lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

commit f2f4276e9e383b250bd052d8cf17b1163bb9afb6
parent 866fbb2a1219fa621f50a49b6fce000b90bb0b01
Author: Alex Balgavy <alex@balgavy.eu>
Date:   Thu, 20 Jan 2022 18:15:31 +0100

Update software containerisation notes

Diffstat:
M content/softcont-notes/_index.md | 3 +++
A content/softcont-notes/configmaps-secrets.md | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A content/softcont-notes/statefulset.md | 11 +++++++++++
A content/softcont-notes/storage.md | 27 +++++++++++++++++++++++++++
4 files changed, 121 insertions(+), 0 deletions(-)

diff --git a/content/softcont-notes/_index.md b/content/softcont-notes/_index.md @@ -8,3 +8,6 @@ title = 'Software Containerisation' 4. [Workload resources and controllers](workload-resources-and-controllers) 5. [YAML syntax](yaml-syntax) 6. [Networking](networking) +7. [Storage](storage) +8. [StatefulSet](statefulset) +9. [ConfigMaps & Secrets](configmaps-secrets) diff --git a/content/softcont-notes/configmaps-secrets.md b/content/softcont-notes/configmaps-secrets.md 
@@ -0,0 +1,80 @@ ++++ +title = 'ConfigMaps & Secrets' ++++ +# ConfigMaps & Secrets +ConfigMap stores data that's not secret, Secret stores passwords/tokens/certs/etc. + +## ConfigMap +Pods get data from ConfigMaps via: +- environment variables declared in spec of container in pod +- CLI arguments passed to container command inside pod +- read-only config files in a volume readable by the pod +- container code that calls Kubernetes API to get data from ConfigMap + +Example ConfigMap: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: +name: db-config-map +data: + host1: "domain.com" +``` + +Example usage: + +```yaml +apiVersion: v1 +kind: Pod +spec: + containers: + - name: some-container + # ... + env: + - name: THE_HOST + valueFrom: + configMapKeyRef: + name: db-config-map + key: host1 +``` + +## Secret +Data in Secret object not encrypted, only encoded in base 64. + +Example: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: mysecret +type: Opaque +data: + username: YWRtaW4= + password: aHVudGVyMg== +``` + +Using the secret from a pod: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: the-pod +spec: + containers: + - name: acontainer + # ... + env: + - name: USERNAME + valueFrom: + secretKeyRef: + name: mysecret + key: username +``` + +### TLS secrets +To config apps with certificates to encrypt connections (like TLS), you have to keep cert private keys secure. +You can use the builtin Secret type `kubernetes.io/tls` to store cert and its associated key in `tls.crt` and `tls.key` fields. +You can create it from the CLI with `kubectl create secret tls my-tls-secret --cert=cert.pem --key=key.pem`. diff --git a/content/softcont-notes/statefulset.md b/content/softcont-notes/statefulset.md 
@@ -0,0 +1,11 @@ ++++ +title = 'StatefulSet' ++++ +# StatefulSet +Alternative to Deployment for stateful application. +Manages set of pods created from same template, and desired number of replicas. + +Unlike Deployment, StatefulSet ensures unique and easy way of identifying each pod, and creation of pods in specific order. +Contains also a PersistentVolumeClaim template. + +Requires Headless Service - a Service where ClusterIP is None (so not handled by kube-proxy). diff --git a/content/softcont-notes/storage.md b/content/softcont-notes/storage.md 
@@ -0,0 +1,27 @@ ++++ +title = 'Storage' ++++ +# Storage +## Volumes +Pod hosts containers with a writable layer, which is lost if the container crashes. +Volumes provide sharable storage that survives crashes, are attached to lifecycle of pod (not container). + +A volume is directory that's accessible to containers in a pod. + +Types of volumes: +- emptyDir: created when pod assigned to node, exists as long as pod is running on the node. Initially empty. When a pod is removed from a node, data in it is deleted. Safe across crashes. Stored on the node storage. +- hostPath: allows containers to access path in filesystem of node on which the pod runs, owned by root:root. With multiple nodes not very useful, because not clear on which node the hostPath storage will be used. +- nfs: Network File System. Not provided by Kubernets, must install your own NFS server. Can be shared between pods and mounted by multiple writers simultaneously. + +## Persistent Volumes +Decoupled from that of pods, i.e. created independently from pods. +Persistent Volume Claims express storage requirements of an app, and Kubernetes binds Persistent Volume Claims to Persistent Volumes. + +PVs can be provisioned: +- statically: created in advance by an admin, ready to be consumed by PVCs. +- dynamically (based on StorageClasses): when none of static PVs matches the PVC, the cluster may try to dynamically provision a volume that matches (admin has to enable DefaultStorageClass admission controller on API server) + +Reclaiming: what happens to storage and data after you delete PVC: +- retain: when PVC deleted, PV is not. +- delete: when PVC deleted, PV and data is also deleted +- recycle: deprecated.
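Review bot: in the configmaps-secrets.md hunk, the ConfigMap example has `name: db-config-map` at the same indentation as `metadata:`, so `metadata` parses as null and `name` becomes an unknown top-level key; the API server will reject that manifest. Indent it under `metadata:` the way the Secret example does (`metadata:` / `  name: mysecret`). The line "Data in Secret object not encrypted, only encoded in base 64" is the key security point of the page and deserves one more sentence: base64 is reversible, so anyone who can read the Secret object can recover the value, which is also why the `tls.key` in a `kubernetes.io/tls` Secret needs the same access control as any password stored this way.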
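Review bot: in the statefulset.md hunk, "Contains also a PersistentVolumeClaim template" is the only mention of the PVC template and does not say what it is for; since storage.md in this same commit introduces Persistent Volume Claims, a short sentence tying the template to per-pod storage plus a link to [Storage](storage) would make the page self-contained. "Contains also" also reads awkwardly; "It also contains" is the natural word order.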
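Review bot: in the storage.md hunk, "Kubernets" in the nfs bullet is a typo for "Kubernetes", and "Decoupled from that of pods" under Persistent Volumes has no antecedent for "that"; "Lifecycle is decoupled from that of pods" would fix it. The hostPath bullet records that the path is owned by root:root but not the consequence of "allows containers to access path in filesystem of node": a pod using hostPath can read or modify files on the node itself, so it is a volume type to restrict rather than use by default. A one-line caveat there would match the security framing the Secrets page already has.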