Configuring ConfigMaps and Secrets
Introduction
This tutorial will guide you through the process of configuring ConfigMaps and Secrets in Kubernetes. ConfigMaps allow you to decouple configuration artifacts from image content to keep applications portable. Secrets are designed to store sensitive information, such as passwords, OAuth tokens, and SSH keys. Understanding how to create and manage these resources is critical for the Certified Kubernetes Administrator (CKA) exam. This tutorial assumes you have a running Kubernetes cluster and kubectl configured.
Task 1: Creating a ConfigMap
ConfigMaps can be created from literal values or files, or they can be generated. Let’s start by creating a ConfigMap from literal values.
- Create a ConfigMap named `game-config` with two key-value pairs: `player_initial_lives=3` and `ui_properties_file_name=user-interface.properties`.

```bash
kubectl create configmap game-config --from-literal=player_initial_lives=3 --from-literal=ui_properties_file_name=user-interface.properties
```

Use descriptive names for your ConfigMaps to make them easily identifiable.

- Verify the ConfigMap was created successfully.

```bash
kubectl get configmap game-config -o yaml
```

- Expected output:

```yaml
apiVersion: v1
data:
  player_initial_lives: "3"
  ui_properties_file_name: user-interface.properties
kind: ConfigMap
metadata:
  creationTimestamp: "2024-07-26T10:00:00Z"
  name: game-config
  namespace: default
  resourceVersion: "123"
  uid: a1b2c3d4-e5f6-7890-1234-567890abcdef
```
Task 2: Using a ConfigMap in a Pod
Now, let’s consume the ConfigMap in a Pod. We’ll inject the ConfigMap values as environment variables.
- Create a pod definition file named `pod-with-configmap.yaml`:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: game-pod
spec:
  containers:
  - name: game-container
    image: busybox:latest
    # envFrom names each variable exactly after its ConfigMap key, so the keys are referenced in lowercase.
    command: ['sh', '-c', 'echo Player lives: $(player_initial_lives) && echo UI file: $(ui_properties_file_name) && sleep 3600']
    envFrom:
    - configMapRef:
        name: game-config
  restartPolicy: Never
```

Always define a `restartPolicy` for your Pods. `Never` is suitable for one-off tasks, while `Always` or `OnFailure` are more appropriate for long-running applications.

- Create the Pod:

```bash
kubectl apply -f pod-with-configmap.yaml
```

- Check the Pod’s logs:

```bash
kubectl logs game-pod
```

- Expected output:

```text
Player lives: 3
UI file: user-interface.properties
```
Task 3: Creating a Secret
Secrets are used to store sensitive information. Let’s create a Secret to store a database password.
- Create a Secret named `db-secret` with a key named `db_password`.

```bash
kubectl create secret generic db-secret --from-literal=db_password=SuperSecretPassword
```

Kubernetes Secrets are base64 encoded, not encrypted by default. Consider using encryption at rest for enhanced security.

- Verify the Secret was created successfully.

```bash
kubectl get secret db-secret -o yaml
```

- Expected output (the actual value will be base64 encoded):

```yaml
apiVersion: v1
data:
  db_password: U3VwZXJTZWNyZXRQYXNzd29yZA==
kind: Secret
metadata:
  creationTimestamp: "2024-07-26T10:10:00Z"
  name: db-secret
  namespace: default
  resourceVersion: "456"
  uid: b2c3d4e5-f6a7-8901-2345-678901abcdef
type: Opaque
```
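The note in Task 3 about base64 versus encryption can be checked directly. The script below is an added example, not part of the original tutorial: it decodes the `data` block of a Secret manifest and classifies a raw etcd value by the `k8s:enc:<provider>:` prefix that kube-apiserver writes when an encryption provider is active. The function names, the etcd key path in the comment and the sample inputs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; the manifest and etcd values used here are constructed samples.

# Decode every entry under "data:" in a Secret manifest shaped like the
# `kubectl get secret db-secret -o yaml` output. Prints key=plaintext lines.
decode_secret_data() {
  awk '
    /^data:/           { in_data = 1; next }  # entering the data block
    /^[^ ]/            { in_data = 0 }        # next top-level key ends it
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key value; do
    # base64 needs no key: read access to the object is access to the value.
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

# Classify the raw etcd value of a Secret read on stdin (assumed source:
# etcdctl get /registry/secrets/default/db-secret --print-value-only).
# kube-apiserver prefixes provider-encrypted values with k8s:enc:<provider>:
etcd_value_state() {
  # NUL bytes cannot be held in a shell variable, so drop them first.
  prefix=$(head -c 32 | tr -d '\000')
  case "$prefix" in
    k8s:enc:*) echo "encrypted:$(printf '%s' "$prefix" | cut -d: -f3)" ;;
    *)         echo "plaintext" ;;
  esac
}

# Constructed sample: the data block from the Task 3 expected output.
SAMPLE_MANIFEST='apiVersion: v1
data:
  db_password: U3VwZXJTZWNyZXRQYXNzd29yZA==
kind: Secret
type: Opaque'

printf '%s\n' "$SAMPLE_MANIFEST" | decode_secret_data
# Constructed etcd values: one written without, one with an aescbc provider.
printf 'k8s\000\n\014\n\002v1\022\006Secret' | etcd_value_state
printf 'k8s:enc:aescbc:v1:key1:\001\002\003' | etcd_value_state
```

Encryption at rest only changes what is stored in etcd; `kubectl get secret -o yaml` still returns base64 to anyone allowed to read the object, so RBAC on Secrets matters either way. Secrets written before encryption was enabled stay in their old form until they are rewritten.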
Task 4: Using a Secret in a Pod
Now, let’s consume the Secret in a Pod. We’ll inject the secret value as an environment variable.
- Create a pod definition file named `pod-with-secret.yaml`:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: db-pod
spec:
  containers:
  - name: db-container
    image: busybox:latest
    # Demonstration only: this command writes the secret value to the Pod log.
    command: ['sh', '-c', 'echo DB Password: $(DB_PASSWORD) && sleep 3600']
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: db_password
  restartPolicy: Never
```

- Create the Pod:

```bash
kubectl apply -f pod-with-secret.yaml
```

- Check the Pod’s logs:

```bash
kubectl logs db-pod
```

- Expected output:

```text
DB Password: SuperSecretPassword
```
Task 5: Updating a ConfigMap
ConfigMaps can be updated, and Pods can be configured to automatically receive these updates. Let’s update our game-config ConfigMap.
- Update the `player_initial_lives` value to `5`.

```bash
kubectl create configmap game-config --from-literal=player_initial_lives=5 --from-literal=ui_properties_file_name=user-interface.properties -o yaml --dry-run=client | kubectl apply -f -
```

`kubectl apply` is generally the best practice for production environments because it does server-side diffing; however, `kubectl edit configmap game-config` is another valid alternative.

- Verify the ConfigMap was updated.

```bash
kubectl get configmap game-config -o yaml
```

- Expected output:

```yaml
apiVersion: v1
data:
  player_initial_lives: "5"
  ui_properties_file_name: user-interface.properties
kind: ConfigMap
metadata:
  creationTimestamp: "2024-07-26T10:00:00Z"
  name: game-config
  namespace: default
  resourceVersion: "789"
  uid: a1b2c3d4-e5f6-7890-1234-567890abcdef
```

- Delete and recreate the `game-pod` pod to observe the changes (in a real-world scenario, you’d likely use a Deployment with rolling updates).

```bash
kubectl delete pod game-pod
kubectl apply -f pod-with-configmap.yaml
```

- Check the Pod’s logs again:

```bash
kubectl logs game-pod
```

- Expected output:

```text
Player lives: 5
UI file: user-interface.properties
```
Conclusion
In this tutorial, you learned how to create and use ConfigMaps and Secrets in Kubernetes. You created ConfigMaps from literal values, injected them into Pods as environment variables, created Secrets to store sensitive data, and updated a ConfigMap. This knowledge is crucial for managing application configuration and sensitive information securely in Kubernetes and is essential for the CKA exam.