Kubernetes - Secret vs ConfigMap

After reading this post you will understand, at a high level, what Kubernetes Secrets and ConfigMaps are, why you would use them, and the basic kubectl commands for working with them.

If you have not yet checked the previous parts of this series, please go ahead and check them here 👉 Link

Kubernetes Secrets

Secrets are Kubernetes objects for holding small amounts of sensitive data such as passwords, keys and tokens; a single Secret is limited to 1 MiB. The values are base64-encoded in the manifest and stored in the cluster's etcd data store. Base64 is encoding, not encryption: unless encryption at rest is configured for the API server, anyone who can read etcd, or who has RBAC permission to get Secrets in the namespace, can recover the plaintext. Because a Secret is an object of its own, created independently of any Pod or container, the same Secret can be consumed by any number of Pods.

Create a Secret from a YAML manifest file

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm

Create using kubectl create

kubectl create -f secret.yaml

Output

controlplane $ kubectl get secret
NAME       TYPE     DATA   AGE
mysecret   Opaque   2      27s
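
As an added example (not part of the original post), the following shell script decodes the data block of the mysecret manifest above without touching a cluster, to make the point that base64 is reversible encoding rather than encryption. It also checks a constructed manifest that puts plain text under data: (a common mistake; plain text belongs under stringData:, which the API server encodes for you). The helper names (b64, secret_data_entries, decode_secret_data), the BROKEN_MANIFEST input and the minimal YAML parsing are my own and are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): decode a Secret manifest's
# `data` block offline to show that base64 is reversible encoding, not
# encryption, and catch plain text put under `data:` (which the API server
# rejects as illegal base64; plain text belongs under `stringData:`).
# Needs only POSIX sh, awk and a base64 that accepts -d (GNU coreutils/busybox).

# The Secret from the post, embedded here as constructed input.
SECRET_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm'

# Constructed broken manifest: plain text under data: instead of stringData:.
BROKEN_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  name: broken
type: Opaque
data:
  PASSWORD: not-base64-at-all'

# base64-encode a value the way the manifest expects it (single line, no wrap).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print "KEY:VALUE" for each entry under the top-level data: block.
# Minimal parser for the flat key/value layout used in the post, not general YAML.
secret_data_entries() {
  printf '%s\n' "$1" | awk '
    /^data:/ { in_data = 1; next }
    /^[^ ]/  { in_data = 0 }
    in_data && /^  [^ ]+: / {
      key = $1; sub(/:$/, "", key)
      print key ":" $2
    }'
}

# Decode every data value and print KEY=plaintext. Returns 1 if any value is
# not valid base64, i.e. the manifest would be rejected by kubectl create/apply.
decode_secret_data() {
  rc=0
  for entry in $(secret_data_entries "$1"); do
    key=${entry%%:*}
    val=${entry#*:}
    if decoded=$(printf '%s' "$val" | base64 -d 2>/dev/null); then
      printf '%s=%s\n' "$key" "$decoded"
    else
      printf 'illegal base64 in data.%s: %s\n' "$key" "$val" >&2
      rc=1
    fi
  done
  return $rc
}

echo "== mysecret, decoded without any cluster access =="
decode_secret_data "$SECRET_MANIFEST"
echo "== broken manifest =="
decode_secret_data "$BROKEN_MANIFEST" || echo "fix: move the plain text under stringData:"
echo "== how YWRtaW4= was produced =="
b64 admin; echo
```

On a live cluster the same decoding is one command, kubectl get secret mysecret -o jsonpath='{.data.PASSWORD}' | base64 -d, so anyone with RBAC permission to get Secrets in the namespace can read the plaintext. Restrict that verb to the identities that need it, and configure encryption at rest for the API server so that etcd does not hold the values in the clear.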

Use the Secret in a Pod

Save the following Pod manifest as deploy.yaml. It mounts the Secret as a read-only volume at /etc/secret:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret

Create the Pod:

kubectl create -f deploy.yaml

Pod status

controlplane $ kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          4m21s

Verify the Secret inside the Pod

Open a shell in the Pod and check the mounts:

kubectl exec -it nginx -- bash

root@nginx:/# df -h
Filesystem      Size  Used Avail Use% Mounted on
overlay         9.6G  5.5G  4.1G  58% /
tmpfs            64M     0   64M   0% /dev
tmpfs           994M     0  994M   0% /sys/fs/cgroup
tmpfs           1.9G  8.0K  1.9G   1% /etc/secret
/dev/vda1       9.6G  5.5G  4.1G  58% /etc/hosts
shm              64M     0   64M   0% /dev/shm
tmpfs           1.9G   12K  1.9G   1% /run/secrets/kubernetes.io/serviceaccount
tmpfs           994M     0  994M   0% /proc/acpi
tmpfs           994M     0  994M   0% /proc/scsi
tmpfs           994M     0  994M   0% /sys/firmware

Add a volumes entry of type secret that names the Secret (mysecret, created above), then mount that volume into the container at the target path, exactly as with any other volume. Each key of the Secret becomes a file under the mount path (here /etc/secret/USER_NAME and /etc/secret/PASSWORD) whose content is the decoded value. As the df output shows, the mount is a tmpfs, so the decoded secret lives in memory on the node rather than on its disk; keep readOnly: true so the container cannot modify it.

ConfigMaps

ConfigMaps separate a container image from its environment-specific configuration, so the same image is portable and runs in any environment as long as a suitable ConfigMap is supplied. A ConfigMap stores plain key/value data. If any configuration value is sensitive, put it in a Secret instead of a ConfigMap. A ConfigMap that a Pod spec refers to must exist before the Pod starts; otherwise the container cannot start (unless the reference is marked optional).

Create a ConfigMap from a YAML manifest file

apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap
data:
  # Configuration values can be set as key-value properties
  database: mongodb
  database_uri: mongodb://localhost:27017

  # Or set as complete file contents (even JSON!)
  keys: |
    image.public.key=771
    rsa.public.key=42

Create using kubectl create

controlplane $ kubectl create -f configmap.yaml
configmap/configmap created
controlplane $ kubectl get configmap
NAME               DATA   AGE
configmap          3      83s
kube-root-ca.crt   1      46d

Use the ConfigMap in a Pod as environment variables

controlplane $ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-env-var
spec:
  containers:
    - name: env-var-configmap
      image: nginx:1.7.9
      envFrom:
        - configMapRef:
            name: configmap

Pod status

controlplane $ kubectl get pod
NAME          READY   STATUS    RESTARTS   AGE
pod-env-var   1/1     Running   0          71s

A ConfigMap can also be mounted as a volume, in the same way as the Secret volume above but with a configMap: entry naming the ConfigMap in place of secret:. Each key then becomes a file under the mountPath given in volumeMounts; an optional items list maps individual keys, where key is the ConfigMap key to expose and path is the file name it will have under the mount directory inside the Pod.

The Pod above takes the other route: instead of a volume it uses envFrom with a configMapRef to the ConfigMap (configmap), so every key becomes an environment variable. Verify the environment variables as follows.

Log in to the Pod and run env to check:

controlplane $ kubectl exec -it pod-env-var -- bash
root@pod-env-var:/# env
HOSTNAME=pod-env-var
TERM=xterm
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_HOST=10.96.0.1
database_uri=mongodb://localhost:27017
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
database=mongodb
PWD=/
NGINX_VERSION=1.7.9-1~wheezy
keys=image.public.key=771
rsa.public.key=42

SHLVL=1
HOME=/root
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
_=/usr/bin/env
root@pod-env-var:/# exit

The main difference between the two is that a Secret is meant for confidential data while a ConfigMap holds non-confidential data. Both are delivered to containers the same way, as mounted files or as environment variables, so the distinction matters for how the cluster protects the object (separate RBAC permissions, tmpfs-backed mounts, optional encryption at rest), not for how the container reads it.
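
Because ConfigMap data is not confidential, it is worth checking manifests before they are committed or applied. The following shell script is an added example, not part of the original post: it scans a ConfigMap manifest for key names that usually hold credentials and for user:password@ pairs embedded in URLs, running over the configmap.yaml from above (which is clean) and over a constructed leaky ConfigMap that should be rejected. The regular expressions, the scan_configmap function and the LEAKY_CONFIGMAP input are my own.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-commit style check that a
# ConfigMap manifest carries no credentials, since ConfigMap data is not
# confidential. Pure POSIX sh, grep and sed; no cluster needed.

# The ConfigMap from the post, embedded as constructed input (expected: clean).
CLEAN_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap
data:
  database: mongodb
  database_uri: mongodb://localhost:27017
  keys: |
    image.public.key=771
    rsa.public.key=42'

# Constructed ConfigMap that should be rejected: a password inside a
# connection string and an API key stored as plain configuration.
LEAKY_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  database_uri: mongodb://app:Hunter2@db.internal:27017/prod
  api_key: sk-constructed-example-value
  log_level: info'

# Key names (the part before the colon) that almost always hold credentials.
SENSITIVE_KEY_RE='^[[:space:]]*[^:#]*(password|passwd|secret|token|api[_-]?key|private[_-]?key)[^:]*:'
# A URL carrying user:password@ credentials.
CREDS_IN_URL_RE='://[^/@[:space:]]+:[^/@[:space:]]+@'

# Print each offending line as "<reason>: <lineno>:<line>"; return 1 if any.
scan_configmap() {
  found=0
  # -n keeps line numbers for the report; -i only for key names.
  hits=$(printf '%s\n' "$1" | grep -Eni "$SENSITIVE_KEY_RE" || :)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/sensitive key name: /'
    found=1
  fi
  hits=$(printf '%s\n' "$1" | grep -En "$CREDS_IN_URL_RE" || :)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/credentials in URL: /'
    found=1
  fi
  return $found
}

echo "== configmap.yaml from the post =="
scan_configmap "$CLEAN_CONFIGMAP" && echo "ok: nothing sensitive found"
echo "== constructed leaky ConfigMap =="
scan_configmap "$LEAKY_CONFIGMAP" || echo "reject: move these values to a Secret"
```

Run it as a pre-commit hook or in CI over every ConfigMap manifest; anything it flags should move to a Secret and be consumed through a secretKeyRef environment variable or a Secret volume instead.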

Hope you now have an idea of Kubernetes Secrets and ConfigMaps and how to use them in your own environments.

Happy Learning 📚

Thank you!
