-auth 类型的必需字段
- password: t0p-Secret # kubernetes.io/basic-auth 类型的必需字段
-```
+Secret 的 `stringData` 字段不能很好地与服务器端应用配合使用。
+{{< /note >}}
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-ssh-auth
-type: kubernetes.io/ssh-auth
-data:
- # 此例中的实际数据被截断
- ssh-privatekey: |
- MIIEpQIBAAKCAQEAulqb/Y ...
-```
+{{% code language="yaml" file="secret/ssh-auth-secret.yaml" %}}
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-tls
-type: kubernetes.io/tls
-stringData:
- # 此例中的数据被截断
- tls.crt: |
- --------BEGIN CERTIFICATE-----
- MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
- tls.key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
-```
+{{% code language="yaml" file="secret/tls-auth-secret.yaml" %}}
 你也可以在 Secret 的 `stringData` 字段中提供值,而无需对其进行 base64 编码:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
- # 注意 Secret 的命名方式
- name: bootstrap-token-5emitj
- # 启动引导令牌 Secret 通常位于 kube-system 名字空间
- namespace: kube-system
-type: bootstrap.kubernetes.io/token
-stringData:
- auth-extra-groups: "system:bootstrappers:kubeadm:default-node-token"
- expiration: "2020-09-13T04:39:10Z"
- # 此令牌 ID 被用于生成 Secret 名称
- token-id: "5emitj"
- token-secret: "kq4gihvszzgn1p0r"
- # 此令牌还可用于 authentication (身份认证)
- usage-bootstrap-authentication: "true"
- # 且可用于 signing (证书签名)
- usage-bootstrap-signing: "true"
-```
+{{% code language="yaml" file="secret/bootstrap-token-secret-literal.yaml" %}}
+
+{{< note >}}
+
+Secret 的 `stringData` 字段不能很好地与服务器端应用配合使用。
+{{< /note >}}
@@ -1127,24 +953,7 @@ Kubernetes ignores it.
 当你在 Pod 中引用 Secret 时,你可以将该 Secret 标记为**可选**,就像下面例子中所展示的那样。
 如果可选的 Secret 不存在,Kubernetes 将忽略它。
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
- name: mypod
-spec:
- containers:
- - name: mypod
- image: redis
- volumeMounts:
- mountPath: "/etc/foo"
- readOnly: true
- volumes:
- - name: foo
- secret:
- secretName: mysecret
- optional: true
-```
+{{% code language="yaml" file="secret/optional-secret.yaml" %}}
 ### 容器镜像拉取 Secret {#using-imagepullsecrets}
@@ -1311,8 +1120,8 @@ Secret 是在 Pod 层面来配置的。