Day-41-devops
Understanding ConfigMaps and Secrets in Kubernetes: A Comprehensive Guide
Experienced DevOps Engineer with expertise in CI/CD automation, cloud infrastructure, Kubernetes, and GitOps. Provisioned a Jenkins server on AWS EC2 for automated deployments, integrating Terraform to provision VPCs and EKS clusters. Configured a Jump Server for secure Kubernetes access and implemented ArgoCD for GitOps-driven deployments. Integrated SonarQube for static code analysis and enforced quality gates in Jenkins pipelines. Built AWS ECR repositories and automated Docker image management. Ensured security by managing secrets in Jenkins Credentials Manager and implementing IAM policies for AWS resources. Configured Kubernetes Ingress via ArgoCD and deployed MongoDB with persistence strategies. Designed multi-branch Jenkins pipelines for different environments. Installed Prometheus and Grafana for monitoring with automated alerts. Optimized costs using AWS CloudWatch and Lambda for unused resource cleanup. Ensured end-to-end automation, security, and observability.
TLDR: This blog post explores ConfigMaps and Secrets in Kubernetes, detailing their purposes, differences, and practical applications through a live demo. It explains how to create and use these resources to manage application configurations and sensitive data securely.
In this blog post, we will delve into two essential components of Kubernetes: ConfigMaps and Secrets. These resources play a crucial role in managing application configurations and sensitive data within Kubernetes clusters. We will explore their definitions, differences, and practical applications through a live demonstration.
| configmap | secret | |
| sensitive data | no | yes |
| eg | DB port | DB username and password |
| stored in | etcd | rest → encrypted data →stored to etcd |
| RBAC | no | yes →so only certain user will have access to etcd → eg: devops engineer |
What is a ConfigMap?
A ConfigMap in Kubernetes is a resource that allows you to store non-sensitive configuration data in key-value pairs. This data can be used by applications running in your Kubernetes pods. For instance, consider a backend application that interacts with a database. It requires various configuration details such as the database port, username, and connection type. Instead of hardcoding these values into the application, which can lead to issues if they change, you can store them in a ConfigMap.
Purpose of ConfigMaps
The primary purpose of a ConfigMap is to decouple configuration data from application code. This approach enhances flexibility and maintainability, allowing developers to change configurations without modifying the application itself. ConfigMaps can be referenced in pods as environment variables or mounted as files.
What is a Secret?
Secrets in Kubernetes serve a similar purpose to ConfigMaps but are specifically designed to handle sensitive information, such as passwords, OAuth tokens, and SSH keys. Storing sensitive data in plain text can pose security risks, especially if unauthorized users gain access to the Kubernetes API or etcd, the underlying data store for Kubernetes.
Purpose of Secrets
Secrets are encrypted at rest, meaning that even if someone accesses etcd, they will only see encrypted data. Kubernetes provides a mechanism to create and manage Secrets securely, ensuring that sensitive information is not exposed in plain text.
Key Differences Between ConfigMaps and Secrets
Data Sensitivity: ConfigMaps are used for non-sensitive data, while Secrets are intended for sensitive information.
Storage Mechanism: Data in ConfigMaps is stored in plain text, whereas Secrets are encrypted before being stored in etcd.
Access Control: Kubernetes allows you to enforce stricter access controls on Secrets, ensuring that only authorized users can access sensitive data.
Live Demo: Creating and Using ConfigMaps and Secrets
In this section, we will walk through a live demonstration of creating and using ConfigMaps and Secrets in a Kubernetes environment.
Step 1: Creating a ConfigMap
To create a ConfigMap, you will need to define it in a YAML file. Here’s an example:
apiVersion: v1
kind: ConfigMap
metadata:
name: test-cm
data:
DB_PORT: "3306"
You can create the ConfigMap using the following command:
kubectl apply -f cm.yaml
Step 2: Using the ConfigMap in a Pod
To use the ConfigMap in a pod, you can reference it as an environment variable in your deployment YAML file:
apiVersion: apps/v1
dkind: Deployment
metadata:
name: my-app
spec:
replicas: 2
template:
spec:
containers:
- name: my-container
image: my-image
env:
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: test-cm
key: DB_PORT
Step 3: Creating a Secret
To create a Secret, you can use a similar YAML structure:
apiVersion: v1
kind: Secret
metadata:
name: test-secret
type: Opaque
data:
DB_PASSWORD: <base64_encoded_password>
You can create the Secret using:
kubectl apply -f secret.yaml
Step 4: Using the Secret in a Pod
To use the Secret in a pod, reference it similarly to how you referenced the ConfigMap:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: test-secret
key: DB_PASSWORD
env
volumeMounts → if value keep changing
secret
Conclusion
In this blog post, we explored the concepts of ConfigMaps and Secrets in Kubernetes, highlighting their purposes, differences, and practical applications. By using ConfigMaps for non-sensitive data and Secrets for sensitive information, you can enhance the security and maintainability of your applications running in Kubernetes.
For further learning, consider experimenting with creating and managing ConfigMaps and Secrets in your own Kubernetes environment. This hands-on experience will solidify your understanding of these critical components in Kubernetes management.