Day 3 of Week 2 of #CloudNativeNewYear!
The theme for this week is Kubernetes fundamentals. Yesterday we talked about Services and Ingress. Today we'll explore the topic of passing configuration and secrets to our applications in Kubernetes with ConfigMaps and Secrets.
Watch the recorded demo and conversation about this week's topics.
We were live on YouTube walking through today's (and the rest of this week's) demos.
What We'll Cover
- Decouple configurations with ConfigMaps and Secrets
- Passing Environment Data with ConfigMaps and Secrets
Decouple configurations with ConfigMaps and Secrets
A ConfigMap is a Kubernetes object that decouples configuration data from pod definitions. Kubernetes Secrets are similar, but are designed to decouple sensitive information.
Separating configuration and secrets from your application promotes better organization and security in your Kubernetes environment. It also lets you share the same configuration, and different secrets, across multiple pods and deployments, which simplifies scaling and management. Using ConfigMaps and Secrets in Kubernetes is a best practice that helps improve the scalability, security, and maintainability of your cluster.
By the end of this tutorial, you'll have added a Kubernetes ConfigMap and Secret to the Azure Voting deployment.
Passing Environment Data with ConfigMaps and Secrets
📝 NOTE: If you don't have an AKS cluster deployed, please head over to Azure-Samples/azure-voting-app-rust, clone the repo, and follow the instructions in the README.md to execute the Azure deployment and set up your kubectl context. Check out the first post this week for more on the environment setup.
Create the ConfigMap
ConfigMaps can be consumed in one of two ways: as environment variables or as mounted volumes.
For this tutorial you'll use a ConfigMap to create three environment variables inside the pod: DATABASE_SERVER, FIRST_VALUE, and SECOND_VALUE. DATABASE_SERVER provides part of the connection string to the Postgres database. FIRST_VALUE and SECOND_VALUE are configuration options that change which voting options the application presents to users.
Follow the below steps to create a new ConfigMap:
Create a YAML file named 'config-map.yaml'. In this file, specify the environment variables for the application.
Create the config map in your Kubernetes cluster by running the following command:
kubectl create -f config-map.yaml
Create the Secret
deployment-app.yaml and deployment-db.yaml are the Kubernetes manifests that deploy the Azure Voting App. Currently, those deployment manifests contain the DATABASE_PASSWORD environment variable with its value stored as plain text. Your task is to replace that environment variable with a Kubernetes Secret.
Create the Secret by running the following commands. First, base64-encode the password:
echo -n "mypassword" | base64
Create a YAML file named secret.yaml. In this file, add POSTGRES_PASSWORD as the key and the encoded value returned above as the value in the data section.
Create the Secret in your Kubernetes cluster by running the following command:
kubectl create -f secret.yaml
[!WARNING] base64 encoding is a simple and widely supported way to obscure plaintext data, but it is not secure: it can be trivially decoded. If you want to store sensitive data such as a password, you should use a more secure method, like encrypting with a Key Management Service (KMS), before storing it in the Secret.
Modify the app deployment manifest
With the ConfigMap and Secret both created, the next step is to replace the environment variables provided in the application deployment manifest with the values stored in the ConfigMap and the Secret.
Complete the following steps to add the ConfigMap and Secret to the deployment manifest:
Open the Kubernetes manifest file deployment-app.yaml.
In the containers section, add an envFrom section that references the ConfigMap, and update the DATABASE_PASSWORD entry so that its value comes from the Secret.
envFrom exposes all the values within the ConfigMap as environment variables, so you don't have to list them individually.
Save the changes to the deployment manifest file.
Apply the changes to the deployment by running the following command:
kubectl apply -f deployment-app.yaml
Modify the database deployment manifest
Next, update the database deployment manifest and replace the plain text environment variable with the Kubernetes Secret.
To add the secret to the deployment, replace the env section with the following code:
- name: POSTGRES_PASSWORD
Apply the updated manifest.
kubectl apply -f deployment-db.yaml
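As an added example (not the original post's manifests, which are not reproduced here), the three files could look like this; the ConfigMap name azure-voting-config, the image, and the configuration values are assumptions, while the Secret name azure-voting-secret and the key names come from the tutorial:

```yaml
# config-map.yaml: the three environment variables the tutorial names.
# The ConfigMap name and the values are constructed placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: azure-voting-config
data:
  DATABASE_SERVER: "azure-voting-db"   # host part of the Postgres connection string
  FIRST_VALUE: "Option A"              # voting choices shown to users
  SECOND_VALUE: "Option B"
---
# secret.yaml: data values are base64-encoded, NOT encrypted.
# bXlwYXNzd29yZA== is the output of: echo -n "mypassword" | base64
# Anyone allowed to read this object can decode the password.
apiVersion: v1
kind: Secret
metadata:
  name: azure-voting-secret
type: Opaque
data:
  POSTGRES_PASSWORD: bXlwYXNzd29yZA==
---
# deployment-app.yaml: labels and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-voting-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-voting-app
  template:
    metadata:
      labels:
        app: azure-voting-app
    spec:
      containers:
        - name: azure-voting-app
          image: placeholder.example/azure-voting-app:latest
          envFrom:                        # every key in the ConfigMap becomes an env var
            - configMapRef:
                name: azure-voting-config
          env:
            - name: DATABASE_PASSWORD     # replaces the plain-text value
              valueFrom:
                secretKeyRef:
                  name: azure-voting-secret
                  key: POSTGRES_PASSWORD
```

The database deployment gets the same secretKeyRef block under the POSTGRES_PASSWORD entry of its env section. After applying all three files, compare the output of kubectl exec <pod-name> -- printenv against the keys in the ConfigMap to confirm the wiring.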
Verify the ConfigMap and output environment variables
Verify that the ConfigMap was added to your deployment by running the following command:
kubectl describe deployment azure-voting-app
Browse the output until you find the envFrom section with the ConfigMap reference.
You can also verify that the environment variables from the ConfigMap are being passed to the container by running the command kubectl exec -it <pod-name> -- printenv. This command shows all the environment variables passed to the pod, including those from the ConfigMap.
By following these steps, you will have successfully added a config map to the Azure Voting App Kubernetes deployment, and the environment variables defined in the config map will be passed to the container running in the pod.
Verify the Secret and describe the deployment
Once the secret has been created you can verify it exists by running the following command:
kubectl get secrets
You can view additional information, such as labels, annotations, type, and the data keys, by running kubectl describe:
kubectl describe secret azure-voting-secret
By default, the describe command doesn't output the encoded values, but if you output the results as JSON or YAML you'll see the secret's base64-encoded value.
kubectl get secret azure-voting-secret -o json
In conclusion, using ConfigMaps and Secrets in Kubernetes can help to improve the scalability, security, and maintainability of your cluster. By decoupling configuration data and sensitive information from pod definitions, you can promote better organization and security in your Kubernetes environment. Additionally, separating these elements allows for sharing the same configuration and different secrets across multiple pods and deployments, simplifying scaling and management.
Enroll in the Cloud Skills Challenge!
Don't miss out on this opportunity to level up your skills and stay ahead of the curve in the world of cloud native.