Kubernetes/ConfigMap and Secrets

From Ever changing code
Jump to navigation Jump to search

ConfigMap object allows to manage application's configuration using Kubernetes primitives. YAML below: 

kubectl create configmap my-config-map --namespace=web -oyaml --dry-run > config-map.yml

<syntaxhighlightjs lang=yaml> apiVersion: v1 kind: ConfigMap metadata: 

 creationTimestamp: null
 name: my-config-map
 namespace: web

data: # added when editing 

 myKey: myValue1
 anotherKey: myValue2

</syntaxhighlightjs>


ConfigMap
As a environment Mounted volume Secrets mounted volume
<syntaxhighlightjs lang=yaml>

apiVersion: v1 kind: Pod metadata: 

 name: kube-configmap

spec: 

 containers:
 - name: nginx
   image: nginx
   command: ['sh', '-c', "echo $(VAR) && sleep 600"]
   env:
   - name: VAR
     valueFrom:
       configMapKeyRef:
         name: kubeapp-config
         key: value1

</syntaxhighlightjs>

<syntaxhighlightjs lang=yaml>apiVersion: v1

kind: Pod metadata: 

 name: configmap-volume-kube

spec: 

 containers:
 - name: nginx
   image: nginx
   command: ['sh', '-c', "echo $(cat /etc/config/myKey && sleep 3600"]
   volumeMounts:
     - name: configmapvolume
       mountPath: /etc/config # this will be a directory
 volumes:
   - name: configmapvolume
     configMap:               # key will be a file name
       name: kube-configmap   # with value in content

</syntaxhighlightjs>

<syntaxhighlightjs lang=yaml>

apiVersion: v1 kind: Pod metadata: 

 name: kube-secret-volume-pod

spec: 

 containers:
 - name: nginx
   image: nginx
   command: ['sh', '-c', "echo $(MY_VAR) && sleep 3600"]
   volumeMounts:
     - name: secretvolume
       mountPath: /etc/certs
 volumes:
   - name: secretvolume
     secret:
       secretName: kube-secret

</syntaxhighlightjs>


Deploy configMap 

kubectl apply -f configmap-pod.yaml
kubectl logs configmap-pod         #Get the logs from the pod displaying the value


Another way to provide values from a ConfigMap is to mount as a container's volume. The keys you can see within the container 

kubectl exec configmaps-volume-kube -- ls  /etc/config
kubectl exec configmaps-volume-kube -- cat /etc/config/key1


Secrets

Secrets types: 

SecretType = "Opaque"                                 // Opaque (arbitrary data; default)
SecretType = "kubernetes.io/service-account-token"    // Kubernetes auth token
SecretType = "kubernetes.io/dockercfg"                // Docker registry auth
SecretType = "kubernetes.io/dockerconfigjson"         // Latest Docker registry auth


Create secrets

kubectl create secret generic user-creds --from-literal=pass=pass123 --from-literal=user=john --save-config  -oyaml --dry-run=true --type=Opaque > secrets.yaml

<syntaxhighlightjs lang=yaml> apiVersion: v1 kind: Secret metadata: 

 creationTimestamp: null
 name: user-creds

data: # keys contain b64 encoded values 

 pass: cGFzczEyMw==
 user: am9obg==

type: Opaque </syntaxhighlightjs>


Another secret. stringData: specifying non-binary secret data in string form. It is provided as a write-only convenience method. All keys and values are merged into the data field on write. <syntaxhighlightjs lang=yaml> apiVersion: v1 kind: Secret metadata: 

 name: kube-secret

stringData: # literal string, keys' values will be b64 encoded on write 

 cert: 1234abc
 key: ca.crt

</syntaxhighlightjs>


Describe secrets 

kubectl describe secrets kube-secret
Name:         kube-secret
Namespace:    default
Labels:       <none>
Annotations:  
Type:         Opaque

Data
====
cert:  5 bytes
key:   5 bytes


Reference secrets in pod spec

kubectl create secret generic user-creds --from-literal=user=john --from-literal=password=pass123 --save-config -oyaml --type=Opaque  --dry-run=true
ConfigMap
As a environment Secrets mounted volume
<syntaxhighlightjs lang=yaml>

apiVersion: v1 kind: Pod metadata: 

 name: busybox-with-secret-env

spec: 

 containers:
 - name: busybox
   image: busybox
   command: ['sh', '-c', 'echo \"secret env variable VAR=$VAR\" && sleep 3600']
   env:
   - name: VAR
     valueFrom:
       secretKeyRef:
         name: user-creds
         key: password

</syntaxhighlightjs>


Verify 

kubectl logs busybox-with-secret-env
"secret env variable VAR=pass123"

kubectl exec -it busybox-with-secret-env -- /bin/env | grep VAR
VAR=pass123
 <syntaxhighlightjs lang=yaml>

apiVersion: v1 kind: Pod metadata: 

 name: busybox-with-secret-volume-mounted

spec: 

 containers:
 - name: busybox
   image: busybox
   command: ['sh', '-c', "echo \"Secret in the password file: $(cat /etc/user-creds/password)\" && sleep 3600"]
   volumeMounts:
     - name: secretvolume
       mountPath: /etc/user-creds # this will be a directory
       readOnly: true # optional
 volumes:
 - name: secretvolume
   secret:                    # key will be a file name
     secretName: user-creds   # with value in the content

</syntaxhighlightjs>

Verify 

kubectl logs busybox-with-secret-volume-mounted
Secret in the password file: pass123

kubectl -n secrets exec -it busybox-with-secret-volume-mounted -- /bin/ls -la /etc/user-creds
total 4 # note symlinks, these cause issues if you think to do cat /etc/user-creds/*
drwxrwxrwt    3 root     root           120 Oct 20 20:08 .
drwxr-xr-x    1 root     root          4096 Oct 20 20:08 ..
drwxr-xr-x    2 root     root            80 Oct 20 20:08 ..2019_10_20_20_08_32.538523033
lrwxrwxrwx    1 root     root            31 Oct 20 20:08 ..data -> ..2019_10_20_20_08_32.538523033
lrwxrwxrwx    1 root     root            15 Oct 20 20:08 password -> ..data/password
lrwxrwxrwx    1 root     root            11 Oct 20 20:08 user -> ..data/user

kubectl exec busybox-with-secret-volume-mounted -- /bin/cat /etc/user-creds/{user,password}; echo
johnpass123

References

Retrieved from ‘http://wiki.ciscolinux.co.uk/index.php?title=Kubernetes/ConfigMap_and_Secrets&oldid=4818