Kubernetes: Centralized Configuration Data And Secrets

Usha Devasi
Aug 12, 2020

Why do we need Configuration as Data?

We need configuration as centralised data because it fulfils the following criteria:

  • Abstraction: If the configuration is external to the container, Kubernetes can destroy and create pods independent of the actual state of the container.
  • Reusability: The same configuration data can be used by one or many pods. We might not want to store configuration information inside a container image that we might share publicly.
  • Service discovery: We can use configuration data to locate services inside and outside the cluster.
  • Data Protection: We need to be able to protect sensitive information. By storing configuration as data inside our cluster, we can keep passwords outside of the container image and easily share the image with anyone we want.

Runtime Configuration Injection through Object Reference:

This can be done in pods in two ways: ConfigMap and Secret.

Let’s first go through ConfigMap and then move on to Secrets.

ConfigMap

A ConfigMap is an API object used to store non-confidential data in key-value pairs. A ConfigMap allows you to decouple environment-specific configuration from your container images so that your applications are easily portable. Working with it has two parts: creating it and consuming it.

To create a ConfigMap object, we use the kubectl create configmap command, which offers three different ways to specify key-value pairs:

Commands to Create ConfigMap (imperative):

# Literals
Case 1.
Create a new configmap named my-config with key1=config1

kubectl create configmap my-config --from-literal=key1=config1

Case 2.
Create a new configmap named my-config with key1=config1 and key2=config2 (that is, with any number of key-value pairs)

kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2

# Individual file with environment variables
kubectl create configmap my-config --from-env-file=config.txt

# File or directory
kubectl create configmap my-config --from-file=config.txt

A ConfigMap does not provide secrecy or encryption. If the data you want to store is confidential, use a Secret rather than a ConfigMap, or use additional (third-party) tools to keep your data private, e.g. Ansible.

Creating ConfigMaps (Declarative):

This means we start by writing the .yaml manifest.

Mounting/Consuming a ConfigMap:

  1. Injected as environment variables
  2. Mounted as volume

Secrets:

Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it in a Pod definition or a container image.

Creating Secrets is very similar to creating ConfigMaps; the main difference is that Secrets use base64-encoded values.

Let’s see how to create Secrets the imperative way.

Commands to Create Secrets (imperative):

# Literals
Create a new secret named db-secret with pwd=admin

kubectl create secret generic db-secret --from-literal=pwd=admin

# file with environment variables
kubectl create secret generic db-secret --from-env-file=secret.env

# SSH key File
kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa

Creating Secrets (Declarative):

This means we start by writing the .yaml manifest.
For that, we first need to manually encode the values into base64.

The name of a Secret object must be a valid DNS subdomain name. The Secret contains two maps: data and stringData. The data map is used to store arbitrary data, encoded using base64; stringData is provided for convenience and allows you to provide secret data as unencoded strings.

echo -n 'admin' | base64

Replace ‘admin’ in the above command with the value you want to store as a secret.
Once you have the encoded value, put it in the YAML like:
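
The manual encoding step above, worked through as an added example (not code from the original article): it renders a Secret manifest with a base64 `data` value, decodes that value again without any key (base64 is an encoding, not encryption), and flags the stray newline that encoding without -n leaves in a value. The helper function names are assumptions; db-secret, pwd and admin follow the commands earlier in the article.

```shell
# Added example. Helper names are hypothetical; db-secret, pwd and admin
# follow the commands used in the article.

# Encode a value for the Secret's `data` map. printf adds no trailing newline,
# and tr removes the line wrapping that GNU base64 applies to long input.
encode_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a `data` value. No key is involved: base64 is reversible by anyone
# who can read the manifest or the Secret object.
decode_value() {
  printf '%s' "$1" | base64 --decode
}

# Succeeds if the decoded value ends in a newline (0x0a), the usual result of
# running `echo 'admin' | base64` without -n.
has_trailing_newline() {
  [ "$(decode_value "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Render a minimal Opaque Secret manifest: name, key, plaintext value.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  $2: $(encode_value "$3")
EOF
}

render_secret db-secret pwd admin          # data.pwd is YWRtaW4=
decode_value "YWRtaW4="; echo              # prints admin
if has_trailing_newline "YWRtaW4K"; then   # constructed: "admin\n" encoded
  echo "warning: value ends with a newline; re-encode with echo -n or printf"
fi
```

The rendered manifest can be saved to a file or piped to kubectl apply -f -.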

Secrets in Pods as Volume:

The value has to be encoded into base64 manually.

Conclusion:
I hope this article will be helpful for getting a step-by-step understanding of configuration in Kubernetes, especially for beginners.
Share your feedback/response; it motivates me to write more articles and more videos.
