Chapter 6: Managing Configuration with ConfigMaps and Secrets

Leave a reply

What Are ConfigMaps and Secrets?

ConfigMaps

A ConfigMap is a Kubernetes object used to store non-sensitive configuration data as key-value pairs. It allows separating configuration from application code.

Use Case Examples:

  • Environment variables.
  • Command-line arguments.
  • Configuration files.

Secrets

A Secret is similar to a ConfigMap but is designed to store sensitive data such as passwords, tokens, and keys. Secrets encrypt data at rest and control access better.

Use Case Examples:

  • Database credentials.
  • API keys.
  • TLS certificates.

Why Use ConfigMaps and Secrets?

  1. Separation of Concerns: Decouple application configuration from code.
  2. Dynamic Updates: Modify configurations without redeploying the application.
  3. Security: Store and manage sensitive information securely (Secrets).

Creating and Using ConfigMaps

Step 1: Create a ConfigMap

Using a YAML File

Save the following as configmap-example.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: production
  APP_DEBUG: "false"
  LOG_LEVEL: info

Apply the ConfigMap:

kubectl apply -f configmap-example.yaml

Using kubectl Directly

kubectl create configmap app-config \
  --from-literal=APP_ENV=production \
  --from-literal=APP_DEBUG=false

Step 2: Use a ConfigMap in a Pod

Update your Deployment YAML to use the ConfigMap (deployment-with-configmap.yaml):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        env:
        - name: APP_ENV
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: APP_ENV
        - name: APP_DEBUG
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: APP_DEBUG

Apply the Deployment:

kubectl apply -f deployment-with-configmap.yaml

Verify ConfigMap Usage

1. Get the Pod name:

    kubectl get pods

    2. Inspect the environment variables:

    kubectl exec <pod-name> -- env

    Creating and Using Secrets

    Step 1: Create a Secret

    Using a YAML File

    Save this as secret-example.yaml:

    apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: cG9zdGdyZXM=  # Base64 encoded "postgres"
  password: cGFzc3dvcmQ=  # Base64 encoded "password"

    Apply the Secret:

    kubectl apply -f secret-example.yaml

    Using kubectl Directly

    kubectl create secret generic db-credentials \
  --from-literal=username=postgres \
  --from-literal=password=password\

    Step 2: Use a Secret in a Pod

    Update your Deployment YAML to use the Secret (deployment-with-secret.yaml):

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password

    Apply the Deployment:

    kubectl apply -f deployment-with-secret.yaml

    Verify Secret Usage

    Inspect the environment variables:

    kubectl exec <pod-name> -- env

    Mounting ConfigMaps and Secrets as Files

    Mount a ConfigMap as a Volume

    Update your Deployment YAML (configmap-volume-example.yaml):

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        volumeMounts:
        - name: config-volume
          mountPath: "/etc/config"
      volumes:
      - name: config-volume
        configMap:
          name: app-config

    Apply the Deployment:

    kubectl apply -f configmap-volume-example.yaml

    Access the mounted ConfigMap:

    kubectl exec <pod-name> -- cat /etc/config/APP_ENV

    Mount a Secret as a Volume

    Update your Deployment YAML (secret-volume-example.yaml):

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        volumeMounts:
        - name: secret-volume
          mountPath: "/etc/secrets"
      volumes:
      - name: secret-volume
        secret:
          secretName: db-credentials

    Apply the Deployment:

    kubectl apply -f secret-volume-example.yaml

    Access the mounted Secret:

    kubectl exec <pod-name> -- cat /etc/secrets/username

    Best Practices

    1. Use Secrets for Sensitive Data: Never store sensitive data in ConfigMaps.
    2. Encrypt Secrets: Enable encryption at rest in the Kubernetes cluster.
    3. Restrict Access: Use Role-Based Access Control (RBAC) to limit access to ConfigMaps and Secrets.
    4. Version Control ConfigMaps: Track changes using tools like GitOps.

    Monitoring and Troubleshooting

    Check Existing ConfigMaps and Secrets

    kubectl get configmaps
kubectl get secrets

    Inspect Contents (Non-sensitive Data)

    kubectl describe configmap app-config
kubectl describe secret db-credentials

    Decode Secret Data

    kubectl get secret db-credentials -o yaml | grep password | awk '{print $2}' | base64 --decode

    Conclusion

    By mastering ConfigMaps and Secrets, you’ve learned:

    1. How to manage configurations and sensitive data.
    2. Dynamic configuration updates for applications.
    3. Secure handling of sensitive information.

    Leave a Reply