LAB12a: More ConfigMap & Secret

LAB90a: More ConfigMap & Secrets

✔ All secret types
✔ Why base64 exists
✔ What happens when you give non-base64 data
✔ Use-cases of TLS, SSH, Docker, and others
✔ Full working examples:

  • Nginx + TLS config

  • Private Docker registry pull

  • SSH-based Pod running Ansible playbook stored in ConfigMap


1. SECRET TYPES IN KUBERNETES

Kubernetes supports several “flavors” of secrets:

Type                                   Meaning
Opaque                                 Default, arbitrary key-values
kubernetes.io/tls                      Cert + key pair for HTTPS
kubernetes.io/dockerconfigjson         Docker registry credentials
kubernetes.io/basic-auth               Username/password pairs
kubernetes.io/ssh-auth                 SSH private keys
kubernetes.io/service-account-token    Auto-generated for SA

Each has a specific structure.


2. Why Are Values Base64?

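  • Binary-safe transport: you can store any bytes, not just printable characters.

  • Consistent API formatting

  • Avoids YAML parse issues

Base64 is an encoding, not encryption: anyone who can read the Secret object can decode its values.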

❓ What if you put plain text instead of base64?

Kubernetes will throw:

or

Values under .data must be base64-encoded. Alternatively, put plain-text values under .stringData and Kubernetes encodes them for you.
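The .data rule above and the per-type structure mentioned in section 1 can be checked before a manifest reaches the cluster. This is an added example, not part of the original lab: lint_secret and the sample manifests are constructed for illustration, and the required-key table is taken from the Kubernetes documentation for the built-in types.

```python
import base64

# Required keys per built-in Secret type (from the Kubernetes docs, not this lab).
REQUIRED_KEYS = {
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
}


def lint_secret(manifest):
    """Return a list of problems found in a Secret manifest given as a dict."""
    problems = []
    data = manifest.get("data") or {}
    string_data = manifest.get("stringData") or {}

    # .data values must be base64; .stringData values are taken as plain text.
    for key, value in data.items():
        try:
            # validate=True rejects characters outside the base64 alphabet
            base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            problems.append(f"data.{key}: not valid base64")

    secret_type = manifest.get("type", "Opaque")
    present = set(data) | set(string_data)
    for key in sorted(REQUIRED_KEYS.get(secret_type, set()) - present):
        problems.append(f"{secret_type}: missing required key {key}")
    # basic-auth needs at least one of username / password
    if secret_type == "kubernetes.io/basic-auth" and not present & {"username", "password"}:
        problems.append(f"{secret_type}: needs username or password")
    return problems


# Constructed sample manifests (not from the lab).
PEM_IN_DATA = {"type": "kubernetes.io/tls",
               "data": {"tls.crt": "-----BEGIN CERTIFICATE-----"}}
ENCODED = {"type": "kubernetes.io/basic-auth", "data": {"username": "YWRtaW4="}}
PLAIN_VIA_STRINGDATA = {"type": "Opaque", "stringData": {"password": "S3cr3t!"}}
# "pass" is plain text that happens to be valid base64, so it passes the check
# and would be stored as the bytes b"\xa5\xab," rather than as the word "pass".
LOOKS_ENCODED = {"type": "Opaque", "data": {"password": "pass"}}

if __name__ == "__main__":
    for name in ("PEM_IN_DATA", "ENCODED", "PLAIN_VIA_STRINGDATA", "LOOKS_ENCODED"):
        print(name, lint_secret(globals()[name]))
```

The LOOKS_ENCODED case is the one to watch for in review: a short plain-text value under .data can decode cleanly and leave the application with the wrong credential, which no format check can detect.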


3. DIFFERENT SECRET USE CASES


CASE 1 — TLS SECRET + SIMPLE NGINX POD

Step 1: Generate TLS cert

Step 2: Create the TLS Secret

This produces:


Step 3: Nginx pod using TLS

Step 4: Custom Nginx conf (ConfigMap)

Mount this too:

Voilà — HTTPS Nginx in one Pod 🌤️


CASE 2 — DOCKER REGISTRY SECRET & PRIVATE IMAGE PULL

Step 1: Generate docker creds

If your private registry is registry.example.com:

This populates:


Step 2: Create Kubernetes Docker Secret

Docker Hub

Creates:


Step 3: Use secret in a Pod


CASE 3 — SSH SECRET + POD RUNNING ANSIBLE PLAYBOOK


Step 1: Generate SSH key

Copy the public key to the remote host:


Step 2: Create SSH Secret

This generates:


Step 3: Create Ansible Playbook in ConfigMap


Step 4: Pod With ssh + ansible-runner


SUMMARY TABLE

Use Case                  Secret Type                       Why
TLS for HTTPS             kubernetes.io/tls                 Cert + key pair
SSH access                kubernetes.io/ssh-auth            Private key only
Docker registry           kubernetes.io/dockerconfigjson    Auth to pull private images
Random app credentials    Opaque                            Generic key-value
