Day 19/40 Days of K8s: ConfigMap and Secret in Kubernetes !! ☸️

🤔 Need for ConfigMaps and Secrets in Kubernetes?

Let’s just say we have a web application that needs environment variables for configuration. However, managing these variables directly in multiple YAML manifests can become hard and repetitive process. Instead, using ConfigMaps and Secrets provides a standardized approach to store and reference identical environment variables across different manifests seamlessly.

❓How Both are different from each other in k8s?

ConfigMap: Stores the external configuration of the application in the form of key value pairs, inject them at the pod level using different methods.
Ex: non-sensitive data like application configuration.

Secret: Stores the secrets or sensitive data(passwords,tokens) ,inject them at the pod level using different methods.

💁 Scenario

Consider that we have a web application that uses a MongoDB database to store and retrieve data. To ensure proper communication between the web application and the MongoDB Pod, the web app needs specific configuration and credentials.

The ConfigMap will store general configuration data like USERNAME,APP_NAME, APP_ENV, MONGO_HOST and the Secret will store sensitive data like database credentials.

✴ TASK

Now, let's create ConfigMap,Secret,Pod to understand it better.....

1. Create the ConfigMap

Stores the external configuration of the application.

kubectl create configmap app-cm --from-literal=firstname=vivek --from-literal=lastname=manne

2. Create the Secret

Use this imperative command to create generic type of secret.

kubectl create secret generic app-secret --from-literal=username=vivi \
--from-literal=password=CKASeries2024

NOTE: By default k8s does the base64 encoding for secrets, anyone who has access to the encoded data can easily decode it but we need to ensure stricter access control,using additional security measures such as encrypting secrets at rest alongside external secret management solutions like Hashicorp vault integration with k8s secrets. 

Now, as you can see above that our secrets are base64 encoded.

3. Create the pod referencing configMap using attribute configMapKeyRef

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app.kubernetes.io/name: MyApp
spec:
  containers:
  - name: myapp-container
    image: busybox:1.28
    env:
    - name: FIRSTNAME 
      valueFrom:
          configMapKeyRef:
            name: app-cm
            key: firstname 
    - name: LASTNAME
      valueFrom:
          configMapKeyRef:
            name: app-cm
            key: lastname
    command: ['sh','-c', 'echo The application is running && sleep 3600']

4. Now, exec into the pod and look for env var

   

5. Now, add reference of secret using attribute SecretKeyRef to the pod

   Either Configure the existing pod forcefully or delete the pod and recreate once again

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp-pod
      labels:
        app.kubernetes.io/name: MyApp
    spec:
      containers:
      - name: myapp-container
        image: busybox:1.28
        env:
        - name: FIRSTNAME
          valueFrom:
              configMapKeyRef:
                name: app-cm
                key: firstname 
        - name: LASTNAME
          valueFrom:
              configMapKeyRef:
                name: app-cm
                key: lastname
        - name: USERNAME
          valueFrom:
              secretKeyRef:
                name: app-secret
                key: username
        - name: PASSWORD
          valueFrom:
              secretKeyRef:
                name: app-secret
                key: password
        command: ['sh','-c', 'echo The application is running && sleep 3600']
   

6. Now, exec into the pod again and look for env var of secretRef

   

✴ Different ways to reference configMap data into the pod

1. Reference env variables inside the pod using valueFrom,configMapKeyRef,secretKeyRef (As we covered this in the above example)

2. UseenvFromto define all of the ConfigMap's data as container environment variables.

3. Define the ConfigMap name under the volumes section and mount it inside the container at a specified mountPath

✅ Use envFrom to define all of the ConfigMap's data as container environment variables.

1. Create a Pod using this yaml, here we used configMapRef, secretRef attributes

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp-pod-1
      labels:
        app.kubernetes.io/name: MyApp
    spec:
      containers:
      - name: myapp-container
        image: busybox:1.28
        envFrom:
        - configMapRef:
              name: app-cm
        - secretRef:
              name: app-secret
        command: ['sh','-c', 'echo The application is running && sleep 3600']
   

   2. Now, exec into the pod and look for env variables

We referenced entire ConfigMap's and Secret's data as container environment variables. The key named firstname from the ConfigMap and key named password from Secret have become the environment variable names in the Pod.

✅ Define the ConfigMap name under the volumes section and mount it inside the container at a specified mountPath

1. Create a Pod using this yaml,

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp-pod-2
      labels:
        app.kubernetes.io/name: MyApp
    spec:
      containers:
      - name: myapp-container
        image: busybox:1.28
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
        - name: secret-volume
          mountPath: /etc/secret
        command: ['sh', '-c', 'echo The application is running && sleep 3600']
      volumes:
      - name: config-volume
        configMap:
          name: app-cm
      - name: secret-volume
        secret:
          secretName: app-secret
   

   2. Now, exec into the pod and look for env variables inside the container paths we set.

      

All of these methods provides a different way to utilize ConfigMaps,Secrets within the Pod, depending on our specific requirements.

#Kubernetes #ConfigMap #Secret #40DaysofKubernetes #CKASeries