Exercise 5: ConfigMaps and Secrets
In this exercise, you will learn how to use ConfigMaps and Secrets to manage application configuration and sensitive data in Kubernetes.
Task 1 - Create a ConfigMap and a Secret
Create a ConfigMap for application configuration:
PowerShell:
$configMapYaml = @"
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_COLOR: blue
"@
# Apply the ConfigMap
$configMapYaml | kubectl apply -f -
Bash:
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_COLOR: blue
EOF
Create a Secret with a fake API key:
PowerShell:
$secretYaml = @"
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  API_KEY: ZmFrZV9hcGlfa2V5 # base64 for 'fake_api_key'
"@
# Apply the Secret
$secretYaml | kubectl apply -f -
Bash:
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  API_KEY: ZmFrZV9hcGlfa2V5 # base64 for 'fake_api_key'
EOF
Verify they were created:
kubectl get configmap
kubectl get secret
View the contents of the ConfigMap
kubectl describe configmap app-config
View the contents of the Secret
kubectl get secret app-secret -o yaml
Note
The Secret will show the data in base64 encoded format. You can decode it using
echo <base64-encoded-string> | base64 --decode
in a Unix-like shell or, for a throwaway value like this fake key, an online decoder. Base64 is an encoding, not encryption, and decoding it is trivial. This means you must ensure that permissions are set correctly on the Secret to prevent unauthorized access, or move sensitive data to a more secure storage solution like Azure Key Vault, which we will cover in a later lab.
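The point of the note above, as an added example that is not part of the original lab: anyone who can read the Secret object can recover every value in it without a key or password. The function name decode_secret_data and the sample manifest are assumptions made for this illustration; the sample is constructed to look like the output of kubectl get secret app-secret -o yaml.

```shell
#!/bin/sh
# Added example (not from the lab): decode every entry under "data:" in a
# Secret manifest read from stdin.
# Against a live cluster (assumes you have "get" permission on the Secret):
#   kubectl get secret app-secret -o yaml | decode_secret_data

decode_secret_data() {
  # awk emits "KEY VALUE" for each indented entry inside the top-level data: block.
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }
    /^[^ \t#]/      { in_data = 0 }   # any other top-level key ends the block
    in_data && /^[ \t]+[^ \t#]+:/ {
      key = $1; sub(/:$/, "", key)
      print key, $2                   # $2 is the value; trailing comments are dropped
    }
  ' | while read -r key value; do
    # base64 is an encoding, not encryption: no key material is needed here.
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 --decode)"
  done
}

# Constructed sample, shaped like `kubectl get secret app-secret -o yaml` output.
sample_secret() {
  cat <<'EOF'
apiVersion: v1
data:
  API_KEY: ZmFrZV9hcGlfa2V5
kind: Secret
metadata:
  name: app-secret
  namespace: default
type: Opaque
EOF
}

sample_secret | decode_secret_data
```

The decoded value is the same string the container later sees in its API_KEY environment variable, so read access to the Secret is equivalent to read access to the plaintext.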
Task 2 - Deploy an Application Using ConfigMap and Secret
Create a deployment that uses environment variables from the ConfigMap and Secret:
PowerShell:
$appDeploymentYaml = @"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo-app
        image: k8sonazureworkshoppublic.azurecr.io/k8slab/nginx:2.0
        env:
        - name: APP_COLOR
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: APP_COLOR
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: API_KEY
        ports:
        - containerPort: 80
"@
# Deploy the application
$appDeploymentYaml | kubectl apply -f -
Bash:
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo-app
        image: k8sonazureworkshoppublic.azurecr.io/k8slab/nginx:2.0
        env:
        - name: APP_COLOR
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: APP_COLOR
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: API_KEY
        ports:
        - containerPort: 80
EOF
Check the running pods
kubectl get pods
Task 3 - Verify Configuration in the Running Pod
Open a shell into the pod:
kubectl exec -it <pod-name> -- /bin/sh
Inside the pod, check the APP_COLOR environment variable:
echo $APP_COLOR
Check the API key from the Secret. Note that the value in the environment variable is not base64 encoded:
echo $API_KEY
Exit the pod shell:
exit
Task 4 - Clean Up
Delete all resources created in this exercise:
kubectl delete deployment app-demo
kubectl delete configmap app-config
kubectl delete secret app-secret