configmap-secret


ConfigMap and Secret

Overview

Skills for configuration management and for handling sensitive data.

ConfigMap

Creating a ConfigMap

From literal values

```bash
kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2
```

From a file

```bash
kubectl create configmap my-config --from-file=config.properties
kubectl create configmap my-config --from-file=my-key=config.properties
```

From a directory

```bash
kubectl create configmap my-config --from-file=config-dir/
```

From an env file

```bash
kubectl create configmap my-config --from-env-file=env.properties
```

ConfigMap YAML

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
data:
  # simple key/value pairs
  database_url: "mysql://localhost:3306/mydb"
  log_level: "info"
  # multi-line configuration file
  nginx.conf: |
    server {
      listen 80;
      server_name localhost;
      location / {
        root /usr/share/nginx/html;
      }
    }
  # JSON configuration
  config.json: |
    {
      "debug": true,
      "port": 8080
    }
```

Using a ConfigMap

As environment variables

```yaml
spec:
  containers:
    - name: app
      env:
        # a single key
        - name: DATABASE_URL
          valueFrom:
            configMapKeyRef:
              name: my-config
              key: database_url
      # all keys
      envFrom:
        - configMapRef:
            name: my-config
```

Mounted as files

```yaml
spec:
  containers:
    - name: app
      volumeMounts:
        - name: config-volume
          mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: my-config
        # optional: project only specific keys
        items:
          - key: nginx.conf
            path: nginx.conf
```

Mounted as a single file (without hiding the rest of the directory)

```yaml
spec:
  containers:
    - name: app
      volumeMounts:
        - name: config-volume
          mountPath: /etc/app/config.json
          subPath: config.json
  volumes:
    - name: config-volume
      configMap:
        name: my-config
```

Secret

Creating a Secret

From literal values

```bash
kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=secret123
```

From a file

```bash
kubectl create secret generic my-secret --from-file=ssh-privatekey=~/.ssh/id_rsa
```

TLS Secret

```bash
kubectl create secret tls tls-secret --cert=cert.pem --key=key.pem
```

Docker registry Secret

```bash
kubectl create secret docker-registry regcred \
  --docker-server=registry.example.com \
  --docker-username=user \
  --docker-password=password \
  --docker-email=user@example.com
```

Secret YAML

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  # Base64-encoded values
  username: YWRtaW4=
  password: c2VjcmV0MTIz
```

Using stringData (encoded automatically)

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
stringData:
  username: admin
  password: secret123
```
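To make the relationship between data and stringData concrete, here is an added example that is not part of the original skill: a Python helper that folds stringData into data the way the API server does on write (stringData wins when both name the same key), rejects hand-encoded data values that are not valid Base64, and decodes a Secret back to text. The manifest is a constructed Python dict (the JSON form of the YAML above), and the function names are assumptions of this example.

```python
import base64
import binascii


def normalize_secret(manifest):
    """Return a copy of a Secret manifest with stringData folded into data.

    Every data value is checked to be valid, padded Base64 so a bad
    hand-encoded value is caught before `kubectl apply`; every stringData
    value is Base64-encoded into data, overriding a same-named data key.
    """
    if manifest.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    data = dict(manifest.get("data") or {})
    for key, value in data.items():
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"data.{key} is not valid base64: {exc}") from None
    for key, value in (manifest.get("stringData") or {}).items():
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    out = {k: v for k, v in manifest.items() if k != "stringData"}
    out["data"] = data
    return out


def decode_secret(manifest):
    """Decode all data values back to text, like `-o jsonpath | base64 -d`."""
    return {k: base64.b64decode(v, validate=True).decode("utf-8")
            for k, v in normalize_secret(manifest)["data"].items()}


# Constructed sample mixing both forms; values match the page's YAML.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "my-secret"}, "type": "Opaque",
    "data": {"username": "YWRtaW4="},
    "stringData": {"password": "secret123"},
}

if __name__ == "__main__":
    print(normalize_secret(SAMPLE_SECRET)["data"])
    print(decode_secret(SAMPLE_SECRET))
```

A value with missing padding (for example `YWRtaW4` instead of `YWRtaW4=`) raises a ValueError, which is the "Secret decode error" case from the troubleshooting table.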

Secret types

Opaque (default)

```yaml
type: Opaque
```

TLS

```yaml
type: kubernetes.io/tls
data:
  tls.crt: <base64>
  tls.key: <base64>
```

Docker registry

```yaml
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64>
```

Basic auth

```yaml
type: kubernetes.io/basic-auth
data:
  username: <base64>
  password: <base64>
```

SSH auth

```yaml
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64>
```

Using a Secret

As environment variables

```yaml
spec:
  containers:
    - name: app
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password
      envFrom:
        - secretRef:
            name: my-secret
```

Mounted as files

```yaml
spec:
  containers:
    - name: app
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secrets
          readOnly: true
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret
        defaultMode: 0400
```

Image pull credentials

```yaml
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: app
      image: registry.example.com/myapp:latest
```

Operational commands

Inspect a ConfigMap

```bash
kubectl get configmap
kubectl describe configmap my-config
kubectl get configmap my-config -o yaml
```

Inspect a Secret

```bash
kubectl get secret
kubectl describe secret my-secret
kubectl get secret my-secret -o yaml
```

Decode a Secret

```bash
kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d
```

Edit

```bash
kubectl edit configmap my-config
kubectl edit secret my-secret
```

Delete

```bash
kubectl delete configmap my-config
kubectl delete secret my-secret
```

Common scenarios

Scenario 1: hot-reloading application configuration

Mount the ConfigMap as a volume (updated automatically)

```yaml
spec:
  containers:
    - name: app
      volumeMounts:
        - name: config
          mountPath: /etc/config
  volumes:
    - name: config
      configMap:
        name: my-config
```

Note: a subPath mount is not updated automatically.
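The following is an added example, not part of the original skill: a small lint that checks a Pod spec for the points raised in the Secret mount section (readOnly, defaultMode) and in the subPath note above, plus envFrom secretRef, which copies every key of the Secret into the container environment. The Pod spec is a constructed Python dict (the JSON form of the YAML), lint_pod_spec is a hypothetical helper name, and the 0644 fallback is the default Kubernetes applies when defaultMode is omitted.

```python
def lint_pod_spec(spec):
    """Return findings for a Pod spec given as a dict (JSON form of the YAML).

    Flags Secret volumes mounted without readOnly or with a defaultMode that
    leaves group/other bits set, subPath mounts (never hot-updated), mounts
    with no matching volume, and envFrom secretRef.
    """
    findings = []
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"])
            if vol is None:
                findings.append(f"{c['name']}: mount {m['name']} has no matching volume")
                continue
            if "subPath" in m and ("configMap" in vol or "secret" in vol):
                findings.append(f"{c['name']}: {m['mountPath']} uses subPath, "
                                f"updates to {m['name']} will not propagate")
            if "secret" in vol:
                if not m.get("readOnly"):
                    findings.append(f"{c['name']}: secret mount {m['mountPath']} is not readOnly")
                mode = vol["secret"].get("defaultMode", 0o644)  # Kubernetes default
                if mode & 0o077:
                    findings.append(f"volume {m['name']}: defaultMode {mode:04o} "
                                    "is readable by group/other")
        for e in c.get("envFrom", []):
            if "secretRef" in e:
                findings.append(f"{c['name']}: envFrom exposes every key of "
                                f"secret {e['secretRef']['name']}")
    return findings


# Constructed Pod spec combining the page's mount examples, with the
# hardening settings deliberately left out so the lint has something to find.
SAMPLE_SPEC = {
    "containers": [{
        "name": "app",
        "volumeMounts": [
            {"name": "secret-volume", "mountPath": "/etc/secrets"},
            {"name": "config-volume", "mountPath": "/etc/app/config.json",
             "subPath": "config.json"},
        ],
        "envFrom": [{"secretRef": {"name": "my-secret"}}],
    }],
    "volumes": [
        {"name": "secret-volume", "secret": {"secretName": "my-secret"}},
        {"name": "config-volume", "configMap": {"name": "my-config"}},
    ],
}
```

Running lint_pod_spec(SAMPLE_SPEC) yields four findings; the hardened form from the Secret section (readOnly: true, defaultMode 0400, no subPath, no envFrom) yields none.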

Scenario 2: per-environment configuration

Create a ConfigMap for each environment

```bash
kubectl create configmap app-config-dev --from-file=config-dev/
kubectl create configmap app-config-prod --from-file=config-prod/
```

Reference it from the Deployment

Manage the environments with Kustomize or Helm.

Scenario 3: external Secret management

Using External Secrets Operator

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: my-secret
  data:
    - secretKey: password
      remoteRef:
        key: prod/db/password
```

Scenario 4: configuration file templates

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  application.yaml: |
    server:
      port: ${SERVER_PORT:8080}
    database:
      url: ${DATABASE_URL}
      username: ${DATABASE_USER}
```

Best practices

1. Do not store Secrets in Git

Use Sealed Secrets or External Secrets.

2. Restrict access to Secrets

Control access with RBAC.

3. Rotate Secrets regularly

Use automation tooling.

4. Use immutable ConfigMaps/Secrets (K8s 1.21+)

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: immutable-config
immutable: true
data:
  key: value
```

Troubleshooting

| Problem | How to check |
|---|---|
| Configuration not updated | Check whether a subPath mount is used; restart the Pod |
| Secret decode error | Check that the Base64 encoding is correct |
| Permission problem | Check defaultMode and RBAC |
| Mount failure | Check that the ConfigMap/Secret exists |

Check the mount

```bash
kubectl exec pod-name -- ls -la /etc/config
kubectl exec pod-name -- cat /etc/config/key
```

Check environment variables

```bash
kubectl exec pod-name -- env | grep KEY
```
