After reading this post you will understand Kubernetes Secrets and ConfigMaps at a high level, their advantages, and the basic kubectl commands related to Secrets and ConfigMaps.
If you have not yet checked the previous parts of this series, please go ahead and check this Link
Kubernetes Secrets
Secrets are Kubernetes objects for managing small amounts of sensitive data such as passwords, keys, and tokens, each less than 1MB in size. Secret values are base64-encoded (which is encoding, not encryption) and stored in the etcd data store on the Kubernetes master. Since Secrets are created outside of pods and containers, one Secret can be used any number of times.
Create a Secret using a YAML manifest file (secret.yaml)
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm
Create using kubectl create
kubectl create -f secret.yaml
Output
controlplane $ kubectl get secret
NAME TYPE DATA AGE
mysecret Opaque 2 27s
Deploy Secrets in Pods
Pod manifest (deploy.yaml)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret
Create the pod with kubectl create
kubectl create -f deploy.yaml
Pod status
controlplane $ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 4m21s
How to verify the secrets
kubectl exec -it nginx -- bash --> opens a shell inside that particular pod
root@nginx:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 9.6G 5.5G 4.1G 58% /
tmpfs 64M 0 64M 0% /dev
tmpfs 994M 0 994M 0% /sys/fs/cgroup
tmpfs 1.9G 8.0K 1.9G 1% /etc/secret
/dev/vda1 9.6G 5.5G 4.1G 58% /etc/hosts
shm 64M 0 64M 0% /dev/shm
tmpfs 1.9G 12K 1.9G 1% /run/secrets/kubernetes.io/serviceaccount
tmpfs 994M 0 994M 0% /proc/acpi
tmpfs 994M 0 994M 0% /proc/scsi
tmpfs 994M 0 994M 0% /sys/firmware
Add a volumes entry of type secret that references the secretName (i.e. mysecret, created above), then mount that volume at the target location in the container with volumeMounts, exactly as with any other volume. In the df output above the Secret appears as a tmpfs mounted at /etc/secret, and each key of the Secret becomes a file in that directory.
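Before moving on to ConfigMaps, here is an added example (not from the original post) that makes the "encoded, not encrypted" point concrete. It parses a Secret manifest with plain shell tools and recovers the plaintext of every data value, and it builds a correctly encoded manifest from key=value pairs. The manifest is a constructed copy of the secret.yaml above; the function names are this example's own.

```shell
# Constructed sample manifest, same values as the post's secret.yaml.
SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm'

# Print "key=plaintext" for every entry under data: of a Secret manifest.
# Anyone who can read the manifest (or etcd) can do exactly this, which is
# why Secrets need RBAC and encryption at rest, not just base64.
# Usage: decode_secret_data "$SECRET_YAML"
decode_secret_data() {
  printf '%s\n' "$1" \
    | awk '
        /^data:/ { in_data = 1; next }      # start of the data: block
        /^[^ ]/  { in_data = 0 }            # any unindented key ends it
        in_data && /^ +[^ ]+: / {
          sub(/^ +/, "")
          split($0, kv, /: /)
          print kv[1] " " kv[2]
        }' \
    | while read -r key b64; do
        printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
      done
}

# Decode a single key. Usage: decode_secret_key "$SECRET_YAML" PASSWORD
decode_secret_key() {
  decode_secret_data "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2) }'
}

# Build a Secret manifest from plaintext key=value pairs, base64-encoding each
# value the way kubectl does for --from-literal.
# Usage: encode_secret_manifest mysecret USER_NAME=admin PASSWORD=1f2d1e2e67df
encode_secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    printf '  %s: %s\n' "${pair%%=*}" "$(printf '%s' "${pair#*=}" | base64 | tr -d '\n')"
  done
}
```

Running decode_secret_data "$SECRET_YAML" prints USER_NAME=admin and PASSWORD=1f2d1e2e67df, the plaintext behind the two encoded values in the manifest.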
ConfigMaps
ConfigMaps separate container images from their custom configuration, so that an image stays portable and can run in any environment once the appropriate configuration is provided. A ConfigMap stores data as key-value pairs. If any configuration value is sensitive, use a Secret instead of a ConfigMap. The ConfigMap must be created beforehand if a pod spec is going to refer to it.
Create a ConfigMap using a YAML manifest file (configmap.yaml)
apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap
data:
  # Configuration values can be set as key-value properties
  database: mongodb
  database_uri: mongodb://localhost:27017
  # Or set as complete file contents (even JSON!)
  keys: |
    image.public.key=771
    rsa.public.key=42
controlplane $ kubectl create -f configmap.yaml
configmap/configmap created
controlplane $ kubectl get configmap
NAME DATA AGE
configmap 3 83s
kube-root-ca.crt 1 46d
controlplane $ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-env-var
spec:
  containers:
  - name: env-var-configmap
    image: nginx:1.7.9
    envFrom:
    - configMapRef:
        name: configmap
controlplane $ kubectl get pod
NAME READY STATUS RESTARTS AGE
pod-env-var 1/1 Running 0 71s
When a ConfigMap is consumed as a volume, each key in the volumes section becomes a file name, and path sets where that file is placed inside the pod; in volumeMounts, mountPath is the target directory where the ConfigMap volume is mounted.
The pod above uses environment variables instead of volume mapping: envFrom with a configMapRef takes every key of the ConfigMap created above (configmap) and exposes it as an environment variable. Verify the environment variables by opening a shell in the pod and running env:
controlplane $ kubectl exec -it pod-env-var bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@pod-env-var:/#
root@pod-env-var:/# env
HOSTNAME=pod-env-var
TERM=xterm
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_HOST=10.96.0.1
database_uri=mongodb://localhost:27017
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
database=mongodb
PWD=/
NGINX_VERSION=1.7.9-1~wheezy
keys=image.public.key=771
rsa.public.key=42
SHLVL=1
HOME=/root
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
_=/usr/bin/env
root@pod-env-var:/# exit
The main difference between the two is that Secrets store confidential data, while ConfigMaps store non-confidential data.
Hope you have got an idea about Kubernetes Secrets and ConfigMaps and how we can implement them in our production environments
Happy Learning
Thank you!