
ASP.NET Core on K8S Deep Dive (9): Secret & ConfigMap

This article has been added to the “.NET Core on K8S study and practice series index”; click through to see more articles in the series on container technology.

1. Secret

1.1 About Secret

An application needs some sensitive information when it starts, such as a database user name and password. Storing that in plain text directly inside the container image is not safe; the solution K8S provides is the Secret.


A Secret stores its data in encoded ("ciphertext") form, so the sensitive information is not written directly into a configuration file.

A Secret is mounted into the Pod as a Volume; the container can then consume the sensitive data either as files or as environment variables.

1.2 Creating and viewing Secret

It is assumed that we want to create a Secret containing the following information:

(1) User name: Edison

(2) Password: EDC123456*

There are four ways to create a Secret:

(1) via --from-literal:

kubectl create secret generic mysecret --from-literal=username=Edison --from-literal=password=EDC123456*

PS: each --from-literal corresponds to one information entry.

(2) via --from-file:

echo -n Edison > ./username
echo -n 'EDC123456*' > ./password   # quoted so the shell does not treat * as a glob
kubectl create secret generic mysecret --from-file=./username --from-file=./password

PS: the contents of each file correspond to one information entry (the file name becomes the key).

(3) via --from-env-file:

cat << EOF > env.txt
username=Edison
password=EDC123456*
EOF
kubectl create secret generic mysecret --from-env-file=env.txt

PS: each Key=Value line in env.txt corresponds to one information entry.

(4) via a YAML configuration file (the recommended way)

Because the sensitive data in the configuration file must be given as base64-encoded values, first obtain the base64 encoding of each value:


Here is the YAML file contents:

apiVersion: v1
kind: Secret
metadata:
  name: edc-secret
data:
  username: RWRpc29u
  password: RURDMTIzNDU2Kg==

Create the Secret with kubectl apply:


Once created, verify it by inspecting the Secret:

kubectl get secret edc-secret        # check that the secret exists
kubectl describe secret edc-secret   # view the keys of the entries
kubectl edit secret edc-secret       # view the (base64-encoded) values of the entries


Decoding the Values from base64, as shown below, gives the original plain text, in line with expectations:
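As an added example (not code from the original post), the following Python script produces the same base64 values used in the YAML above, builds an equivalent Secret object, and decodes it back. The manifest is emitted as JSON, which kubectl apply -f accepts as well as YAML; the round trip is the same check done after kubectl edit, and shows that base64 is only encoding, not encryption.

```python
from __future__ import annotations

import base64
import json

# Constructed sample values, taken from the post's example Secret.
PLAINTEXT = {"username": "Edison", "password": "EDC123456*"}


def encode_secret_data(values: dict[str, str]) -> dict[str, str]:
    """Base64-encode each value, as the `data:` field of a Secret requires."""
    return {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in values.items()
    }


def build_secret_manifest(name: str, values: dict[str, str]) -> dict:
    """Build a v1 Secret object equivalent to the post's edc-secret YAML.

    `type: Opaque` is the default K8S applies when the field is omitted,
    as it is in the post's YAML; it is written out here for clarity.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": encode_secret_data(values),
    }


def decode_secret_data(manifest: dict) -> dict[str, str]:
    """Recover the plain text from a Secret manifest.

    Anyone who can read the object (kubectl get/edit, etcd, a backup) can
    do exactly this, which is why base64 here is encoding, not encryption.
    """
    return {
        key: base64.b64decode(value, validate=True).decode("utf-8")
        for key, value in manifest["data"].items()
    }


if __name__ == "__main__":
    manifest = build_secret_manifest("edc-secret", PLAINTEXT)
    # Save this output to a file and run: kubectl apply -f <file>
    print(json.dumps(manifest, indent=2))
    print(decode_secret_data(manifest))  # prints the original plaintext
```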


1.3 Using a Secret in the Pod

K8S offers two ways to use a Secret in a Pod: Volume mode and environment-variable mode.

(1) Volume mode

Here we demonstrate with an example how to use a Secret via a Volume. First define a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
  - name: secret-demo-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: edc-secret

The Pod declares a Volume named foo backed by the Secret just defined (edc-secret); volumeMounts then mounts foo at the /etc/foo directory of the container and sets the mount to read-only.

After creating it with kubectl apply, we enter the container and read the secret to verify, as shown below:


We can see that K8S creates one file per sensitive data entry, and that the Value is stored in the file in clear text.

Of course, you can also customise the storage path of the data; the configuration is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
  - name: secret-demo-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: edc-secret
      items:
      # path is relative to the mount point; K8S rejects absolute paths here
      - key: username
        path: edc-group/username
      - key: password
        path: edc-group/password

In this case, the secret entries are stored at /etc/foo/edc-group/username and /etc/foo/edc-group/password.

Dynamic update

One advantage of using a Secret via a Volume is that it supports dynamic updates. For example, let us update the Secret as follows and re-apply it to K8S:

apiVersion: v1
kind: Secret
metadata:
  name: edc-secret
data:
  username: RWRpc29u
  password: YWJjZGVmZyo=    # changed to abcdefg*

After re-applying it with kubectl apply and waiting a while, enter the container again to verify:


It has been changed to abcdefg*, in line with expectations.

(2) environment variable way

Using a Secret via a Volume is a little troublesome in that the container must read the data from files. K8S provides another way: environment variables.

Still based on the example above, modify the configuration file:

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
  - name: secret-demo-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    env:
      - name: EDC_SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: edc-secret
            key: username
      - name: EDC_SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: edc-secret
            key: password

After applying it with kubectl apply, enter the container to test:


You can see that the Values are easily obtained through environment variables.

PS: note, however, that although reading a Secret through environment variables is more convenient, it does not support dynamic updates of the Secret!

2. ConfigMap

2.1 About ConfigMap

The Secret described above stores confidential data for a Pod; for non-confidential data, such as application configuration information and the like, you can use a ConfigMap.

Creating and using a ConfigMap is very similar to a Secret, the only difference being that the data is stored in clear text (although, in my view, the Secret "ciphertext" is not encryption either and can only be regarded as simple encoding).


2.2 Creating a ConfigMap

As with Secret, a ConfigMap can be created via --from-literal, --from-file and --from-env-file; here we skip directly to the most commonly used way, the YAML configuration file.

apiVersion: v1
kind: ConfigMap
metadata:
  name: service-configmap
data:
  LogLevel: Error
  LogFile: service-timestamp.log
  AllowedHosts: edc.com

2.3 Using a ConfigMap

Like a Secret, a ConfigMap can be used in two ways: via a Volume or via environment variables.

(1) Volume mode

apiVersion: v1
kind: Pod
metadata:
  name: configmap-demo
spec:
  containers:
  - name: configmap-demo-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    configMap:
      name: service-configmap

(2) environment variable way

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
  - name: secret-demo-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    env:
      - name: SERVICE_LOG_LEVEL
        valueFrom:
          configMapKeyRef:
            name: service-configmap
            key: LogLevel
      - name: SERVICE_LOG_FILE
        valueFrom:
          configMapKeyRef:
            name: service-configmap
            key: LogFile
      - name: SERVICE_ALLOWED_HOSTS
        valueFrom:
          configMapKeyRef:
            name: service-configmap
            key: AllowedHosts

2.4 Best Practices

In most cases, the best practices we recommend are:

(1) Create the ConfigMap from a YAML file => easier to reuse and put under version control

(2) Read the ConfigMap via a Volume => the configuration can be updated dynamically

Let’s create a ConfigMap; its YAML reads as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  name: service-configmap
data:
  appsettings.json: |
    LogHandler: NLogHandler
    LogLevel: Error
    LogFile: %hostname-%timestamp.log

Note the | symbol after the key here (it keeps the multi-line file content as one value). Then create and view the ConfigMap:


To use this ConfigMap in a Pod, configure the YAML as follows:

apiVersion: v1
kind: Pod
metadata:
  name: configmap-demo
spec:
  containers:
  - name: configmap-demo-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:
    - name: configmap
      mountPath: "/etc/configmap"
  volumes:
  - name: configmap
    configMap:
      name: service-configmap
      items:
        - key: appsettings.json
          path: appsettings.json

Here the Volume is mounted at the container's /etc/configmap directory; we verify as follows:


Then we update the ConfigMap as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  name: service-configmap
data:
  appsettings.json: |
    Logging:
      LogLevel:
        Default: "Error"
    AllowedHosts: "*"

Update the ConfigMap with kubectl apply, then check whether the Pod picked up the change dynamically:


As can be seen, it has been updated dynamically, in line with expectations!

2.5 ASP.NET Core appsettings

In ASP.NET Core all of our configuration is written in the appsettings.json file, so how do we turn appsettings.json into a ConfigMap? Byron has summarised this in the article “.NET Core K8S Configmap use correct posture”; interested readers can refer to it.

3. Summary

This article explores configuration management in K8S: if the configuration needs to be stored in encoded ("ciphertext") form, use a Secret; for general application configuration, use a ConfigMap. Although both Secret and ConfigMap can be defined in several ways, we generally create them from YAML and consume them via a Volume, because the Volume way supports dynamic updates. Finally, by sharing Byron’s article on how to use a ConfigMap in ASP.NET Core, we hope this has been helpful to you!


Author: Zhou Xulong

Source: https://edisonchou.cnblogs.com

This article is jointly owned by the author and Cnblogs. Reprinting is welcome, but without the author’s consent this statement must be retained, and a link to the original article must be given in a prominent position on the page.
