DBセキュア接続設定とConfigmapでの環境変数の利用-DigitalOceanのkubernetes環境にwordpressを構築する04
DBセキュア接続設定とConfigmapでの環境変数の利用
DB接続証明書設定
GCEで作業
root@instance-1:~/work/mariadb-cert/cert# cat client-key.pem client-cert.pem ../ca.pem > gce-mariadb-pair.pemmysqlへのSSL接続を強制にする
root@instance-1:~# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5658
Server version: 10.11.4-MariaDB-1~deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> grant all on wordpress.* to wpuser@'%' identified by '*******' REQUIRE SSL;
Query OK, 0 rows affected (0.210 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.064 sec)
MariaDB [(none)]> show grants for wpuser@'%';
+-------------------------------------------------------------------------------------------------------------------+
| Grants for wpuser@% |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `wpuser`@`%` IDENTIFIED BY PASSWORD '***********************' REQUIRE SSL |
| GRANT ALL PRIVILEGES ON `wordpress`.* TO `wpuser`@`%` |
+-------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.015 sec)
MariaDB [(none)]> quit
Bye
root@instance-1:~# kubectl操作環境で作業
GCEで連結したクライアント証明書をコピー
ocarina@ab350-pro4:~$ scp root@GCE:work/mariadb-cert/cert/gce-mariadb-pair.pem /home/ocarina/work/doks-wp/.
gce-mariadb-pair.pem 100% 4157 41.8KB/s 00:00 証明書のconfigmapを作成
namespaceを利用するdeploymentのものとあわせないとnot foundとなります。
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl create configmap gce-mariadb-pair.pem -n doks-wp --from-file=/home/ocarina/work/doks-wp/gce-mariadb-pair.pem
configmap/gce-mariadb-pair.pem created
確認
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl get configmap -n doks-wp
NAME DATA AGE
gce-mariadb-pair.pem 1 53s
kube-root-ca.crt 1 20h
ocarina@ab350-pro4:~/work/doks-wp/k8s$
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl describe configmap/gce-mariadb-pair.pem -n doks-wp | tail
Dv2nOsE8+2XZzLmQfoV0Lz1sJgVdeLRVelDOJ55CHxpxqYFxr9VFM164U52TUr8i
QT76wWo4M1ezpiMdF0b/YC7Y77oWnnQRUqptJ13ZdrVZLz2Psq/qioO8gzyAB4P1
MVrso8fcdg==
-----END CERTIFICATE-----
BinaryData
====
Events: <none>証明書ファイルのマウント設定
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl get deployment -n doks-wp doks-wp-web -o yaml > Deployment-doks-wp-web.yamlocarina@ab350-pro4:~/work/doks-wp/k8s$ vi Deployment-doks-wp-web.yaml spec:
containers: # containersの下にvolumeMountsを追加
volumeMounts:
- mountPath: /tmp/volume-mariadb-ca # podのマウント先ディレクトリ名です。存在しなくてもOK
name: volume-mariadb-ca # Volumes.nameと合わせる
volumes: # containersと同レベルの階層にvolumesを追加
- configMap:
defaultMode: 420 # これは-o yamlしたら入っていた
name: gce-mariadb-pair.pem # configmap名
name: volume-mariadb-ca # VolumeMounts.nameと合わせる
反映
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl apply -f Deployment-doks-wp-web.yaml
deployment.apps/doks-wp-web configured確認
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl get pods -n doks-wp
NAME READY STATUS RESTARTS AGE
doks-wp-web-7cd4c8fdd4-qn7xm 1/1 Terminating 0 11h
doks-wp-web-c8fcb484f-s8mfw 1/1 Running 0 12s
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl describe pod/doks-wp-web-c8fcb484f-s8mfw -n doks-wp | grep -i configmap
Type: ConfigMap (a volume populated by a ConfigMap)
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl describe pod/doks-wp-web-c8fcb484f-s8mfw -n doks-wp | tail
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 62s default-scheduler Successfully assigned doks-wp/doks-wp-web-c8fcb484f-s8mfw to pool-8cmmja9n0-xkh01
Normal Pulled 61s kubelet Container image "registry.digitalocean.com/ocarina/doks-wp:0.0.2" already present on machine
Normal Created 59s kubelet Created container doks-wp
Normal Started 59s kubelet Started container doks-wp
ocarina@ab350-pro4:~/work/doks-wp/k8s$
ocarina@ab350-pro4:~/work/doks-wp/k8s$ kubectl exec -it pods/doks-wp-web-77847c96b8-4zfs6 -n doks-wp -- /bin/bash
root@doks-wp-web-77847c96b8-4zfs6:/var/www/html# ls -la /tmp/volume-gce-mariadb-ca/
total 12
drwxrwxrwx 3 root root 4096 Dec 31 01:55 .
