1.1 ConfigMap

1.1.1 Create Imperatively

kubectl create configmap <config-name> --from-literal=<key>=<value>

kubectl create configmap app-config --from-literal=APP_COLOR=blue \
    --from-literal=APP_MOD=prod

kubectl create configmap <config-name> --from-file=<path-to-file>

kubectl create configmap app-config --from-file=app_config.properties

1.1.2 Create Declaratively


1.1.3 View

kubectl get configmaps
kubectl describe configmap app-config

1.1.4 Use


1.2 Annotation

Annotations record details for informational purposes, while labels are used for selection.

1.3 Secret

Reference:

https://kubernetes.io/docs/concepts/configuration/secret/

1.3.1 Define

1.3.1.1 Declarative

kubectl create -f secret-data.yaml

secret-data.yaml

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  DB_Host: mysql
  DB_User: root
  DB_Password: paswrd

Encode the secret values in base64 (see Hash/Unhash Secret Value):

  DB_Host: bXlzcWw=
  DB_User: cm9vdA==
  DB_Password: cGFzd3Jk

1.3.1.2 Imperative

kubectl create secret generic <secret-name> --from-literal=<key>=<value>

kubectl create secret generic app-secret --from-literal=DB_Host=mysql \
    --from-literal=DB_User=root

kubectl create secret generic <secret-name> --from-file=<path-to-file>

kubectl create secret generic app-secret --from-file=app_secret.properties \
    --from-literal=DB_Password=paswrd

1.3.1.3 Hash/Unhash Secret Value

echo -n 'mysql' | base64
bXlzcWw=

echo -n 'bXlzcWw=' | base64 --decode
mysql

Base64 is an encoding, not encryption, so it is not secure. The following practices make secrets safer:

  • Not checking in Secret object definition files to source code repositories.
  • Enabling Encryption at Rest for Secrets so they are stored encrypted in ETCD.
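
The two points above (base64 values are reversible without any key, and Secret definition files should stay out of source repositories) combined into a check that can run before a commit. This is an added example, not part of the original page; the function names are hypothetical, the sample manifest is constructed from the values on this page, and the parser handles only the flat data: layout shown here.

```shell
# Added example (not from the page): gate Secret manifests before a commit.
# is_secret_manifest FILE: succeeds if FILE declares "kind: Secret".
is_secret_manifest() {
    grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1"
}

# decode_secret_data FILE: prints KEY=plaintext for each entry under a
# top-level "data:" key (flat layout as on this page); no key is needed.
decode_secret_data() {
    awk '
        /^data:[ \t]*$/ { in_data = 1; next }   # entering the data block
        /^[^ \t#]/      { in_data = 0 }         # another top-level key ends it
        in_data && NF == 2 && $1 ~ /:$/ { sub(/:$/, "", $1); print $1, $2 }
    ' "$1" | while read -r key value; do
        plain=$(printf '%s' "$value" | base64 -d 2>/dev/null) || plain='<not base64>'
        printf '%s=%s\n' "$key" "$plain"
    done
}

# check_manifests FILE...: reports offending files and key names on stderr
# (never the values) and returns 1 if any Secret manifest is found.
check_manifests() {
    status=0
    for f in "$@"; do
        is_secret_manifest "$f" || continue
        keys=$(decode_secret_data "$f" | cut -d= -f1 | tr '\n' ' ')
        echo "BLOCKED: $f defines a Secret (keys: $keys)" >&2
        status=1
    done
    return "$status"
}

# Constructed sample: the app-secret manifest from this page, encoded form.
write_sample_manifest() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  DB_Host: bXlzcWw=
  DB_User: cm9vdA==
  DB_Password: cGFzd3Jk
EOF
}

sample=$(mktemp) && write_sample_manifest "$sample"
decode_secret_data "$sample"; check_manifests "$sample" || echo "commit rejected"
rm -f "$sample"
```

In a Git pre-commit hook, check_manifests would be called with the staged file paths, and a non-zero return would abort the commit.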

1.3.2 View

kubectl get secrets

kubectl describe secrets

View the secret as YAML, including the encoded values:

kubectl get secret app-secret -o yaml

1.3.3 Use

Inject the whole secret in a pod definition file.

spec:
  containers:
  - envFrom:
    - secretRef:
        name: app-secret

Inject a single value

env:
- name: DB_Password
  valueFrom:
    secretKeyRef:
      name: app-secret
      key: DB_Password

Inject the whole secret as a volume

volumes:
- name: app-secret-volume
  secret:
    secretName: app-secret

>ls /opt/app-secret-volumes

DB_Host DB_Password DB_User

>cat /opt/app-secret-volumes/DB_Password

paswrd

Created by Bin Chen on 2020/09/04 04:05
    
