Chapter 10

ConfigMaps and Secrets

In this session we will explore why ConfigMaps and Secrets are needed and how to use them.

ConfigMaps

In this session, we will explore the use of ConfigMaps.

If you want to customize the configuration of an application inside a Pod, you have to change the configuration files inside the container and then wait for the application to re-read the updated configuration file.

When the Pod lifecycle ends, the changes we made are lost, and we have to redo them when the Pod comes up again.

This is not convenient, and we need a better way to manage these configuration-related operations.

To achieve a persistent configuration regardless of the Pod state, k8s introduced ConfigMaps.

We can store environment variables, file content, or both in a ConfigMap.

Use the kubectl create configmap command to create configmaps from directories, files, or literal values:

where is the name you want to assign to the ConfigMap and is the directory, file, or literal value to draw the data from.

The data source corresponds to a key-value pair in the ConfigMap, where

  • key = the file name or the key you provided on the command line, and
  • value = the file contents or the literal value you provided on the command line.

You can use kubectl describe or kubectl get to retrieve information about a ConfigMap.

Create ConfigMap from literals - Declarative

apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
data:
  VAR1: val1

Create ConfigMap from literals - Imperative

$ kubectl create configmap myconfig --from-literal=VAR1=val1

Create ConfigMap from file - Declarative

apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
data:
  configFile: |
    This content is coming from a file
    Also this file have multiple lines    

Create ConfigMap from file - Imperative

$ cat <<EOF >configFile
This content is coming from a file
EOF
$ cat configFile
$ kubectl create configmap myconfig --from-file=configFile

Use ConfigMaps in Pods

Define a container environment variable with data from a single ConfigMap

  • Define an environment variable as a key-value pair in a ConfigMap:
$ kubectl create configmap special-config --from-literal=special.how=very
  • Assign the special.how value defined in the ConfigMap to the SPECIAL_LEVEL_KEY environment variable in the Pod specification.
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        # Define the environment variable
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
              name: special-config
              # Specify the key associated with the value
              key: special.how
  restartPolicy: Never

Configure all key-value pairs in a ConfigMap as container environment variables

  • Create a ConfigMap containing multiple key-value pairs.
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  SPECIAL_LEVEL: very
  SPECIAL_TYPE: charm
  • Use envFrom to define all of the ConfigMap’s data as container environment variables. The key from the ConfigMap becomes the environment variable name in the Pod.
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - configMapRef:
          name: special-config
  restartPolicy: Never

More about ConfigMaps can be read at the link below: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/

Create Secret

A Secret is an object that contains a small amount of sensitive data.

To use a Secret, a Pod needs to reference it. A Secret can be used with a Pod in two ways: as files in a volume mounted on one or more of its containers, or by the kubelet when pulling images for the Pod.

Secret values are stored base64-encoded, and Secrets are mostly used during the creation of an object.

Creating Secrets

From variables
$ kubectl create secret generic my-secret --from-literal=password=mypassword --dry-run -o yaml
From files
$ echo root >user.txt
$ echo mypassword >password.txt
$ kubectl create secret generic my-secret --from-file=user=user.txt --from-file=password=password.txt --dry-run -o yaml

With --dry-run -o yaml, kubectl only prints the generated Secret manifest and creates nothing. Run the command without those two flags to create the my-secret object that the Pods below reference.
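The manifest these commands print carries each value base64-encoded under data:, which is an encoding and not encryption, so anyone who can read the Secret object can recover the values. The script below is an added example, not part of the original page: it decodes every key of a constructed sample manifest (password as in the --from-literal command, user as written by echo root >user.txt) without any key material and reports the trailing newline that echo stored in the user value. The function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): decode the data: section of a
# Secret manifest to show that base64 is an encoding, not encryption.

# Constructed sample in the shape printed by `kubectl create secret ... -o yaml`.
manifest='apiVersion: v1
data:
  password: bXlwYXNzd29yZA==
  user: cm9vdAo=
kind: Secret
metadata:
  name: my-secret'

# List the keys under the top-level data: mapping.
secret_keys() {
  printf '%s\n' "$1" | awk '
    /^data:/ { in_data = 1; next }
    /^[^ ]/  { in_data = 0 }
    in_data && NF == 2 { sub(/:$/, "", $1); print $1 }'
}

# Print the still-encoded value stored for one key.
secret_b64() {
  printf '%s\n' "$1" | awk -v k="$2:" '
    /^data:/ { in_data = 1; next }
    /^[^ ]/  { in_data = 0 }
    in_data && $1 == k { print $2; exit }'
}

# Decode a value; no key or passphrase is involved.
secret_value() { secret_b64 "$1" "$2" | base64 -d; }

# Byte length of the decoded value ($(...) alone would hide a final newline).
secret_len() { secret_value "$1" "$2" | wc -c | tr -d ' '; }

# True when the decoded value ends in a newline, as `echo root >user.txt` produces.
ends_with_newline() {
  [ "$(secret_value "$1" "$2" | tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

for key in $(secret_keys "$manifest"); do
  note=""
  if ends_with_newline "$manifest" "$key"; then note=" (trailing newline)"; fi
  printf '%s: %s bytes%s\n' "$key" "$(secret_len "$manifest" "$key")" "$note"
done
```

Writing the file with printf 'root' >user.txt instead of echo keeps the newline out of the stored value.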

Use Secret in Pods

Using secrets

We can expose Secrets to a Pod as environment variables or as mounted files.

Injecting as environment variables
$ vi pod-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: debugger
  name: debugger
spec:
  containers:
  - image: ansilh/debug-tools
    name: debugger
    env:
    - name: USER
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: user
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password
$ kubectl create -f pod-secret.yaml
$ kubectl get pods      
NAME       READY   STATUS    RESTARTS   AGE   
debugger   1/1     Running   0          17s   

Log on to the container and verify the environment variables

$ kubectl exec -it debugger -- /bin/sh

Verify environment variables inside Pod

/ # echo $USER        
root       
/ # echo $PASSWORD    
mypassword
/ #        

Delete the Pod

$ kubectl delete pod debugger

Mounting as files using volumes
$ vi pod-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: debugger
  name: debugger
spec:
  volumes:
  - name: secret
    secret:
      secretName: my-secret
  containers:
  - image: ansilh/debug-tools
    name: debugger
    volumeMounts:
    - name: secret
      mountPath: /data
$ kubectl create -f pod-secret.yaml
$ kubectl exec -it debugger -- /bin/sh
/ # cd /data        
/data #             
/data # cat user    
root                
/data # cat password
mypassword          
/data #