Many applications require configuration settings and secrets such as TLS certificates to run in a production environment. In this lab you will learn how to:
- Create secrets to store sensitive application data
- Create configmaps to store application configuration data
- Expose secrets and configmaps to Pods at runtime
In this lab we will create a new Pod named secure-monolith based on the healthy-monolith Pod. The secure-monolith Pod secures access to the monolith container using Nginx, which will serve as a reverse proxy serving HTTPS.
The nginx container will be deployed in the same pod as the monolith container because they are tightly coupled.
Before we can use the nginx container to serve HTTPS traffic we need some TLS certificates. In this tutorial you will store a set of self-signed TLS certificates in Kubernetes as secrets.
Create the tls-certs secret from the TLS certificates stored under the tls/ directory:
ls tls/
kubectl create secret generic tls-certs --from-file=tls/
Examine the tls-certs secret:
kubectl describe secrets tls-certs
- How many items are stored under the
tls-certssecret? - What are key the names?
The nginx container also needs a configuration file to setup the secure reverse proxy. In this tutorial you will create a configmap from the proxy.conf nginx configuration file.
Look at the contents of the nginx/proxy.conf nginx configuration file and then create the nginx-proxy-conf configmap based on it:
cat nginx/proxy.conf
kubectl create configmap nginx-proxy-conf --from-file=nginx/proxy.confExamine the nginx-proxy-conf configmap:
kubectl describe configmaps nginx-proxy-conf
- How many items are stored under the
nginx-proxy-confconfigmap? - What are the key names?
In this tutorial you will expose the nginx-proxy-conf configmap and the tls-certs secrets to the secure-monolith pod at runtime:
Examine the secure-monolith pod configuration file:
cat pods/secure-monolith.yaml
- How are secrets exposed to the
secure-monolithPod? - How are configmaps exposed to the
secure-monolithPod?
Create the secure-monolith Pod using kubectl:
kubectl create -f pods/secure-monolith.yaml
Forward local port 10443 to 443 of the secure-monolith Pod:
kubectl port-forward secure-monolith 10443:443
Use the curl command to test the HTTPS endpoint:
curl --cacert tls/ca.pem https://127.0.0.1:10443
Use the kubectl logs command to verify traffic to the secure-monolith Pod:
kubectl logs -c nginx secure-monolith
Secrets and Configmaps allow you to store application secrets and configuration data, then expose them to Pods at runtime. In this lab you learned how to expose Secrets and Configmaps to Pods using volume mounts. You also learned how to run multiple containers in a single Pod.