install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/configmap-secret" ~/.claude/skills/majiayu000-claude-skill-registry-configmap-secret && rm -rf "$T"
manifest:
skills/data/configmap-secret/SKILL.mdsource content
ConfigMap 与 Secret
概述
配置管理、敏感信息处理等技能。
ConfigMap
创建 ConfigMap
# 从字面值创建 kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2 # 从文件创建 kubectl create configmap my-config --from-file=config.properties kubectl create configmap my-config --from-file=my-key=config.properties # 从目录创建 kubectl create configmap my-config --from-file=config-dir/ # 从环境文件创建 kubectl create configmap my-config --from-env-file=env.properties
ConfigMap YAML
apiVersion: v1 kind: ConfigMap metadata: name: my-config data: # 简单键值对 database_url: "mysql://localhost:3306/mydb" log_level: "info" # 多行配置文件 nginx.conf: | server { listen 80; server_name localhost; location / { root /usr/share/nginx/html; } } # JSON 配置 config.json: | { "debug": true, "port": 8080 }
使用 ConfigMap
环境变量方式
spec: containers: - name: app env: # 单个键 - name: DATABASE_URL valueFrom: configMapKeyRef: name: my-config key: database_url # 所有键 envFrom: - configMapRef: name: my-config
挂载为文件
spec: containers: - name: app volumeMounts: - name: config-volume mountPath: /etc/config volumes: - name: config-volume configMap: name: my-config # 可选:指定特定键 items: - key: nginx.conf path: nginx.conf
挂载为单个文件(不覆盖目录)
spec: containers: - name: app volumeMounts: - name: config-volume mountPath: /etc/app/config.json subPath: config.json volumes: - name: config-volume configMap: name: my-config
Secret
创建 Secret
# 从字面值创建 kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=secret123 # 从文件创建 kubectl create secret generic my-secret --from-file=ssh-privatekey=~/.ssh/id_rsa # TLS Secret kubectl create secret tls tls-secret --cert=cert.pem --key=key.pem # Docker Registry Secret kubectl create secret docker-registry regcred \ --docker-server=registry.example.com \ --docker-username=user \ --docker-password=password \ --docker-email=user@example.com
Secret YAML
apiVersion: v1 kind: Secret metadata: name: my-secret type: Opaque data: # Base64 编码 username: YWRtaW4= password: c2VjcmV0MTIz --- # 使用 stringData(自动编码) apiVersion: v1 kind: Secret metadata: name: my-secret type: Opaque stringData: username: admin password: secret123
Secret 类型
# Opaque(默认) type: Opaque # TLS type: kubernetes.io/tls data: tls.crt: <base64> tls.key: <base64> # Docker Registry type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: <base64> # Basic Auth type: kubernetes.io/basic-auth data: username: <base64> password: <base64> # SSH Auth type: kubernetes.io/ssh-auth data: ssh-privatekey: <base64>
使用 Secret
环境变量方式
spec: containers: - name: app env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: my-secret key: password envFrom: - secretRef: name: my-secret
挂载为文件
spec: containers: - name: app volumeMounts: - name: secret-volume mountPath: /etc/secrets readOnly: true volumes: - name: secret-volume secret: secretName: my-secret defaultMode: 0400
镜像拉取凭证
spec: imagePullSecrets: - name: regcred containers: - name: app image: registry.example.com/myapp:latest
操作命令
# 查看 ConfigMap kubectl get configmap kubectl describe configmap my-config kubectl get configmap my-config -o yaml # 查看 Secret kubectl get secret kubectl describe secret my-secret kubectl get secret my-secret -o yaml # 解码 Secret kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d # 编辑 kubectl edit configmap my-config kubectl edit secret my-secret # 删除 kubectl delete configmap my-config kubectl delete secret my-secret
常见场景
场景 1:应用配置热更新
# 使用 ConfigMap 挂载(自动更新) spec: containers: - name: app volumeMounts: - name: config mountPath: /etc/config volumes: - name: config configMap: name: my-config # 注意:subPath 挂载不会自动更新
场景 2:多环境配置
# 创建不同环境的 ConfigMap kubectl create configmap app-config-dev --from-file=config-dev/ kubectl create configmap app-config-prod --from-file=config-prod/ # 在 Deployment 中引用 # 通过 Kustomize 或 Helm 管理不同环境
场景 3:外部 Secret 管理
# 使用 External Secrets Operator apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: my-external-secret spec: refreshInterval: 1h secretStoreRef: name: aws-secrets-manager kind: SecretStore target: name: my-secret data: - secretKey: password remoteRef: key: prod/db/password
场景 4:配置文件模板
apiVersion: v1 kind: ConfigMap metadata: name: app-config data: application.yaml: | server: port: ${SERVER_PORT:8080} database: url: ${DATABASE_URL} username: ${DATABASE_USER}
最佳实践
# 1. 不要在 Git 中存储 Secret # 使用 Sealed Secrets 或 External Secrets # 2. 限制 Secret 访问权限 # 使用 RBAC 控制 # 3. 定期轮换 Secret # 使用自动化工具 # 4. 使用 immutable ConfigMap/Secret(K8s 1.21+)
apiVersion: v1 kind: ConfigMap metadata: name: immutable-config immutable: true data: key: value
故障排查
| 问题 | 排查方法 |
|---|---|
| 配置未更新 | 检查是否使用 subPath、重启 Pod |
| Secret 解码错误 | 检查 Base64 编码是否正确 |
| 权限问题 | 检查 defaultMode、RBAC |
| 挂载失败 | 检查 ConfigMap/Secret 是否存在 |
# 检查挂载 kubectl exec pod-name -- ls -la /etc/config kubectl exec pod-name -- cat /etc/config/key # 检查环境变量 kubectl exec pod-name -- env | grep KEY