Difference between revisions of "Kubernetes/ConfigMap and Secrets"
m (Pio2pio moved page Kubernetes/ConfigMap to Kubernetes/ConfigMap and Secrets without leaving a redirect: more relevant title) |
|||
| Line 78: | Line 78: | ||
Deploy | Deploy configMap | ||
<source lang=bash> | <source lang=bash> | ||
kubectl apply -f configmap-pod.yaml | kubectl apply -f configmap-pod.yaml | ||
kubectl logs configmap-pod #Get the logs from the pod displaying the value | kubectl logs configmap-pod #Get the logs from the pod displaying the value | ||
</source> | </source> | ||
Another way to provide values from a ConfigMap is to mount as a container's volume. The keys you can see within the container | Another way to provide values from a ConfigMap is to mount as a container's volume. The keys you can see within the container | ||
| Line 91: | Line 92: | ||
= Secrets = | |||
Secrets types: | |||
<source> | |||
SecretType = "Opaque" // Opaque (arbitrary data; default) | |||
SecretType = "kubernetes.io/service-account-token" // Kubernetes auth token | |||
SecretType = "kubernetes.io/dockercfg" // Docker registry auth | |||
SecretType = "kubernetes.io/dockerconfigjson" // Latest Docker registry auth | |||
</source> | |||
Create a secret | |||
<source lang=bash> | |||
kubectl create secret generic user-creds --from-literal=pass=pass123 --from-literal=user=john --save-config -oyaml --dry-run=true --type=Opaque > secrets.yaml | |||
</source> | |||
<syntaxhighlightjs lang=yaml> | |||
apiVersion: v1 | |||
kind: Secret | |||
metadata: | |||
creationTimestamp: null | |||
name: user-creds | |||
data: # keys contain b64 encoded values | |||
pass: cGFzczEyMw== | |||
user: am9obg== | |||
type: Opaque | |||
</syntaxhighlightjs> | |||
Another secret. <code>stringData:</code> specifying non-binary secret data in string form. It is provided as a write-only convenience method. All keys and values are merged into the data field on write. | |||
<syntaxhighlightjs lang=yaml> | <syntaxhighlightjs lang=yaml> | ||
apiVersion: v1 | apiVersion: v1 | ||
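Review bot: the added `kubectl create secret` line puts the password on the command line (`--from-literal=pass=pass123`), where it is kept in shell history; a short remark beside the command, or a `--from-file` variant, would help readers who copy it. The new comment on `data:` (`# keys contain b64 encoded values`) should say that it is the values that are base64-encoded and that this is encoding only, so the generated `secrets.yaml` holds recoverable credentials. `--dry-run=true` is the boolean form that newer kubectl releases replace with `--dry-run=client`.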
| Line 97: | Line 125: | ||
metadata: | metadata: | ||
name: kube-secret | name: kube-secret | ||
stringData: | stringData: # literal string, keys' values will be b64 encoded on write | ||
cert: 1234abc | cert: 1234abc | ||
key: ca.crt | key: ca.crt | ||
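Review bot: under `stringData:` the context line `key: ca.crt` stores the six-character string `ca.crt`, not the contents of a file of that name, which the `cert`/`key` naming invites readers to assume; a comment saying so, or an obviously literal sample value, would avoid that. The added comment could also state that `stringData` is not returned on read, which is what "write-only" in the paragraph above it means.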
Revision as of 19:49, 20 October 2019
A ConfigMap object lets you manage an application's configuration using Kubernetes primitives. The command below generates the YAML that follows:
<source lang=bash>
kubectl create configmap my-config-map --namespace=web -oyaml --dry-run > config-map.yml
</source>
<syntaxhighlightjs lang=yaml>
apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: my-config-map
  namespace: web
data: # added when editing
  myKey: myValue1
  anotherKey: myValue2
</syntaxhighlightjs>
As an environment variable:
<syntaxhighlightjs lang=yaml>
apiVersion: v1
kind: Pod
metadata:
  name: configmap-kube
spec:
  containers:
  - name: nginx
    image: nginx
    command: ['sh', '-c', "echo $(VAR) && sleep 600"]
    env:
    - name: VAR
      valueFrom:
        configMapKeyRef:
          name: kubeapp-config
          key: value1
</syntaxhighlightjs>
Mounted volume:
<syntaxhighlightjs lang=yaml>
apiVersion: v1
kind: Pod
metadata:
  name: configmap-volume-kube
spec:
  containers:
  - name: nginx
    image: nginx
    command: ['sh', '-c', "echo $(cat /etc/config/myKey) && sleep 3600"]
    volumeMounts:
    - name: configmapvolume
      mountPath: /etc/config   # this will be a directory
  volumes:
  - name: configmapvolume
    configMap:                 # each key becomes a file name
      name: kubeapp-config     # with the value as its content
</syntaxhighlightjs>
Secrets mounted volume:
<syntaxhighlightjs lang=yaml>
apiVersion: v1
kind: Pod
metadata:
  name: kube-secret-volume-pod
spec:
  containers:
  - name: nginx
    image: nginx
    # MY_VAR is not defined in this manifest; the secret's keys appear as files under /etc/certs
    command: ['sh', '-c', "echo $(MY_VAR) && sleep 3600"]
    volumeMounts:
    - name: secretvolume
      mountPath: /etc/certs
  volumes:
  - name: secretvolume
    secret:
      secretName: kube-secret
</syntaxhighlightjs>
Deploy configMap
<source lang=bash>
kubectl apply -f configmap-pod.yaml
kubectl logs configmap-pod #Get the logs from the pod displaying the value
</source>
Another way to provide values from a ConfigMap is to mount it as a volume in the container. Each key is then visible as a file inside the container:
<source lang=bash>
kubectl exec configmaps-volume-kube -- ls /etc/config
kubectl exec configmaps-volume-kube -- cat /etc/config/key1
</source>
= Secrets =
Secret types:
<source>
SecretType = "Opaque"                              // Opaque (arbitrary data; default)
SecretType = "kubernetes.io/service-account-token" // Kubernetes auth token
SecretType = "kubernetes.io/dockercfg"             // Docker registry auth
SecretType = "kubernetes.io/dockerconfigjson"      // Latest Docker registry auth
</source>
Create a secret
<source lang=bash>
kubectl create secret generic user-creds --from-literal=pass=pass123 --from-literal=user=john --save-config -oyaml --dry-run=true --type=Opaque > secrets.yaml
</source>
<syntaxhighlightjs lang=yaml>
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: user-creds
data: # keys contain b64 encoded values
  pass: cGFzczEyMw==
  user: am9obg==
type: Opaque
</syntaxhighlightjs>
Another secret. <code>stringData:</code> specifies non-binary secret data in string form. It is provided as a write-only convenience field: all keys and values are merged into the <code>data</code> field on write.
<syntaxhighlightjs lang=yaml>
apiVersion: v1
kind: Secret
metadata:
  name: kube-secret
stringData: # literal string, keys' values will be b64 encoded on write
  cert: 1234abc
  key: ca.crt
</syntaxhighlightjs>
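Added example, not part of the original page or of Kubernetes itself: a Python model of what the two Secret manifests above become on write, and of what anyone who can read the stored object or the YAML file recovers. The dict literals are constructed from this page's manifests; the function names <code>merge_string_data</code> and <code>decode_data</code> are hypothetical.

```python
import base64
import binascii

# Constructed from the two manifests on this page.
USER_CREDS = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "user-creds"},
    "data": {"pass": "cGFzczEyMw==", "user": "am9obg=="},
}
KUBE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "kube-secret"},
    "stringData": {"cert": "1234abc", "key": "ca.crt"},
}


def merge_string_data(secret):
    """Model the write path: stringData is base64-encoded into data,
    overwrites any data key of the same name, and is not stored itself."""
    stored = {k: v for k, v in secret.items() if k != "stringData"}
    data = dict(secret.get("data", {}))
    for key, text in secret.get("stringData", {}).items():
        data[key] = base64.b64encode(text.encode("utf-8")).decode("ascii")
    stored["data"] = data
    stored.setdefault("type", "Opaque")  # Opaque is the default type
    return stored


def decode_data(secret):
    """Return the plaintext of every data value. No key is involved:
    base64 is an encoding, so read access to the object or to the
    YAML file is read access to the credentials."""
    plain = {}
    for key, b64 in secret.get("data", {}).items():
        try:
            plain[key] = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"data[{key!r}] is not valid base64") from exc
    return plain


if __name__ == "__main__":
    print(decode_data(USER_CREDS))
    print(merge_string_data(KUBE_SECRET)["data"])
```
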
Create secrets
<source lang=bash>
kubectl apply -f secrets.yaml
kubectl describe secrets appsecret
Name:         kube-secret
Namespace:    default
Labels:       <none>
Annotations:
Type:         Opaque

Data
====
cert:  5 bytes
key:   5 bytes
</source>