+++
title = 'ConfigMaps & Secrets'
+++
# ConfigMaps & Secrets
A ConfigMap stores data that's not secret; a Secret stores passwords, tokens, certs, etc.

## ConfigMap
Pods get data from ConfigMaps via:
- environment variables declared in the spec of a container in the pod
- CLI arguments passed to the container command inside the pod
- read-only config files in a volume readable by the pod
- container code that calls the Kubernetes API to get data from the ConfigMap

Example ConfigMap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: db-config-map
data:
  host1: "domain.com"
```

Example usage:

```yaml
apiVersion: v1
kind: Pod
spec:
  containers:
    - name: some-container
      # ...
      env:
        - name: THE_HOST
          valueFrom:
            configMapKeyRef:
              name: db-config-map
              key: host1
```

## Secret
Data in a Secret object is not encrypted, only encoded in base64.

Example:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: aHVudGVyMg==
```

Using the secret from a pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: the-pod
spec:
  containers:
    - name: acontainer
      # ...
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
```

### TLS secrets
To configure apps with certificates to encrypt connections (like TLS), you have to keep the certs' private keys secure.
You can use the built-in Secret type `kubernetes.io/tls` to store a cert and its associated key in the `tls.crt` and `tls.key` fields.
You can create it from the CLI with `kubectl create secret tls my-tls-secret --cert=cert.pem --key=key.pem`.
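
The Secret section's point that values are only base64-encoded, shown on the page's own `mysecret` values, together with a check that a `kubernetes.io/tls` Secret carries both fields named above. This is an added example, not part of the original notes; the JSON manifests are constructed samples and the function names are hypothetical.

```python
import base64
import json

# Constructed sample: the page's `mysecret` in the JSON form the API returns.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "mysecret"},
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "aHVudGVyMg=="},
})

# Constructed sample: a TLS Secret whose private key field was left out.
SAMPLE_TLS_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-tls-secret"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": base64.b64encode(b"constructed placeholder cert").decode()},
})

REQUIRED_TLS_FIELDS = ("tls.crt", "tls.key")


def decode_secret(manifest_json):
    """Return {key: plaintext bytes} for every .data entry; no key is needed."""
    manifest = json.loads(manifest_json)
    if manifest.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    # validate=True rejects characters outside the base64 alphabet
    return {
        name: base64.b64decode(value, validate=True)
        for name, value in (manifest.get("data") or {}).items()
    }


def missing_tls_fields(manifest_json):
    """List the tls.crt / tls.key fields a kubernetes.io/tls Secret lacks."""
    manifest = json.loads(manifest_json)
    if manifest.get("type") != "kubernetes.io/tls":
        return []
    data = manifest.get("data") or {}
    return [field for field in REQUIRED_TLS_FIELDS if not data.get(field)]


if __name__ == "__main__":
    for name, value in decode_secret(SAMPLE_SECRET).items():
        print(f"{name}: {value.decode()}")
    print("missing TLS fields:", missing_tls_fields(SAMPLE_TLS_SECRET))
```

Anyone who can read the Secret object, or a manifest checked into a repository, recovers the plaintext this way, so the manifest itself has to be handled as sensitive.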