Managing Application Configurations and Secrets
Many applications require configuration settings and secrets such as TLS certificates to run in a production environment. In this chapter you will learn how to:
- Create secrets to store sensitive application data
- Create configmaps to store application configuration data
- Expose secrets and configmaps to Pods at runtime
In this chapter we will create a new Pod named secure-monolith based on the healthy-monolith Pod. The secure-monolith Pod secures access to the monolith container using Nginx, which serves as a reverse proxy that terminates HTTPS in front of it. The nginx container is deployed in the same pod as the monolith container because the two are tightly coupled.
Tutorial: Creating Secrets
Before we can use the nginx container to serve HTTPS traffic, we need some TLS certificates. In this tutorial you will store a set of self-signed TLS certificates in Kubernetes as secrets.
Create the tls-certs secret from the TLS certificates stored under the manifests/app/tls/ directory:
kubectl create secret generic tls-certs --from-file=manifests/app/tls/
Examine the tls-certs secret:
kubectl describe secrets tls-certs
Note: You can also explore Secrets and ConfigMaps in the GKE console, from the Configuration menu.
Tutorial: Creating Configmaps
The nginx container also needs a configuration file to set up the secure reverse proxy. In this tutorial you will create a configmap from the proxy.conf nginx configuration file.
Create the nginx-proxy-conf configmap based on the proxy.conf nginx configuration file:
kubectl create configmap nginx-proxy-conf --from-file=manifests/app/nginx/proxy.conf
Examine the nginx-proxy-conf configmap:
kubectl describe configmaps nginx-proxy-conf
Tutorial: Use Configmaps and Secrets
In this tutorial you will expose the nginx-proxy-conf configmap and the tls-certs secret to the secure-monolith pod at runtime.
Examine the secure-monolith pod configuration file manifests/app/pods/secure-monolith.yaml.
Notice:
* The ConfigMap and Secret are attached as volumes at the pod level
* These volumes are mounted in the nginx container
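As an added illustration of these two points (this is not the workshop's own secure-monolith.yaml, which is not reproduced on this page), the manifest below shows the shape such a Pod takes; the image tags, the mount paths and the monolith image name are assumptions or placeholders, and the paths must match what proxy.conf expects:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-monolith
  labels:
    app: monolith
spec:
  containers:
    - name: nginx
      image: "nginx:1.25"   # assumed tag; the page does not name the nginx image version
      ports:
        - name: https
          containerPort: 443
      volumeMounts:
        # proxy.conf from the nginx-proxy-conf configmap; nginx only needs to read it
        - name: nginx-proxy-conf
          mountPath: /etc/nginx/conf.d   # assumed path; proxy.conf is loaded from here
          readOnly: true
        # certificate, key and ca.pem from the tls-certs secret, also read-only
        - name: tls-certs
          mountPath: /etc/tls            # assumed path; proxy.conf must point its
          readOnly: true                 # ssl_certificate / ssl_certificate_key here
    - name: monolith
      image: "monolith-image:placeholder"  # placeholder: the monolith image is not on this page
      ports:
        - name: http
          containerPort: 80
      # no volumeMounts: the monolith never sees the private key; only nginx does
  volumes:
    # Both volumes are declared once, at the pod level, then mounted per container
    - name: nginx-proxy-conf
      configMap:
        name: nginx-proxy-conf
        items:
          - key: proxy.conf     # expose only the file nginx needs
            path: proxy.conf
    - name: tls-certs
      secret:
        secretName: tls-certs
        defaultMode: 0400       # key material readable only by the file owner
```

Because the volumes are pod-scoped but mounts are per container, the secret reaches only the container that mounts it; a `kubectl exec -c monolith secure-monolith -- ls /etc/tls` should fail.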
Quiz
- How are secrets exposed to the secure-monolith Pod?
- How are configmaps exposed to the secure-monolith Pod?
Create the secure-monolith Pod using kubectl:
kubectl apply -f manifests/app/pods/secure-monolith.yaml
Test the HTTPS endpoint
Forward local port 10443 to port 443 of the secure-monolith Pod:
kubectl port-forward secure-monolith 10443:443
Use the curl command to test the HTTPS endpoint. The --cacert flag makes curl validate the server certificate against the workshop's own CA certificate rather than skipping verification, so the request succeeds only if nginx presents a certificate issued by that CA:
curl --cacert manifests/app/tls/ca.pem https://127.0.0.1:10443
Use the kubectl logs command to verify that the traffic reached the nginx container in the secure-monolith Pod:
kubectl logs -c nginx secure-monolith