
How do I pass the application.properties to the Spring Boot application using ConfigMaps? Since the application.yml file contains sensitive information, this requires passing in both Secrets and ConfigMaps. In this case, what options do we have to pass both the sensitive and non-sensitive configuration data to the Spring Boot pod? I am currently using Spring Cloud Config Server, and Spring Cloud Config Server can encrypt the sensitive data using the encrypt.key and decrypt it.

zilcuanu

2 Answers


ConfigMaps as described by @paltaa would do the trick for non-sensitive information. For sensitive information I would use a sealedSecret.

Sealed Secrets is composed of two parts:

  • A cluster-side controller / operator
  • A client-side utility: kubeseal

The kubeseal utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.

These encrypted secrets are encoded in a SealedSecret resource, which you can see as a recipe for creating a secret.

Once installed you create your secret as normal and you can then:

kubeseal --format=yaml < secret.yaml > sealed-secret.yaml

You can safely push your sealedSecret to github etc.

This normal kubernetes secret will appear in the cluster after a few seconds and you can use it as you would use any secret that you would have created directly (e.g. reference it from a Pod).

Dharman
Alan
  • But the secrets are still stored inside the cluster as base64-encoded strings. Is it possible to store the encrypted values inside etcd? – zilcuanu Apr 22 '21 at 15:44
  • If you are concerned about who can read them then you should enable RBAC rules that restrict reading and writing the Secret. As to storing encrypted values inside etcd, speaking to a colleague far wiser in Kubernetes than I, apparently it is possible but I'm not sure how. – Alan Apr 23 '21 at 15:12
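The comment thread above makes the practical point behind sealing: the `data` field of a plain Kubernetes Secret is only base64-encoded, so anyone who can read the manifest can read the values, while a SealedSecret's `encryptedData` is useless without the controller's private key. The following is an added example, not code from the answer or from the Sealed Secrets project; it takes manifests as already-parsed dicts (constructed inline, so there is no YAML dependency), shows that a Secret's values decode trivially, and implements a small pre-commit style audit that rejects plain Secrets carrying data and allows SealedSecrets. The `AgBy...` ciphertext is a placeholder, not real kubeseal output.

```python
import base64

# Constructed sample: a plain Secret as it would look after
# `kubectl create secret generic ... --from-file=application.properties -o yaml`.
PLAIN_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "app-config"},
    "type": "Opaque",
    "data": {
        "application.properties": base64.b64encode(
            b"spring.datasource.password=hunter2\n"
        ).decode(),
    },
}

# Constructed sample: the shape of a SealedSecret produced by
# `kubeseal --format=yaml`. The ciphertext is a placeholder.
SEALED_SECRET = {
    "apiVersion": "bitnami.com/v1alpha1",
    "kind": "SealedSecret",
    "metadata": {"name": "app-config"},
    "spec": {
        "encryptedData": {"application.properties": "AgBy...placeholder"},
    },
}


def decode_secret_data(manifest):
    """Return the plaintext of a plain Secret's values.

    No key is involved: `data` is base64, `stringData` is already clear text.
    This is what anyone with read access to the manifest can recover.
    """
    out = {}
    for key, value in manifest.get("data", {}).items():
        out[key] = base64.b64decode(value).decode()
    for key, value in manifest.get("stringData", {}).items():
        out[key] = value
    return out


def classify(manifest):
    """'reject' a plain Secret that carries values; 'allow' anything else.

    A SealedSecret is allowed because its encryptedData cannot be read
    without the controller's private key, which never leaves the cluster.
    """
    kind = manifest.get("kind")
    if kind == "Secret" and (manifest.get("data") or manifest.get("stringData")):
        return "reject"
    return "allow"


def audit(manifests):
    """Audit a list of manifests; returns (name, kind, verdict) per manifest."""
    findings = []
    for m in manifests:
        name = m.get("metadata", {}).get("name", "<unnamed>")
        findings.append((name, m.get("kind"), classify(m)))
    return findings


if __name__ == "__main__":
    print(decode_secret_data(PLAIN_SECRET))
    for name, kind, verdict in audit([PLAIN_SECRET, SEALED_SECRET]):
        print(f"{verdict:6} {kind:12} {name}")
```

In a repository-side hook, `audit` would run over every parsed document in the manifests being committed and fail the commit on any `reject`; the same check does nothing about Secrets already in etcd, which is the separate concern the comment raises.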

You can mount Secret as volumes, the same as ConfigMaps. For example:

Create the secret.

kubectl create secret generic ssh-key-secret --from-file=application.properties

Then mount it as volume:

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
  labels:
    name: secret-test
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: ssh-key-secret
  containers:
  - name: ssh-test-container
    image: mySshImage
    volumeMounts:
    - name: secret-volume
      readOnly: true
      mountPath: "/etc/secret-volume"

More information in https://kubernetes.io/docs/concepts/configuration/secret/

paltaa
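Putting the two answers together for the Spring Boot case in the question: the non-sensitive part of application.properties goes in a ConfigMap, the sensitive part in a Secret (sealed before it is committed, if the first answer's approach is used), and both are mounted as read-only volumes that Spring Boot is told to scan. This is an added example, not from either answer; the resource names, the image, the property keys and the placeholder password are all assumed. It relies on `SPRING_CONFIG_ADDITIONAL_LOCATION`, the environment form of Spring Boot's `spring.config.additional-location`, which loads `application.properties` from each listed directory; keep the keys in the two files disjoint so that no precedence question arises.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: spring-app-config          # assumed name
data:
  application.properties: |
    server.port=8080
    spring.datasource.url=jdbc:postgresql://db:5432/app
---
apiVersion: v1
kind: Secret
metadata:
  name: spring-app-secrets         # assumed name; seal this file with kubeseal before committing it
type: Opaque
stringData:
  application.properties: |
    spring.datasource.username=app
    spring.datasource.password=CHANGE_ME_PLACEHOLDER
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spring-app
  template:
    metadata:
      labels:
        app: spring-app
    spec:
      containers:
      - name: app
        image: example.invalid/spring-app:1.0   # placeholder image
        env:
        # Spring Boot scans each directory for application.properties
        - name: SPRING_CONFIG_ADDITIONAL_LOCATION
          value: "file:/etc/config/,file:/etc/secrets/"
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: secrets
          mountPath: /etc/secrets
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: spring-app-config
      - name: secrets
        secret:
          secretName: spring-app-secrets
```

Mounting the Secret as a volume rather than exposing it through `env` keeps the password out of `kubectl describe pod` output and out of anything that dumps the container environment; the ConfigMap can be edited freely, while the Secret manifest should only ever reach version control in its sealed form.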