drwxrwxrwt 1 root root 4096 Dec 31 01:55 ..
drwxr-xr-x 2 root root 4096 Dec 31 01:55 ..2023_12_31_01_55_54.2402299734
lrwxrwxrwx 1 root root 32 Dec 31 01:55 ..data -> ..2023_12_31_01_55_54.2402299734
lrwxrwxrwx 1 root root 27 Dec 31 01:55 gce-mariadb-pair.pem -> ..data/gce-mariadb-pair.pem
root@doks-wp-web-77847c96b8-4zfs6:/var/www/html# ls -la /tmp/volume-gce-mariadb-ca/gce-mariadb-pair.pem
lrwxrwxrwx 1 root root 27 Dec 31 01:55 /tmp/volume-gce-mariadb-ca/gce-mariadb-pair.pem -> ..data/gce-mariadb-pair.pem
root@doks-wp-web-77847c96b8-4zfs6:/var/www/html# tail /tmp/volume-gce-mariadb-ca/gce-mariadb-pair.pem
/tOQpT4oG1sDGBjlJ4U5EMhK2lMuI8O84QIDAQABo1MwUTAdBgNVHQ4EFgQUcrgr
qAt2qJv+DvPgd+LB19Xl3hkwHwYDVR0jBBgwFoAUcrgrqAt2qJv+DvPgd+LB19Xl
3hkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAmMqXFYqBDG9o
F1x5oSusxJLiHqlLT4WUOgvC+63Iytz3Of9MouycgzZ7OvHmjpWjHPwe3HXE/HXN
WhvS8cVZay6q2A9VKsM1kB9a1yqhRg3YjOmjR/vhgm3CMVmu1wSX85qcmL0UibPf
adS8bxjs2zPLvdM7/qf50NLl7nADWCdS4FXvQOOmLfEwfaXnPG+Iu347MSxpGQg+
Dv2nOsE8+2XZzLmQfoV0Lz1sJgVdeLRVelDOJ55CHxpxqYFxr9VFM164U52TUr8i
QT76wWo4M1ezpiMdF0b/YC7Y77oWnnQRUqptJ13ZdrVZLz2Psq/qioO8gzyAB4P1
MVrso8fcdg==
-----END CERTIFICATE-----
root@doks-wp-web-77847c96b8-4zfs6:/var/www/html# configmapに登録した環境変数をpodで使えるようにする
https://kubernetes.io/ja/docs/tasks/configure-pod-container/configure-pod-configmap/
環境変数ファイルをconfigmapへ登録する
cd ~/work/doks-wp/dev/k8s/ocarina@ab350-pro4:~$ cat ConfigMap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: env-dev-config
namespace: doks-wp
data:
DB_NAME: dev_wordpress
DB_USER: wpuser
DB_PASSWORD: *********
DB_HOST: *******:*****
MYSQL_SSL_CA: /tmp/volume-mariadb-ca/gce-mariadb-pair.pem
WP_REDIS_SCHEME: tcp
WP_REDIS_HOST: ************
WP_REDIS_PASSWORD: ************
WP_REDIS_PORT: "6379"
ocarina@ab350-pro4:~$
REDIS_HOSTはsvcのredis-masterのCLUSTER-IPを指定する
ocarina@ab350-pro4:~/work/doks-wp/prod/k8s/ignore$ kubectl get svc -n redis
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
redis-headless ClusterIP None <none> 6379/TCP 8d
redis-master ClusterIP 10.245.96.144 <none> 6379/TCP 8dkubectl apply -f ConfigMap.yamlメモ
configmapの更新
kubectl get configmap/env-prod-config -n doks-wp -o yaml > ConfigMap.yaml.bkkubectl edit configmap/env-prod-config -n doks-wpappのpodも再起動
ocarina@ab350-pro4:~/work/doks-wp/prod/k8s/ignore$ kubectl -n doks-wp rollout restart deployment/doks-wp-dev-web
