Managing Application Configurations and Secrets
Many applications require configuration settings and secrets such as TLS certificates to run in a production environment. In this chapter you will learn how to:
* Create secrets to store sensitive application data
* Create configmaps to store application configuration data
* Expose secrets and configmaps to Pods at runtime
In this chapter we will create a new Pod named secure-monolith based on the healthy-monolith Pod. The secure-monolith Pod secures access to the monolith container using Nginx, which will serve as a reverse proxy serving HTTPS. The nginx container will be deployed in the same pod as the monolith container because they are tightly coupled.
Before we can use the nginx container to serve HTTPS traffic we need some TLS certificates. In this tutorial you will store a set of self-signed TLS certificates in Kubernetes as secrets.
Create the tls-certs secret from the TLS certificates stored under the tls directory, then describe it. Note that describe lists only the key names and their sizes in bytes, never the values themselves:
kubectl create secret generic tls-certs --from-file=manifests/app/tls/
kubectl describe secrets tls-certs
Note: You can also explore Secrets and ConfigMaps in GKE console, from the Configuration menu.
The nginx container also needs a configuration file to set up the secure reverse proxy. In this tutorial you will create a configmap from the proxy.conf nginx configuration file.
Create the nginx-proxy-conf configmap based on the proxy.conf nginx configuration file:
kubectl create configmap nginx-proxy-conf --from-file=manifests/app/nginx/proxy.conf
kubectl describe configmaps nginx-proxy-conf
In this tutorial you will expose the nginx-proxy-conf configmap and the tls-certs secrets to the secure-monolith pod at runtime:
Examine the secure-monolith pod configuration file and note:
* ConfigMap and Secret attached as volumes at the pod level
* Mount of these volumes in the nginx container
How are secrets exposed to the secure-monolith Pod? How are configmaps exposed to the secure-monolith Pod?
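The pattern the questions above point at, as an added illustrative manifest rather than the workshop's own secure-monolith.yaml: the secret and configmap are declared once as volumes in the pod spec, and only the nginx container mounts them, read-only. Image names and mount paths are assumptions.

```yaml
# Added example, not the workshop's secure-monolith.yaml. Image references and
# mount paths are assumptions; proxy.conf is expected to point nginx at the
# monolith container on 127.0.0.1:80 and at the mounted cert/key files.
apiVersion: v1
kind: Pod
metadata:
  name: secure-monolith
  labels:
    app: monolith
spec:
  containers:
    - name: nginx
      image: "nginx:1.25"                  # assumed image
      ports:
        - name: https
          containerPort: 443
      volumeMounts:
        - name: nginx-proxy-conf
          mountPath: /etc/nginx/conf.d     # proxy.conf lands at /etc/nginx/conf.d/proxy.conf
          readOnly: true
        - name: tls-certs
          mountPath: /etc/tls              # one file per key in the secret (cert.pem, key.pem, ...)
          readOnly: true
    - name: monolith
      image: "MONOLITH_IMAGE_PLACEHOLDER"  # placeholder for the application image
      ports:
        - name: http
          containerPort: 80                # reached by nginx over the pod's shared loopback
      # The monolith container mounts nothing: it never sees the private key
      # or the proxy configuration.
  volumes:
    # Declared once at the pod level; each container opts in with a volumeMount.
    - name: tls-certs
      secret:
        secretName: tls-certs
        defaultMode: 0400                  # files readable by the owner only
    - name: nginx-proxy-conf
      configMap:
        name: nginx-proxy-conf
        items:
          - key: proxy.conf
            path: proxy.conf
```

With this layout `kubectl exec -c nginx secure-monolith -- ls -l /etc/tls` shows the certificate files with mode 0400, while the same command against the monolith container reports no such directory.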
Create the secure-monolith Pod using kubectl:
kubectl apply -f manifests/app/pods/secure-monolith.yaml
Forward local port 10443 to port 443 of the secure-monolith Pod:
kubectl port-forward secure-monolith 10443:443
Use the curl command to test the HTTPS endpoint, trusting the self-signed CA that issued the serving certificate:
curl --cacert manifests/app/tls/ca.pem https://127.0.0.1:10443
Use the kubectl logs command to verify traffic reached the nginx container in the secure-monolith Pod:
kubectl logs -c nginx secure-monolith
Secrets and Configmaps allow you to store application secrets and configuration data, then expose them to Pods at runtime. In this chapter you learned how to expose Secrets and Configmaps to Pods using volume mounts. You also learned how to run multiple containers in a single Pod.