Lab13 - Secrets and ConfigMaps

This document discusses Kubernetes Secrets and ConfigMaps. It provides instructions on how to create a Secret containing a MySQL password, decode the Secret, create a ConfigMap containing a MySQL configuration file, and deploy a MariaDB pod that uses the Secret and ConfigMap. The key steps are:

1. Create a Secret containing a base64-encoded MySQL password
2. Create a ConfigMap containing a MySQL configuration file
3. Deploy a MariaDB pod that references the Secret and ConfigMap
4. Verify the pod is using the Secret for environment variables and the ConfigMap for a mounted configuration file
Lab: Secrets and ConfigMap

Introduction
Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth
tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than
putting it verbatim in a Pod definition or in a container image.

A ConfigMap is an API object used to store non-confidential data in key-value pairs. Pods can
consume ConfigMaps as environment variables, command-line arguments, or as configuration
files in a volume. A ConfigMap allows you to decouple environment-specific configuration from
your container images, so that your applications are easily portable.

In this lab, you will cover the following items:

Objective:

• Create Secret
• Decode Secret
• Create ConfigMap
• Deploy MariaDB app
• Cleanup

Note: Ensure you have a running cluster deployed.


1. Ensure that you are logged in as the root user (password: linux) on the kube-master node.

1.1 Let us clone the git repository that contains the manifests required for this exercise, by
executing the below command.

# git clone https://github.com/EyesOnCloud/k8s-secret.git

Student Material – Do Not Re-distribute. For any queries contact:
[email protected] or https://www.linkedin.com/in/naushadpasha/

1.2 Let us view the manifest file.

# cat -n ~/k8s-secret/mysql-secret.yaml

1.3 Let us create Secret using the manifest file mysql-secret.yaml, by using the below
command.

# kubectl apply -f ~/k8s-secret/mysql-secret.yaml


Note: The manifest contains the base64-encoded password for MYSQL_ROOT_PASSWORD.
(echo -n 'KubernetesRocks!' | base64)

1.4 Verify the newly created secret:

# kubectl describe secret mariadb-root-password


Note: Data field contains the key you set in the YAML: password. The value assigned to that key
is the password you created, but it is not shown in the output. Instead, the value's size is shown
in its place, in this case, 16 bytes.

1.5 The Secret can be edited by executing the below command.

# kubectl edit secret mariadb-root-password


2. Decode the Secret:


2.1 Let us extract the value of the secret, by executing the below command.

# kubectl get secret mariadb-root-password -o jsonpath='{.data.password}'

2.2 Let us decode the secret by passing the value to base64, by executing the below command.

# kubectl get secret mariadb-root-password -o jsonpath='{.data.password}' | base64 --decode -

3. Another way to create Secrets:

You can also create Secrets directly using the kubectl create secret command. The MariaDB
image permits setting up a regular database user with a password by setting the MYSQL_USER
and MYSQL_PASSWORD environment variables. A Secret can hold more than one key/value
pair, so you can create a single Secret to hold both strings.

# kubectl create secret generic mariadb-user-creds --from-literal=MYSQL_USER=kubeuser --from-literal=MYSQL_PASSWORD=kube-still-rocks

Note: The --from-literal option sets the key name and the value all in one. You can pass as many
--from-literal arguments as you need to create one or more key/value pairs in the Secret.

3.1 Let us verify that the username was created and stored correctly:

# kubectl get secret mariadb-user-creds -o jsonpath='{.data.MYSQL_USER}' | base64 --decode -

3.2 Let us verify that the password was created and stored correctly:

# kubectl get secret mariadb-user-creds -o jsonpath='{.data.MYSQL_PASSWORD}' | base64 --decode -

4. ConfigMaps:

Let us first create a file named max_allowed_packet.cnf with the following content:

# cat > max_allowed_packet.cnf << EOF
[mysqld]
max_allowed_packet = 64M
EOF

This will override the default setting in the my.cnf file and set max_allowed_packet to 64M.

4.1 Let us create a ConfigMap named mariadb-config, by executing the below command.

# kubectl create configmap mariadb-config --from-file=max_allowed_packet.cnf

4.3 Let us validate the ConfigMap, by executing the below command.

# kubectl get configmap mariadb-config


4.4 Let us describe the configmap, by executing the below command.

# kubectl describe cm mariadb-config


4.5 Let us edit and change the max_allowed_packet to 32M using the edit command.

# kubectl edit configmap mariadb-config


5. Using Secrets and ConfigMaps:
Secrets and ConfigMaps can be mounted as environment variables or as files within a
container. For the MariaDB container, you will need to mount the Secrets as environment
variables and the ConfigMap as a file. First, though, you need to write a Deployment for
MariaDB so that you have something to work with.
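
The repository's mariadb-deployment.yaml is not reproduced on this page. As an added example (not the lab's own manifest), a Deployment that consumes the objects created above could look like the following; the image tag, labels, and container and volume names are assumptions, while the Secret and ConfigMap names, the password key and the /etc/mysql/conf.d path are the ones used in this lab.

```yaml
# Added example: not the repository's mariadb-deployment.yaml.
# Assumed (not on the page): image tag, labels, container and volume names.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb-deployment
  labels:
    app: mariadb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mariadb
  template:
    metadata:
      labels:
        app: mariadb
    spec:
      containers:
        - name: mariadb
          image: mariadb:10.6          # assumed tag
          ports:
            - containerPort: 3306
          env:
            # A single key taken from the Secret created in step 1.3
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mariadb-root-password
                  key: password
          envFrom:
            # Every key of the Secret from step 3 becomes an environment
            # variable (MYSQL_USER and MYSQL_PASSWORD)
            - secretRef:
                name: mariadb-user-creds
          volumeMounts:
            # Each ConfigMap key appears as a file in this directory
            - name: mariadb-config-volume
              mountPath: /etc/mysql/conf.d
              readOnly: true
      volumes:
        - name: mariadb-config-volume
          configMap:
            name: mariadb-config
```

Values injected as environment variables are readable by anything that can run env inside the container, which is what step 7.1 relies on. Mounting the Secret as a volume is the alternative when that exposure matters.
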
5.1 Create a MariaDB instance from the Deployment:

Let us view the mariadb-deployment.yaml file, by executing the below command.

# cat -n ~/k8s-secret/mariadb-deployment.yaml
5.2 Let us deploy the MariaDB instance, by executing the below command.

# kubectl apply -f ~/k8s-secret/mariadb-deployment.yaml


5.3 Let us verify the pod, by executing below command.

# kubectl get pods


6. Verify the instance is using the Secrets and ConfigMap

Use the kubectl exec command (with your Pod name) to validate that the Secrets and
ConfigMaps are in use.

7.1 Check that the environment variables are exposed in the container:

# kubectl exec mariadb-deployment-5465c6655c-7jfqm -- env | grep MYSQL

7.2 Let us verify that the max_allowed_packet.cnf file was created in /etc/mysql/conf.d and
that it contains the expected content:

# kubectl exec -it mariadb-deployment-5465c6655c-7jfqm -- ls /etc/mysql/conf.d

# kubectl exec mariadb-deployment-587c7947bf-gpdqw -- cat /etc/mysql/conf.d/max_allowed_packet.cnf

7.3 Verify that MariaDB used the environment variable to set the root user password and read
the max_allowed_packet.cnf file to set the max_allowed_packet configuration variable.

# kubectl exec -it mariadb-deployment-5465c6655c-7jfqm -- /bin/bash

7.4 Check that the root password was set correctly

# mysql -uroot -p${MYSQL_ROOT_PASSWORD} -e 'show databases;'

7.5 Check that the max_allowed_packet.cnf was parsed

# mysql -uroot -p${MYSQL_ROOT_PASSWORD} -e "SHOW VARIABLES LIKE 'max_allowed_packet';"

# exit

7.6 Let us clean up the MariaDB instance:

# kubectl delete -f ~/k8s-secret/mariadb-deployment.yaml

