[Cloud Native Kubernetes] Configuration Management - Secret & ConfigMap




1. Secret: the confidential configuration abstraction

A Secret is an object that holds a small amount of sensitive information such as a password, token, or key. Such information could otherwise be placed in the Pod specification or baked into the image. Using a Secret means you do not need to include confidential data in your application code. Because Secrets can be created independently of the Pods that use them, there is less risk of exposing a Secret and its data in the workflow of creating, viewing, and editing Pods.

1. Get to know Secret

Secrets are used to hold encrypted data: they are stored in etcd and made available to a Pod's containers by mounting a Volume. In general the stored data is not plaintext but has been encoded or encrypted; the common base64, for example, is an encoding method.

Plaintext: data that can be read and understood directly.

Encoding the string 'majinjian' with base64 gives the following:

[root@master ~]# echo -n 'majinjian' | base64
bWFqaW5qaWFu
[root@master ~]# 

2. Use of Secret

(1) Create Secret encrypted data

First run vi secret.yaml to create the Secret definition (a .yaml file) and enter the following:

apiVersion: v1
kind: Secret
metadata: 
  name: mysecret
type: Opaque
data: 
  username: cm9vdA==
  password: cXdlcnR5dWlvcDE5OTkuLg==

Once the file is saved, apply it:

[root@master ~]# kubectl apply -f secret.yaml 

Now list the Secrets; mysecret has been created successfully.

(2) Mount the Secret to the pod container as a variable

Run vi secret-val.yaml to create a new file secret-val.yaml and enter the following:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

Here valueFrom injects the value as an environment variable, and secretKeyRef points at the mysecret we created in the previous step.

Once the file is saved, apply it:

[root@master ~]# kubectl apply -f secret-val.yaml 

Now check the Pod on the node and wait until mypod is in the Running state.

Finally, enter the container to confirm that the variables carry the values we mounted:

[root@master ~]# kubectl exec -it mypod bash

Use echo $VARIABLE_NAME (e.g. echo $SECRET_USERNAME) to view the stored variable value.
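As an added check (example code written for this page, not from the original post), the mysecret manifest above is reproduced inline and its data values are base64-decoded. Because base64 is an encoding rather than encryption, anyone allowed to read the Secret object, its manifest, or etcd recovers the plaintext without any key, which is why read access to Secrets should be restricted with RBAC and etcd encryption at rest should be enabled. The small parser only handles the flat manifests shown on this page.

```python
import base64

# Constructed copy of the mysecret manifest from this page (not read from a cluster).
SECRET_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: cm9vdA==
  password: cXdlcnR5dWlvcDE5OTkuLg==
"""


def parse_data_block(manifest: str) -> dict:
    """Return the key/value pairs listed under the top-level 'data:' key.

    Minimal parser for the flat manifests on this page; it is not a YAML library.
    """
    values = {}
    in_data = False
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            # A new top-level key: only lines indented under 'data:' count.
            in_data = line.rstrip() == "data:"
            continue
        if in_data and ":" in line:
            key, _, value = line.strip().partition(":")
            values[key.strip()] = value.strip()
    return values


def decode_secret(manifest: str) -> dict:
    """base64-decode every value in the Secret's data block.

    No key is involved: whoever can read the manifest reads the credentials.
    """
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in parse_data_block(manifest).items()
    }


if __name__ == "__main__":
    for key, plaintext in decode_secret(SECRET_MANIFEST).items():
        print(f"{key}: {plaintext}")
```

The same recovery is what `kubectl get secret mysecret -o yaml` followed by `base64 -d` gives any principal with get access to the Secret.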

2. ConfigMap: the configuration abstraction

A ConfigMap is an API object used to store non-confidential data as key-value pairs. Pods can consume it as environment variables, command-line arguments, or configuration files in a volume. A ConfigMap separates environment-specific configuration from the container image, which makes application configuration easy to change. But a ConfigMap provides no confidentiality or encryption.

1. Get to know ConfigMap

ConfigMap is similar to Secret; the difference is that a Secret stores encrypted data while a ConfigMap stores unencrypted data, and the way it is stored and used is basically the same as for Secret.

2. Use of ConfigMap

Tip: delete the Secret and Pod created earlier before proceeding, to keep the two exercises distinct.

[root@master ~]# kubectl delete secret --all
[root@master ~]# kubectl delete Pod --all

(1) Create a configuration file

Create the properties file with vi redis.properties and enter the following:

redis.host=127.0.0.1
redis.port=6379
redis.password=123456

(2) Create ConfigMap

[root@master ~]# kubectl create configmap redis-config --from-file=redis.properties 
configmap/redis-config created
[root@master ~]# 

Now list the ConfigMaps (cm is the abbreviation); redis-config has been created successfully.

(3) Mount the ConfigMap to the pod container as a variable

Run vi myconfig.yaml to create the configuration file myconfig.yaml and enter the following:

apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello

Once the file is saved, apply it:

[root@master ~]# kubectl apply -f myconfig.yaml 
configmap/myconfig created

List the ConfigMaps again; myconfig has also been created successfully.

Run vi config-var.yaml to create the mount file config-var.yaml and enter the following:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: busybox
      image: busybox
      command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
      env:
        - name: LEVEL
          valueFrom:
            configMapKeyRef:
              name: myconfig
              key: special.level
        - name: TYPE
          valueFrom:
            configMapKeyRef:
              name: myconfig
              key: special.type
  restartPolicy: Never

Once the file is saved, apply it:

[root@master ~]# kubectl apply -f config-var.yaml 
pod/mypod created

The simplest check is the container log: it prints 'info hello', which shows the mount is complete.

[root@master ~]# kubectl logs mypod
info hello
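Because a ConfigMap offers no confidentiality, the redis.password=123456 line in redis.properties above belongs in a Secret rather than next to the host and port. The following added example (written for this page, not from the original post) splits such a properties file into a per-key ConfigMap and a Secret, base64-encoding the Secret values as the data field requires; the key-name heuristic is a hypothetical one, and the per-key layout differs from the single-file key that --from-file produces.

```python
import base64
import re

# Constructed copy of the redis.properties file from this page.
REDIS_PROPERTIES = """\
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
"""

# Hypothetical heuristic: key names that usually carry credentials.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api_?key|private_?key", re.IGNORECASE)


def parse_properties(text: str) -> dict:
    """Parse simple key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_config(text: str) -> tuple:
    """Return (configmap_data, secret_data): credential-like keys go to the Secret."""
    public, sensitive = {}, {}
    for key, value in parse_properties(text).items():
        if SENSITIVE_KEY.search(key):
            sensitive[key] = value
        else:
            public[key] = value
    return public, sensitive


def render_manifest(kind: str, name: str, data: dict) -> str:
    """Render a ConfigMap or Secret manifest; Secret 'data' values must be base64."""
    lines = ["apiVersion: v1", f"kind: {kind}", "metadata:", f"  name: {name}"]
    if kind == "Secret":
        lines.append("type: Opaque")
    lines.append("data:")
    for key, value in sorted(data.items()):
        if kind == "Secret":
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        lines.append(f"  {key}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    public, sensitive = split_config(REDIS_PROPERTIES)
    print(render_manifest("ConfigMap", "redis-config", public))
    print(render_manifest("Secret", "redis-secret", sensitive))
```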


Source: blog.csdn.net/weixin_53072519/article/details/127077819