kubernetes configuration

Environment variables

---
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: docker-registry
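spec:
  replicas: 1
  # apps/v1 requires a selector that matches the template labels
  selector:
    matchLabels:
      app: registry
  template: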
    metadata:
      labels:
        app: registry
    spec:
      containers:
        - name: registry
          image: registry:2
          env:
            - name: REGISTRY_HTTP_DEBUG_ADDR
              value: "localhost:9090"
            - name: REGISTRY_HEALTH_HTTP_TRESHOLD
              value: "5"
            - name: ENV_COLOR
              value: "blue"
            - name: COLORED_HOSTNAME
              value: "$(ENV_COLOR)_$(HOSTNAME)"
Considerations when using environment variables

- you must build a descriptor for each environment
- descriptors should be part of the source code (everything as code)

ConfigMaps

k8s can decouple an application from its configuration with the `ConfigMap` resource type.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ma-premiere-config-map
data:
  ma.property.1: hello
  ma.property.2: world
  mon-fichier-de-properties: |-
    property.1=value-1
    property.2=value-2
    property.3=value-3
# create ConfigMap from literal values
kubectl create configmap special-config \
      --from-literal=special.how=very \
      --from-literal=special.type=charm
 
# create from folder
kubectl create configmap game-config --from-file=configs/
 
# display result
kubectl get configmaps game-config -o yaml
---
# use configmap as env variables
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: debian:10-slim
      command: [ "bash" , "-c" , "env" ]
      env:
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              name: special-config
              key: special.how
---
# all keys from a ConfigMap
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: debian:10-slim
      command: [ "bash" , "-c" , "env" ]
      envFrom:
        - configMapRef:
            name: special-config
---
# create a volume from a ConfigMap
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  volumes:
    - name: config-volume
      configMap:
        name: game-config
  containers:
    - name: test-container
      image: debian:10-slim
      command: [ "bash" , "-c" , "ls /etc/config/" ]
      volumeMounts:
        - name: config-volume
          mountPath: /etc/config
Considerations when using ConfigMaps

- you must create a `ConfigMap` __BEFORE__ referencing it from a [[kubernetes pod]]
  - if a [[kubernetes pod]] references a non-existent `ConfigMap`, the [[kubernetes pod]] will be created but the container will be in error
  - the same applies to a non-existent key
- a `ConfigMap` is only usable in the [[kubernetes namespace]] it was created in
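
A pre-deploy check for the rules above, as an added example that is not part of the original notes: it takes manifests as Python dicts (for instance parsed from `kubectl get -o json`) and reports ConfigMap references that would leave a container in error. The `staging` namespace, the `special.level` key and the function names are assumptions made for the illustration.

```python
def _ns(obj):
    # Objects without metadata.namespace are created in "default".
    return obj["metadata"].get("namespace", "default")

def lint_configmap_refs(manifests):
    """Return sorted problems for Pods whose ConfigMap references do not resolve."""
    # (namespace, name) -> keys defined by that ConfigMap
    known = {(_ns(m), m["metadata"]["name"]): set(m.get("data", {}))
             for m in manifests if m["kind"] == "ConfigMap"}
    problems = []
    for pod in (m for m in manifests if m["kind"] == "Pod"):
        ns, refs = _ns(pod), []          # refs: (ConfigMap name, key or None)
        for vol in pod["spec"].get("volumes", []):
            if "configMap" in vol:
                refs.append((vol["configMap"]["name"], None))
        for ctr in pod["spec"]["containers"]:
            for src in ctr.get("envFrom", []):
                if "configMapRef" in src:
                    refs.append((src["configMapRef"]["name"], None))
            for var in ctr.get("env", []):
                ref = var.get("valueFrom", {}).get("configMapKeyRef")
                if ref and not ref.get("optional"):
                    refs.append((ref["name"], ref["key"]))
        for name, key in refs:
            where = f"pod {ns}/{pod['metadata']['name']}"
            if (ns, name) not in known:
                problems.append(f"{where}: ConfigMap {name} not found in namespace {ns}")
            elif key is not None and key not in known[(ns, name)]:
                problems.append(f"{where}: key {key} not in ConfigMap {name}")
    return sorted(problems)

# Constructed sample: names follow the page; the "staging" namespace and the
# special.level key are made up to trigger both failure modes.
SAMPLE = [
    {"kind": "ConfigMap", "metadata": {"name": "special-config"},
     "data": {"special.how": "very", "special.type": "charm"}},
    {"kind": "ConfigMap", "metadata": {"name": "game-config", "namespace": "staging"},
     "data": {"game.properties": "lives=3"}},
    {"kind": "Pod", "metadata": {"name": "dapi-test-pod"}, "spec": {
        "volumes": [{"name": "config-volume", "configMap": {"name": "game-config"}}],
        "containers": [{"name": "test-container", "image": "debian:10-slim", "env": [
            {"name": "SPECIAL_LEVEL_KEY", "valueFrom": {"configMapKeyRef":
                {"name": "special-config", "key": "special.how"}}},
            {"name": "MISSING_KEY", "valueFrom": {"configMapKeyRef":
                {"name": "special-config", "key": "special.level"}}}]}]}},
]

if __name__ == "__main__":
    print("\n".join(lint_configmap_refs(SAMPLE)))
```

The check only covers `containers`; `initContainers` and Secret references follow the same rules and would need the same treatment.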

Secrets

- store sensitive information like passwords, OAuth tokens, certificates, SSH keys
- Secrets are kind of like customized ConfigMaps

Store secrets

You can either base64-encode the values yourself (`data`) or let k8s do it for you (`stringData`):

$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  username: admin
  password: 1f2d1e2e67df
$ # to view a secret
$ kubectl get secret mysecret -o yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
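
The two ways of writing `mysecret` side by side, as an added example that is not part of the original notes: it shows that `stringData` ends up as the same base64 `data`, that base64 is an encoding and not encryption (anyone who can read the manifest or run `kubectl get secret` recovers the values), and why the page uses `echo -n`. The function names and the `BROKEN` manifest are assumptions made for the illustration.

```python
import base64
import binascii

def effective_data(secret):
    """Merge stringData into data as the API server does (stringData wins on a clash)."""
    data = dict(secret.get("data") or {})
    for key, value in (secret.get("stringData") or {}).items():
        data[key] = base64.b64encode(value.encode()).decode()
    return data

def check_secret(secret):
    """Return (decoded values, warnings) for a Secret manifest given as a dict."""
    decoded, warnings = {}, []
    for key, b64 in effective_data(secret).items():
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            warnings.append(f"{key}: value is not valid base64")
            continue
        decoded[key] = raw
        if raw.endswith(b"\n"):
            warnings.append(f"{key}: trailing newline, was it encoded without `echo -n`?")
    return decoded, warnings

# The two manifests from the page, written as dicts.
AS_DATA = {"kind": "Secret", "metadata": {"name": "mysecret"}, "type": "Opaque",
           "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}}
AS_STRING_DATA = {"kind": "Secret", "metadata": {"name": "mysecret"}, "type": "Opaque",
                  "stringData": {"username": "admin", "password": "1f2d1e2e67df"}}
# Constructed bad input: `echo "admin" | base64` (no -n) and a raw, unencoded value.
BROKEN = {"kind": "Secret", "metadata": {"name": "broken"}, "type": "Opaque",
          "data": {"username": "YWRtaW4K", "password": "1f2d1e2e67df!"}}

if __name__ == "__main__":
    for manifest in (AS_DATA, AS_STRING_DATA, BROKEN):
        print(manifest["metadata"]["name"], *check_secret(manifest))
```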

Using a Secret to create files

---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  volumes:
    - name: foo
      secret:
        secretName: mysecret
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true

Using a Secret to set an environment variable

---
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

Using a Secret to fetch an image from a private registry

---
apiVersion: v1
kind: Secret
metadata:
  name: my-docker-creds-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJodHRwczovL2luZG54L ... J0QUl6RTIifX0=
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-private-image
spec:
  containers:
    - name: mycontainer
      image: registry.internal.company.com/my-secret-image
  imagePullSecrets:
    - name: my-docker-creds-secret

Using a Secret to expose an Ingress in HTTPS

---
apiVersion: v1
kind: Secret
metadata:
  name: testsecret-tls
type: kubernetes.io/tls
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
    - hosts:
      - https-example.foo.com
      secretName: testsecret-tls
  rules:
    - host: https-example.foo.com
      ...