[Kubernetes] Configurations

Kubernetes provides many ways to configure pods and containers.

ConfigMaps

Kubernetes manages application configurations in the form of ConfigMaps. ConfigMaps store configuration data as key/value pairs and provide them to containers.

ConfigMaps can be accessed from a pod using:

  • Environment variables (as key/value pairs)
  • ConfigMap Volume (as files)

Creating ConfigMaps

  • Creating a ConfigMap from literals:
kubectl create configmap <name> --from-literal=<key>=<value>

kubectl create configmap my-config-map \
  --from-literal=APP-TYPE=web \
  --from-literal=APP-MODE=dev

kubectl get cm
kubectl describe cm my-config-map
kubectl get cm my-config-map -o yaml > my-config-map.yaml
  • Creating a ConfigMap using the definition file:
apiVersion: v1   
kind: ConfigMap
metadata:  
  name: my-config-map
data:
  key1: value1
  APP-TYPE: web
  APP-MODE: dev
  • Creating a ConfigMap from a config file: this creates only one entry.
# key: file name, value: the list of key/value pairs
kubectl create cm my-config-map --from-file=my-config.config  

# my-config.config
key1=value1
key2=value2

# matching yaml
data:
  my-config.config: |
    key1=value1
    key2=value2
  • Creating a ConfigMap from a map file: It will create key/value pairs.
# file name is not a key. key: key, value: value
kubectl create cm my-config-map --from-env-file=my-config.env   

# my-config.env
key1=value1
key2=value2

# matching yaml
data:
  key1: value1
  key2: value2
  • Checking ConfigMaps:
kubectl get cm

kubectl describe cm my-config-map

kubectl delete cm my-config-map

Secrets

It is not a good idea to save sensitive data (such as passwords) in ConfigMaps. Instead, you can use Secrets.

  • Secrets are not encrypted. They are only encoded (base64).
  • There are better options to save sensitive data such as Helm Secrets or HashiCorp Vault.

Creating Secrets declaratively

With kubectl create secret, the value is base64-encoded automatically.

kubectl create secret generic my-secret \
  --from-literal=pw=mypassword

kubectl get secret
kubectl describe secret my-secret

# with encoded values
kubectl get secret my-secret -o yaml > secret.yaml

Creating Secrets imperatively

In a definition file, you need to base64-encode the values under data yourself.

# encode
echo -n 'root' | base64  

# decode
echo -n 'cm9vdA==' | base64 -d

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  key1: dmFsdWUx   # base64 of "value1"; every value under data must be base64
  user: cm9vdA==
  pw: bXlwYXNzd29yZA==
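
The point that Secret values are only base64-encoded can be checked offline against a manifest like the one above. This is an added example, not code from the original post: `sample_secret`, `secret_entries` and `audit_secret` are hypothetical helper names, the manifest is a constructed sample with one deliberately malformed value, and it assumes plain unquoted scalars under data: and a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Secret manifest offline.
# Helper names are hypothetical; assumes unquoted scalars under data:.

# Constructed sample; key1 is deliberately not valid base64.
sample_secret() {
cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  key1: value1
  user: cm9vdA==
  pw: bXlwYXNzd29yZA==
EOF
}

# Emit "key<TAB>value" for every entry under the top-level data: key.
secret_entries() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }
    /^[^ \t#]/      { in_data = 0 }   # any other top-level key ends the block
    in_data && /^[ \t]+[^# \t]/ {
      line = $0; sub(/^[ \t]+/, "", line)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/[ \t]+#.*$/, "", val); sub(/[ \t]+$/, "", val)
      printf "%s\t%s\n", key, val
    }'
}

# Print key=plaintext, or key=INVALID-BASE64 where the value is not strictly
# padded base64 (the API server rejects a manifest with such a value in data:).
audit_secret() {
  b64='^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
  secret_entries | while IFS="$(printf '\t')" read -r key val; do
    if printf '%s\n' "$val" | grep -Eq "$b64" &&
       decoded=$(printf '%s' "$val" | base64 -d 2>/dev/null); then
      printf '%s=%s\n' "$key" "$decoded"
    else
      printf '%s=INVALID-BASE64\n' "$key"
    fi
  done
}

sample_secret | audit_secret
```

Anyone who can read an exported secret.yaml recovers the same plaintext, so treat such files like the credentials themselves and keep them out of version control.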

Using Environment Variables

You can set environment variables in 3 ways, and then access the value using $(ENV-NAME).

  • Plain Key/Value
  • ConfigMap
  • Secret

At first, you can simply use the key/value pair.

apiVersion: v1   
kind: Pod
metadata:  
  name: my-app
spec:
  containers: 
  - name: my-container
    image: busybox
    command: ['echo'] 
    args: ['$(APP-TYPE)']
    env:
    - name: APP-TYPE
      value: prod

You can access the configuration values as environment variables using “configMapRef” and “configMapKeyRef”.

  • Configure all key-value pairs
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo'] 
    args: ['$(APP-TYPE)']
    envFrom:
    - configMapRef:
        name: my-config-map
  • Configure a single value:
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo'] 
    args: ['$(APP-TYPE)']
    env:
    - name: APP-TYPE
      valueFrom:
        configMapKeyRef:
          name: my-config-map
          key: APP-TYPE

Finally, you can retrieve the value from the Secrets.

spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo'] 
    args: ['$(APP-TYPE)']
    env:
    - name: APP-TYPE
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: user   # must be a key that exists in my-secret

Using Secrets

  • Configure all key-value pairs:
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(user)']
    envFrom:
    - secretRef:
        name: my-secret
  • Configure a single value:
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(user)']
    env:
    - name: user   # must match the $(user) reference in args
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: user

Mounting as a volume with ConfigMaps

  • Each ConfigMap key becomes a file in the volume.
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['cat']
    args: ['/etc/config/APP-TYPE']   # the APP-TYPE key is a file under the mountPath
    volumeMounts:
    - mountPath: /etc/config
      name: config-volume
  volumes:
  - name: config-volume
    configMap: 
      name: my-config-map
  restartPolicy: Never

Mounting as a volume with Secrets

  • Each key in the Secret becomes a file in the volume.
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['cat']
    args: ['/etc/config/user']   # the user key is a file under the mountPath
    volumeMounts:
    - mountPath: /etc/config
      name: secret-volume
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
  restartPolicy: Never
