Exploring ConfigMaps and Secrets in Kubernetes: A Hands-On Guide to Managing Configuration and Sensitive Data
In the world of Kubernetes, managing configuration data and sensitive information is crucial for running applications effectively and securely. ConfigMaps and Secrets are two essential Kubernetes resources that provide solutions for handling configuration and secret management. In this hands-on project article, we will delve into the world of ConfigMaps and Secrets, exploring their concepts, use cases, and practical implementation.
First, we will understand what ConfigMaps are and how they enable us to decouple configuration settings from application code. ConfigMaps provide a way to store non-sensitive configuration data such as environment variables, command-line arguments, and configuration files. We will learn how to create ConfigMaps using YAML or CLI commands and explore different ways to consume ConfigMaps in applications, such as mounting them as volumes or passing them as environment variables to pods.
Next, we will dive into Secrets, a powerful mechanism for securely managing sensitive information in Kubernetes. Secrets are specifically designed to store credentials, API keys, certificates, and other confidential data. We will learn how to create Secrets, both manually and by using Kubernetes manifests, and understand best practices for securing sensitive information. We will explore how Secrets can be used by applications, either as mounted files or as environment variables, ensuring secure access to essential resources.
Throughout this hands-on project, we will work on a practical use case that demonstrates the mastery of ConfigMaps and Secrets in a Kubernetes environment.
ConfigMaps and Secrets in Kubernetes are essential for managing configuration and sensitive data used by applications. Here's an overview of each, their importance, and an industry-level example:
ConfigMaps:
Definition: ConfigMaps are Kubernetes objects that store non-sensitive configuration data in key-value pairs. These can be used to configure applications, provide environment variables, or store configuration files.
Importance: ConfigMaps decouple configuration data from application code, making it easier to manage and update configurations without changing code. This is crucial in dynamic microservices environments where configurations may vary between services.
Industry-level Example:
Scenario: Imagine you work at a global e-commerce platform with multiple microservices. Each microservice requires different configurations, such as API endpoints, database URLs, and service-specific settings.
Usage: You create ConfigMaps for each microservice, specifying its unique configuration settings. When a microservice pod starts, it fetches its corresponding ConfigMap to obtain the required configuration. If a configuration change is needed, you update the ConfigMap without disrupting the running application. This flexibility simplifies configuration management in a complex, evolving platform.
Secrets:
Definition: Secrets are Kubernetes objects designed to store and manage sensitive information, such as API keys, database passwords, and TLS certificates. They are base64 encoded for protection.
Importance: Secrets provide a secure way to handle sensitive data by storing it separately from application code. This helps protect sensitive information from exposure and unauthorized access.
Industry-level Example:
Scenario: You're a DevOps engineer at a healthcare company that manages patient data. Security and compliance are paramount. You have a Kubernetes-based system with various microservices that require access to a patient database.
Usage: You create Secrets to store the database credentials securely. Microservices pods access these Secrets for authentication. The separation of Secrets from application code ensures that sensitive patient data remains protected and that access is limited to authorized services only. This is essential in healthcare, where patient data privacy is critical.
What are ConfigMaps and Secrets in k8s
ConfigMaps and Secrets are Kubernetes objects that are used to manage configuration data and sensitive information, respectively, in a Kubernetes cluster.
ConfigMaps:
ConfigMaps are used to store non-sensitive configuration data that can be consumed by applications running in a Kubernetes cluster.
They allow you to decouple configuration data from the application code, making it easier to manage and update configurations without modifying the application.
ConfigMaps can store key-value pairs or even entire configuration files.
Example: Suppose you have a microservices-based application running in a Kubernetes cluster. Each microservice requires specific configurations such as database connection strings, API endpoints, or feature flags. Instead of hard-coding these configurations in the application code, you can store them in ConfigMaps. This allows you to update the configurations independently without redeploying the application.
Secrets:
Secrets are used to store sensitive information such as passwords, API keys, TLS certificates, or any other confidential data that should not be exposed.
Secrets are stored in a base64-encoded format and are accessible to authorized applications and users within the cluster.
They provide a secure way to manage and distribute sensitive data to applications running in a Kubernetes cluster.
Example: Let's say you have a containerized application that requires access to a database. To securely provide the database credentials to the application, you can store them in a Secret. The application can then access the Secret to retrieve the database credentials at runtime. Secrets ensure that sensitive information remains encrypted and is only accessible to authorized entities within the Kubernetes cluster.
Using ConfigMaps and Secrets in Kubernetes allows you to separate configuration and sensitive data from your application code, promoting a more secure and flexible approach to managing configurations and secrets within the cluster.
To create the Secret, choose a password and convert it to base64 as shown in below example:
Task 1
Create a ConfigMap for your Deployment
Create a ConfigMap for your Deployment using a file or the command line
Create a namespace using this command:
kubectl create namespace django-todo-ns
Update the configMap.yml file
kind: ConfigMap
apiVersion: v1
metadata:
name: application-demo
namespace: django-todo-ns
data:
name: django-demo
application: django-todo
protocol: TCP
Update the deployment.yml file to include the ConfigMap
apiVersion: apps/v1
kind: Deployment
metadata:
name: django-todo-deployment
namespace: django-todo-ns
labels:
app: django-todo
spec:
replicas: 2
selector:
matchLabels:
app: django-todo
template:
metadata:
labels:
app: django-todo
spec:
containers:
- name: django-todo
image: nahid0002/django-todo-app:latest
ports:
- containerPort: 8000
env:
- name: application
valueFrom:
configMapKeyRef:
name: application-demo
key: application
Apply the updated deployment and configMap using the command
kubectl apply -f configMap.yml
kubectl apply -f deployment.yml
Verify that the ConfigMap has been created by checking the status of the ConfigMaps in your Namespace.
Use the describe command for a detailed view of the config map
kubectl get configmaps -n django-todo-ns
kubectl describe configmap application-demo -n django-todo-ns
Navigate inside the Pod and check the environment variable and the application for detailed status.
kubectl get pods -n django-todo-ns
Task 2
Create a Secret for your Deployment
Create a Secret for your Deployment using a file or the command line
Create a secret.yml file which includes the base64 encoded password.
apiVersion: v1
kind: Secret
metadata:
name: django-secret
namespace: django-todo-ns
type: Opaque
data:
password: RGV2b3BzRW50aHVzaWFzdAo=
To add the password in the above file you need to generate the base64 encoded password.
Apply the Secret to your Kubernetes cluster using the following command:
kubectl apply -f secret.yml -n django-todo-ns
Now, change the deployment.yml file to include the configuration of the secret in the deployment.
Now run the deployment file and check the status of the deployment and the secret.
kubectl apply -f deployment.yml -n django-todo-ns
Verify that the Secret has been created by checking the status of the Secrets in your Namespace.
kubectl get secret -n django-todo-ns
You can also use the following command to view the details of a specific Secret:
kubectl describe secret django-secret -n django-todo-ns
To see the key-value pairs of an environment variable in a ConfigMap inside a cluster or a pod.
You will have a solid understanding of ConfigMaps and Secrets in Kubernetes, along with hands-on experience in managing and using them effectively. You will be equipped with the knowledge to enhance the configurability and security of your applications running in Kubernetes clusters.
Thank you for reading this blog. If you found this blog helpful, please like, share, and follow me for more blog posts like this in the future.
— Happy Learning !!!