Kubernetes - Secrets ¶
Step-01: Introduction ¶
- Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.
- Storing confidential information in a Secret is safer and more flexible than putting it directly in a Pod definition or in a container image.
Kubernetes Manifests ¶
#01-storage-class.yml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ebs-sc
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
#02-persistent-volume-claim.yml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ebs-mysql-pv-claim
spec:
accessModes:
- ReadWriteOnce
storageClassName: ebs-sc
resources:
requests:
storage: 4Gi
#03-UserManagement-ConfigMap.yml
apiVersion: v1
kind: ConfigMap
metadata:
name: usermanagement-dbcreation-script
data:
mysql_usermgmt.sql: |-
DROP DATABASE IF EXISTS usermgmt;
CREATE DATABASE usermgmt;
#04-mysql-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
strategy:
type: Recreate
template:
metadata:
labels:
app: mysql
spec:
containers:
- name: mysql
image: mysql:5.6
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-db-password
key: db-password
ports:
- containerPort: 3306
name: mysql
volumeMounts:
- name: mysql-persistent-storage
mountPath: /var/lib/mysql
- name: usermanagement-dbcreation-script
mountPath: /docker-entrypoint-initdb.d #https://hub.docker.com/_/mysql Refer Initializing a fresh instance
volumes:
- name: mysql-persistent-storage
persistentVolumeClaim:
claimName: ebs-mysql-pv-claim
- name: usermanagement-dbcreation-script
configMap:
name: usermanagement-dbcreation-script
#05-mysql-clusterip-service.yml
apiVersion: v1
kind: Service
metadata:
name: mysql
spec:
selector:
app: mysql
ports:
- port: 3306
clusterIP: None # This means we are going to use Pod IP
#06-UserManagementMicroservice-Deployment-Service.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: usermgmt-microservice
labels:
app: usermgmt-restapp
spec:
replicas: 1
selector:
matchLabels:
app: usermgmt-restapp
template:
metadata:
labels:
app: usermgmt-restapp
spec:
containers:
- name: usermgmt-restapp
image: stacksimplify/kube-usermanagement-microservice:1.0.0
ports:
- containerPort: 8095
env:
- name: DB_HOSTNAME
value: "mysql"
- name: DB_PORT
value: "3306"
- name: DB_NAME
value: "usermgmt"
- name: DB_USERNAME
value: "root"
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-db-password
key: db-password
#07-UserManagement-Service.yml
apiVersion: v1
kind: Service
metadata:
name: usermgmt-restapp-service
labels:
app: usermgmt-restapp
spec:
type: NodePort
selector:
app: usermgmt-restapp
ports:
- port: 8095
targetPort: 8095
nodePort: 31231
#08-kubernetes-secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: mysql-db-password
type: Opaque
data:
db-password: ZGJwYXNzd29yZDEx
Step-02: Create Secret for MySQL DB Password ¶
¶
# Mac
echo -n 'dbpassword11' | base64
# URL: https://www.base64encode.org
Create Kubernetes Secrets manifest ¶
apiVersion: v1
kind: Secret
metadata:
name: mysql-db-password
#type: Opaque means that from kubernetes's point of view the contents of this Secret is unstructured.
#It can contain arbitrary key-value pairs.
type: Opaque
data:
# Output of echo -n 'dbpassword11' | base64
db-password: ZGJwYXNzd29yZDEx
Step-03: Update secret in MySQL Deployment for DB Password ¶
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-db-password
key: db-password
AWS EKS - Elastic Kubernetes Service - Masterclass ¶
Step-04: Update secret in UMS Deployment ¶
- UMS means User Management Microservice
- name: DB_PASSWORD valueFrom: secretKeyRef: name: mysql-db-password key: db-password
Step-05: Create & Test ¶
# Create All Objects
kubectl apply -f kube-manifests/
# List Pods
kubectl get pods
# Access Application Health Status Page
http://<WorkerNode-Public-IP>:31231/usermgmt/health-status
Step-06: Clean-Up ¶
- Delete all k8s objects created as part of this section
# Delete All kubectl delete -f kube-manifests/ # List Pods kubectl get pods # Verify sc, pvc, pv kubectl get sc,pvc,pv