Configuration
1.1 ConfigMap
1.1.1 Create Imperatively
kubectl create configmap <config-name> --from-literal=<key>=<value>
kubectl create configmap app-config --from-literal=APP_COLOR=blue \
--from-literal=APP_MOD=prod
kubectl create configmap <config-name> --from-file=<path-to-file>
kubectl create configmap app-config --from-file=app_config.properties
1.1.2 Create Declaratively
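The declarative equivalent of the imperative commands above, as an added example (not from the original notes). It defines the same app-config ConfigMap with both literal keys and a file-style key; the file name app-config.yaml used in the apply command is an assumption.

```yaml
# Added example: declarative ConfigMap equivalent to
#   kubectl create configmap app-config --from-literal=APP_COLOR=blue --from-literal=APP_MOD=prod
#   kubectl create configmap app-config --from-file=app_config.properties
# Apply with: kubectl create -f app-config.yaml   (file name assumed)
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  # --from-literal entries: one key per value
  APP_COLOR: blue
  APP_MOD: prod
  # --from-file entry: the key is the file name, the value is the file contents
  app_config.properties: |
    APP_COLOR=blue
    APP_MOD=prod
```

ConfigMaps are stored unencrypted and readable by anyone who can get the object, so they are for non-sensitive settings only; values such as database passwords belong in a Secret (section 1.3).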
1.1.3 View
kubectl get configmaps
kubectl describe configmap app-config
1.1.4 Use
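A Pod that consumes the app-config ConfigMap in the three supported ways, as an added example that is not part of the original notes: the whole map as environment variables, a single key as one variable, and the whole map as files on a volume. The pod name webapp, the nginx image and the mount path /etc/app-config are assumptions.

```yaml
# Added example: consuming a ConfigMap from a Pod (names, image and path assumed)
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  containers:
    - name: webapp
      image: nginx
      # 1. Whole ConfigMap as environment variables: every key becomes a variable
      envFrom:
        - configMapRef:
            name: app-config
      # 2. A single key as one environment variable
      env:
        - name: APP_COLOR
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: APP_COLOR
      # 3. Whole ConfigMap as files: one file per key under the mount path
      volumeMounts:
        - name: app-config-volume
          mountPath: /etc/app-config
          readOnly: true
  volumes:
    - name: app-config-volume
      configMap:
        name: app-config
```

The ConfigMap must exist in the same namespace as the Pod; if it is missing, the Pod fails to start unless the reference sets optional: true. Files on a mounted ConfigMap volume are updated when the ConfigMap changes, whereas environment variables are fixed at container start.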
1.2 Annotation
Annotations record details for informational purposes, while labels are used for selection.
1.3 Secret
Reference:
https://kubernetes.io/docs/concepts/configuration/secret/
1.3.1 Define
1.3.1.1 Declarative
kubectl create -f secret-data.yaml
secret-data.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  DB_Host: mysql
  DB_User: root
  DB_Password: paswrd
Values under data: must be base64-encoded before the file is applied (see 1.3.1.3), so the data section actually becomes:
  DB_Host: bXlzcWw=
  DB_User: cm9vdA==
  DB_Password: cGFzd3Jk
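The manual encoding step can be avoided with the stringData field, shown here as an added example (not from the original notes). The API server base64-encodes each stringData value into data on write, so the stored object is identical to the one defined above; this is a convenience only and gives no extra secrecy.

```yaml
# Added example: same app-secret, written with stringData instead of
# hand-encoded data. Apply with: kubectl create -f secret-data.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
# Plain strings; the API server converts them to base64 under "data" on write.
# stringData is write-only: "kubectl get secret app-secret -o yaml" shows only
# the encoded "data" section.
stringData:
  DB_Host: mysql
  DB_User: root
  DB_Password: paswrd
```

Because the file holds the plaintext values, it needs the same handling as the base64 version: keep it out of source control and restrict who can read it.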
1.3.1.2 Imperative
kubectl create secret generic <secret-name> --from-literal=<key>=<value>
kubectl create secret generic app-secret --from-literal=DB_Host=mysql \
  --from-literal=DB_User=root \
  --from-literal=DB_Password=paswrd
kubectl create secret generic <secret-name> --from-file=<path-to-file>
kubectl create secret generic app-secret --from-file=app_secret.properties
1.3.1.3 Hash/Unhash Secret Value (Base64 Encode/Decode)
echo -n 'mysql' | base64
bXlzcWw=
echo -n 'bXlzcWw=' | base64 --decode
mysql
Base64 is an encoding, not encryption, so anyone who can read the Secret object can recover the values. The following practices make Secrets safer:
- Do not check Secret definition files into source code repositories.
- Enable Encryption at Rest for Secrets so they are stored encrypted in etcd.
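An EncryptionConfiguration that turns on encryption at rest for Secrets, as an added example that is not part of the original notes. The kube-apiserver reads it through the --encryption-provider-config flag; the file path /etc/kubernetes/enc/enc.yaml and the key placeholder are assumptions.

```yaml
# Added example: encryption at rest for Secrets in etcd.
# Pass to the API server as:
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml   (path assumed)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried on reads.
      - aescbc:
          keys:
            - name: key1
              # 32 random bytes, base64-encoded. Placeholder shown; generate with:
              #   head -c 32 /dev/urandom | base64
              secret: <BASE64_ENCODED_32_BYTE_KEY>
      # identity (no encryption) stays last so Secrets written before encryption
      # was enabled remain readable until they are rewritten.
      - identity: {}
```

After restarting the API server, existing Secrets are still stored in plaintext until they are rewritten, for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -. The configuration file now holds the key that protects every Secret, so it must be readable only by the API server process on the control-plane node, and the cluster should be verified by reading a Secret directly from etcd and confirming the stored value is ciphertext rather than base64.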
1.3.2 View
kubectl get secrets
kubectl describe secrets
Show the stored object as YAML, including the base64-encoded values (describe lists only the byte size of each value):
kubectl get secret app-secret -o yaml
1.3.3 Use
Inject the whole secret in a pod definition file.
spec:
  containers:
    - envFrom:
        - secretRef:
            name: app-secret
Inject a single value
env:
  - name: DB_Password
    valueFrom:
      secretKeyRef:
        name: app-secret
        key: DB_Password
Inject the whole secret as a volume
volumes:
  - name: app-secret-volume
    secret:
      secretName: app-secret
containers:
  - volumeMounts:
      - name: app-secret-volume
        mountPath: /opt/app-secret-volumes
>ls /opt/app-secret-volumes
DB_Host DB_Password DB_User
>cat /opt/app-secret-volumes/DB_Password
paswrd