Kubernetes, apps access configuration and secrets
This post is very short, but it is critical to understand how configuration files and values are consumed in a Kubernetes environment. To simplify the explanations I have created screenshots of the YAML files I used.
Once the app is deployed and running in the cluster, it may need to connect to databases and other services that require credentials, such as a user name, a password, or a secret token. This post addresses the best way to create and pass external configuration and credentials in Kubernetes.
Secrets and ConfigMap
A Secret in Kubernetes holds sensitive data, and a ConfigMap holds regular configuration data. Information from each can be passed to the application in the pod in two different ways.
1. Individual values using environment variables
The ConfigMap above describes the service we want to connect to, which is straightforward.
The Secret YAML file is also simple, but pay attention: both the user name and the password must be Base64 encoded; you won’t want to use plain text. As for the secret type, Kubernetes has several built-in secret types, such as client-server TLS, SSH authentication, token, and more; in this example I’m using Opaque, which is arbitrary user-defined data. Once the ConfigMap and Secret YAML are ready, you need to apply them and create a deployment that uses them, see the example below:
You can see in the screenshot below that the deployment contains an env section with three names: MYSQL_USER, MYSQL_PWD and MYSQL_SERVER. Each one references the ConfigMap or Secret above for the right variable value, and the reference is indicated by the valueFrom key. Remember that the ConfigMap and Secret YAMLs must be applied before the deployment that uses them.
2. Configuration files using volumes
Think of a scenario in which your configuration is not based on individual user/password values. Often an application uses configuration files instead of values, and you may want to pass your application a configuration file that contains some credentials as well. Passing values as above is not an option in that case. The question is how to create a configuration file and pass it to the pod configuration. We can continue using ConfigMap and Secret files, but holding whole files instead of just key-value pairs.
As you see below, instead of defining values I have created a mysql.conf file with the app config, which you can insert inline once you use the pipe (|) in YAML. You can create more .conf files if needed.
As for the secret file, you should also Base64 encode the file you want to use and add it to the secret.file entry.
You may ask yourself how volumes come into this and how they are used. Volumes are defined at the pod level (these ones are not persistent), and the mount location is what gives the container access to the config and secret files; you can see this in the deployment file below (see volumes and volumeMounts and how they reference each other).
As for permissions, you can make the files read-only, for example: mountPath is a folder that hosts the file, and all you need to do is add readOnly: true to the mount.
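Since the post's YAML exists only as screenshots, here is an added example (not the author's files) that covers both sections: a ConfigMap and an Opaque Secret consumed once as individual env values through valueFrom, and once as whole files through read-only volume mounts. The resource names (mysql-config, mysql-secret), the myapp image and all values are constructed for illustration.

```yaml
# Added example, not from the post; names, image and values are constructed.
apiVersion: v1
kind: ConfigMap
metadata: {name: mysql-config}
data:
  MYSQL_SERVER: mysql.default.svc.cluster.local   # plain key/value for env use
  mysql.conf: |                                   # whole file via the YAML pipe
    [client]
    host=mysql.default.svc.cluster.local
    port=3306
---
apiVersion: v1
kind: Secret
metadata: {name: mysql-secret}
type: Opaque
data:                                  # values must be base64 (constructed samples)
  MYSQL_USER: YXBwdXNlcg==             # "appuser"
  MYSQL_PWD: czNjcmV0                  # "s3cret"
  secret.file: dG9rZW49YWJjMTIzCg==    # "token=abc123\n", a whole credentials file
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: myapp}
spec:
  replicas: 1
  selector: {matchLabels: {app: myapp}}
  template:
    metadata: {labels: {app: myapp}}
    spec:
      containers:
      - name: myapp
        image: myapp:1.0               # placeholder image
        env:                           # 1. individual values via valueFrom
        - name: MYSQL_SERVER
          valueFrom: {configMapKeyRef: {name: mysql-config, key: MYSQL_SERVER}}
        - name: MYSQL_USER
          valueFrom: {secretKeyRef: {name: mysql-secret, key: MYSQL_USER}}
        - name: MYSQL_PWD
          valueFrom: {secretKeyRef: {name: mysql-secret, key: MYSQL_PWD}}
        volumeMounts:                  # 2. whole files via volumes, read-only
        - {name: app-config, mountPath: /etc/myapp/conf, readOnly: true}
        - {name: app-secret, mountPath: /etc/myapp/secret, readOnly: true}
      volumes:
      - name: app-config               # only mysql.conf lands in /etc/myapp/conf/
        configMap: {name: mysql-config, items: [{key: mysql.conf, path: mysql.conf}]}
      - name: app-secret               # only secret.file lands in /etc/myapp/secret/
        secret: {secretName: mysql-secret, items: [{key: secret.file, path: secret.file}]}
```

Apply the whole file with `kubectl apply -f`; the documents are ordered so the ConfigMap and Secret exist before the Deployment that references them. Base64 is only an encoding, not encryption, so keep the Secret manifest out of source control or encrypt it at rest.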