|
| 1 | +--- |
| 2 | +title: 使用 kubectl 管理 Secret |
| 3 | +content_type: task |
| 4 | +weight: 10 |
| 5 | +description: 使用 kubectl 命令行创建 Secret 对象。 |
| 6 | +--- |
| 7 | +<!-- |
| 8 | +title: Managing Secret using kubectl |
| 9 | +content_type: task |
| 10 | +weight: 10 |
| 11 | +description: Creating Secret objects using kubectl command line. |
| 12 | +--> |
| 13 | + |
| 14 | +<!-- overview --> |
| 15 | + |
| 16 | +## {{% heading "prerequisites" %}} |
| 17 | + |
| 18 | +{{< include "task-tutorial-prereqs.md" >}} |
| 19 | + |
| 20 | +<!-- steps --> |
| 21 | + |
| 22 | +<!-- ## Create a Secret --> |
| 23 | +## 创建 Secret {#create-a-secret} |
| 24 | + |
| 25 | +<!-- |
| 26 | +A `Secret` can contain user credentials required by Pods to access a database. |
| 27 | +For example, a database connection string consists of a username and password. |
| 28 | +You can store the username in a file `./username.txt` and the password in a |
| 29 | +file `./password.txt` on your local machine. |
| 30 | + --> |
| 31 | +一个 `Secret` 可以包含 Pod 访问数据库所需的用户凭证。 |
| 32 | +例如,由用户名和密码组成的数据库连接字符串。 |
| 33 | +你可以在本地计算机上,将用户名存储在文件 `./username.txt` 中,将密码存储在文件 `./password.txt` 中。 |
| 34 | + |
| 35 | +```shell |
| 36 | +echo -n 'admin' > ./username.txt |
| 37 | +echo -n '1f2d1e2e67df' > ./password.txt |
| 38 | +``` |
| 39 | + |
| 40 | +<!-- |
| 41 | +The `-n` flag in the above two commands ensures that the generated files will |
| 42 | +not contain an extra newline character at the end of the text. This is |
| 43 | +important because when `kubectl` reads a file and encode the content into |
| 44 | +base64 string, the extra newline character gets encoded too. |
| 45 | +--> |
| 46 | +上面两个命令中的 `-n` 标志确保生成的文件在文本末尾不包含额外的换行符。 |
| 47 | +这一点很重要,因为当 `kubectl` 读取文件并将内容编码为 base64 字符串时,多余的换行符也会被编码。 |
| 48 | + |
| 49 | +<!-- |
| 50 | +The `kubectl create secret` command packages these files into a Secret and creates |
| 51 | +the object on the API server. |
| 52 | +--> |
| 53 | +`kubectl create secret` 命令将这些文件打包成一个 Secret 并在 API 服务器上创建对象。 |
| 54 | + |
| 55 | +```shell |
| 56 | +kubectl create secret generic db-user-pass \ |
| 57 | + --from-file=./username.txt \ |
| 58 | + --from-file=./password.txt |
| 59 | +``` |
| 60 | + |
| 61 | +<!-- The output is similar to: --> |
| 62 | +输出类似于: |
| 63 | + |
| 64 | +``` |
| 65 | +secret/db-user-pass created |
| 66 | +``` |
| 67 | + |
| 68 | +<!-- |
| 69 | +Default key name is the filename. You may optionally set the key name using |
| 70 | +`--from-file=[key=]source`. For example: |
| 71 | +--> |
| 72 | +默认密钥名称是文件名。 你可以选择使用 `--from-file=[key=]source` 来设置密钥名称。例如: |
| 73 | + |
| 74 | +```shell |
| 75 | +kubectl create secret generic db-user-pass \ |
| 76 | + --from-file=username=./username.txt \ |
| 77 | + --from-file=password=./password.txt |
| 78 | +``` |
| 79 | + |
| 80 | +<!-- |
| 81 | +You do not need to escape special characters in passwords from files |
| 82 | +(). |
| 83 | +--> |
| 84 | +你无需转义文件(`--from-file`)中的密码的特殊字符。 |
| 85 | + |
| 86 | +<!-- |
| 87 | +You can also provide Secret data using the `--from-literal=<key>=<value>` tag. |
| 88 | +This tag can be specified more than once to provide multiple key-value pairs. |
| 89 | +Note that special characters such as `$`, `\`, `*`, `=`, and `!` will be |
| 90 | +interpreted by your [shell](https://en.wikipedia.org/wiki/Shell_(computing)) |
| 91 | +and require escaping. |
| 92 | +In most shells, the easiest way to escape the password is to surround it with |
| 93 | +single quotes (`'`). For example, if your actual password is `S!B\*d$zDsb=`, |
| 94 | +you should execute the command this way: |
| 95 | +--> |
| 96 | +你还可以使用 `--from-literal=<key>=<value>` 标签提供 Secret 数据。 |
| 97 | +可以多次使用此标签,提供多个键值对。 |
| 98 | +请注意,特殊字符(例如:`$`,`\`,`*`,`=` 和 `!`)由你的 [shell](https://en.wikipedia.org/wiki/Shell_(computing)) 解释执行,而且需要转义。 |
| 99 | + |
| 100 | +```shell |
| 101 | +kubectl create secret generic dev-db-secret \ |
| 102 | + --from-literal=username=devuser \ |
| 103 | + --from-literal=password='S!B\*d$zDsb=' |
| 104 | +``` |
| 105 | + |
| 106 | +<!-- ## Verify the Secret --> |
| 107 | +## 验证 Secret {#verify-the-secret} |
| 108 | + |
| 109 | +<!-- You can check that the secret was created: --> |
| 110 | +你可以检查 secret 是否已创建: |
| 111 | + |
| 112 | +```shell |
| 113 | +kubectl get secrets |
| 114 | +``` |
| 115 | + |
| 116 | +<!-- The output is similar to: --> |
| 117 | +输出类似于: |
| 118 | + |
| 119 | +``` |
| 120 | +NAME TYPE DATA AGE |
| 121 | +db-user-pass Opaque 2 51s |
| 122 | +``` |
| 123 | + |
| 124 | +<!-- You can view a description of the `Secret`: --> |
| 125 | +你可以查看 `Secret` 的描述: |
| 126 | + |
| 127 | +```shell |
| 128 | +kubectl describe secrets/db-user-pass |
| 129 | +``` |
| 130 | + |
| 131 | +<!-- The output is similar to: --> |
| 132 | +输出类似于: |
| 133 | + |
| 134 | +``` |
| 135 | +Name: db-user-pass |
| 136 | +Namespace: default |
| 137 | +Labels: <none> |
| 138 | +Annotations: <none> |
| 139 | +
|
| 140 | +Type: Opaque |
| 141 | +
|
| 142 | +Data |
| 143 | +==== |
| 144 | +password.txt: 12 bytes |
| 145 | +username.txt: 5 bytes |
| 146 | +``` |
| 147 | + |
| 148 | +<!-- |
| 149 | +The commands `kubectl get` and `kubectl describe` avoid showing the contents |
| 150 | +of a `Secret` by default. This is to protect the `Secret` from being exposed |
| 151 | +accidentally to an onlooker, or from being stored in a terminal log. |
| 152 | +--> |
| 153 | +默认情况下,`kubectl get` 和 `kubectl describe` 命令可避免显示 `Secret` 的内容。 |
| 154 | +这是为了防止 `Secret` 被意外暴露给旁观者或存储在终端日志中。 |
| 155 | + |
| 156 | +<!-- ## Decoding the Secret {#decoding-secret} --> |
| 157 | +## 解码 Secret {#decoding-secret} |
| 158 | + |
| 159 | +<!-- |
| 160 | +To view the contents of the Secret we just created, you can run the following |
| 161 | +command: |
| 162 | +--> |
| 163 | +要查看我们刚刚创建的 Secret 的内容,可以运行以下命令: |
| 164 | + |
| 165 | +```shell |
| 166 | +kubectl get secret db-user-pass -o jsonpath='{.data}' |
| 167 | +``` |
| 168 | + |
| 169 | +<!-- The output is similar to: --> |
| 170 | +输出类似于: |
| 171 | + |
| 172 | +```json |
| 173 | +{"password.txt":"MWYyZDFlMmU2N2Rm","username.txt":"YWRtaW4="} |
| 174 | +``` |
| 175 | + |
| 176 | +<!-- Now you can decode the `password.txt` data: --> |
| 177 | +现在你可以解码 `password.txt` 的数据: |
| 178 | + |
| 179 | +```shell |
| 180 | +echo 'MWYyZDFlMmU2N2Rm' | base64 --decode |
| 181 | +``` |
| 182 | + |
| 183 | +<!-- The output is similar to: --> |
| 184 | +输出类似于: |
| 185 | + |
| 186 | +``` |
| 187 | +1f2d1e2e67df |
| 188 | +``` |
| 189 | + |
| 190 | +<!-- ## Clean Up --> |
| 191 | +## 清理 {#clean-up} |
| 192 | + |
| 193 | +<!-- To delete the Secret you have just created: --> |
| 194 | +删除刚刚创建的 Secret: |
| 195 | + |
| 196 | +```shell |
| 197 | +kubectl delete secret db-user-pass |
| 198 | +``` |
| 199 | + |
| 200 | +<!-- discussion --> |
| 201 | + |
| 202 | +## {{% heading "whatsnext" %}} |
| 203 | + |
| 204 | +<!-- |
| 205 | +- Read more about the [Secret concept](/docs/concepts/configuration/secret/) |
| 206 | +- Learn how to [manage Secret using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) |
| 207 | +- Learn how to [manage Secret using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) |
| 208 | +--> |
| 209 | +- 阅读更多有关 [Secret 概念](/docs/concepts/configuration/secret/) |
| 210 | +- 了解如何 [使用配置文件管理 Secret](/docs/tasks/configmap-secret/managing-secret-using-config-file/) |
| 211 | +- 了解如何 [使用 kustomize 管理 Secret](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) |
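Review bot: The Chinese text for the `--from-literal` paragraph (new-file lines 96-98) stops at "而且需要转义" and omits the last two sentences of the English source kept in the comment above it (lines 92-94). Those sentences say that in most shells the easiest way to escape the password is to surround it with single quotes, and that the command which follows is for the actual password `S!B\*d$zDsb=`. Without them, the single-quoted `--from-literal=password='S!B\*d$zDsb='` example at line 103 appears with no explanation of why the quotes are there, and a reader who drops them gets a value the shell has already interpreted. Please translate both sentences. Two smaller points at line 72: "密钥名称" reads as a cryptographic key, where the data key name ("键名") is meant, and there is a stray space after "。".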