deployment.apps/doks-wp-dev-web restarted
ocarina@ab350-pro4:~/work/doks-wp/prod/k8s/ignore$ kubectl -n doks-wp rollout restart deployment/doks-wp-prod-web
deployment.apps/doks-wp-prod-web restarted下記で出来ますが、warningも出るので、editもしくはyamlファイルを作ってapplyしたほうが良さそうです。
kubectl create configmap doks-wp-dev-env-config -n doks-wp --from-file=/home/ocarina/work/doks-wp/dev/env --save-config --dry-run=client -o yaml | kubectl apply -f -
Warning: resource configmaps/doks-wp-dev-env-config is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
configmap/doks-wp-dev-env-config configuredconfigmapをdeploymentへ追加する
ocarina@ab350-pro4:~/work/wordpress.docker$ kubectl get deployment -n doks-wp doks-wp-web -o yaml > ~/work/doks-wp/k8s/Deployment-doks-wp-web.yaml
ocarina@ab350-pro4:~/work/wordpress.docker$ vi ~/work/doks-wp/k8s/Deployment-doks-wp-web.yaml # 先程追加したvolumeMountsと同じ階層に追加します。
envFrom:
- configMapRef:
name: env-dev-config反映
ocarina@ab350-pro4:~/work/wordpress.docker$ kubectl apply -f ~/work/doks-wp/k8s/Deployment-doks-wp-web.yaml
deployment.apps/doks-wp-web configured確認
ocarina@ab350-pro4:~/work/doks-wp/dev/k8s$ kubectl get pods -n doks-wp
NAME READY STATUS RESTARTS AGE
doks-wp-dev-web-b8d5994cb-tr9dc 1/1 Running 0 3h3m
ocarina@ab350-pro4:~/work/doks-wp/dev/k8s$ kubectl exec -it pods/doks-wp-dev-web-b8d5994cb-tr9dc -n doks-wp -- /bin/bash
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# env|grep REDIS
WP_REDIS_PASSWORD=****
WP_REDIS_PORT=6379
WP_REDIS_HOST=10.244.0.116
WP_REDIS_SCHEME=tcp
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# echo $WP_REDIS_HOST
10.244.0.116
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# env|grep DB
DB_PASSWORD=****
DB_USER=****
DB_HOST=****:****
DB_NAME=****
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# echo $DB_HOST
****:****
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# env|grep SSL
MYSQL_SSL_CA=/tmp/volume-mariadb-ca/gce-mariadb-pair.pem
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# ls -l $MYSQL_SSL_CA
lrwxrwxrwx 1 root root 27 Jan 1 07:56 /tmp/volume-mariadb-ca/gce-mariadb-pair.pem -> ..data/gce-mariadb-pair.pem
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html#
root@doks-wp-dev-web-b8d5994cb-tr9dc:/var/www/html# exit
exit
ocarina@ab350-pro4:~/work/doks-wp/dev/k8s$