LAB12a: More ConfigMap & Secret

LAB90a: More ConfigMap & Secrets

✔ All secret types ✔ Why base64 exists ✔ What happens when you give non-base64 data ✔ Use-cases of TLS, SSH, Docker, and others ✔ Full working examples:

Nginx + TLS config
Private Docker registry pull
SSH-based Pod running Ansible playbook stored in ConfigMap

1. SECRET TYPES IN KUBERNETES

Kubernetes supports several “flavors” of secrets:

Type

Meaning

Opaque

Default, arbitrary key-values

kubernetes.io/tls

Cert + key pair for HTTPS

kubernetes.io/dockerconfigjson

Docker registry credentials

kubernetes.io/basic-auth

username/password pairs

kubernetes.io/ssh-auth

SSH private keys

kubernetes.io/service-account-token

Auto-generated for SA

Each has a specific structure.

2. Why Values Are Base64?

✔ Binary-safe transport

You can store any bytes, not just printable characters.

✔ Consistent API formatting

✔ Avoid YAML parse issues

❓ What if you put plain text instead of base64?

Kubernetes will throw:

data: Invalid value: “mypassword”: invalid byte sequence

error: illegal base64 data at input byte…

Secrets must be base64 in .data. But you can use .stringData (K8s auto-encodes for you).

3. DIFFERENT SECRET USE CASES

CASE 1 — TLS SECRET + SIMPLE NGINX POD

Step 1: Generate TLS cert

openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout tls.key \
  -out tls.crt \
  -subj "/CN=nginx.local"

Step 2: Create the TLS Secret

kubectl create secret tls my-tls-secret \
  --cert=tls.crt \
  --key=tls.key

This produces:

type: kubernetes.io/tls
data:
  tls.crt: <base64>
  tls.key: <base64>

Step 3: Nginx pod using TLS

apiVersion: v1
kind: Pod
metadata:
  name: nginx-tls
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 443
      volumeMounts:
        - name: tls
          mountPath: /etc/nginx/tls
  volumes:
    - name: tls
      secret:
        secretName: my-tls-secret

Step 4: Custom Nginx conf (ConfigMap)

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-tls-conf
data:
  default.conf: |
    server {
      listen 443 ssl;
      ssl_certificate     /etc/nginx/tls/tls.crt;
      ssl_certificate_key /etc/nginx/tls/tls.key;

      location / {
        return 200 "Hello TLS\n";
      }
    }

Mount this too:

volumeMounts:
  - name: tls
    mountPath: /etc/nginx/tls
  - name: conf
    mountPath: /etc/nginx/conf.d
volumes:
  - name: tls
    secret:
      secretName: my-tls-secret
  - name: conf
    configMap:
      name: nginx-tls-conf

Voilà — HTTPS Nginx in one Pod 🌤️

CASE 2 — DOCKER REGISTRY SECRET & PRIVATE IMAGE PULL

Step 1: Generate docker creds

If your private registry is registry.example.com:

docker login registry.example.com

This populates:

~/.docker/config.json

Step 2: Create Kubernetes Docker Secret

kubectl create secret docker-registry regcred \
  --docker-server=registry.example.com \
  --docker-username=myuser \
  --docker-password=mypassword \
  [email protected]

Dockerhub

kubectl create secret docker-registry regcred \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=YOUR_DOCKERHUB_USERNAME \
  --docker-password=YOUR_DOCKERHUB_PAT \
  [email protected]

Creates:

type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64>

Step 3: Use secret in a Pod

apiVersion: v1
kind: Pod
metadata:
  name: my-private-pod
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: app
      image: registry.example.com/myapp:latest

CASE 3 — SSH SECRET + POD RUNNING ANSIBLE PLAYBOOK

Step 1: Generate SSH key

ssh-keygen -t rsa -b 2048 -f id_rsa -N ""

Copy the public key to remote:

ssh-copy-id -i id_rsa.pub ubuntu@remote-host

Step 2: Create SSH Secret

kubectl create secret generic ssh-secret \
  --from-file=ssh-privatekey=id_rsa \
  --type=kubernetes.io/ssh-auth

This generates:

type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64>

Step 3: Create Ansible Playbook in ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: ansible-play
data:
  playbook.yml: |
    - hosts: all
      gather_facts: yes
      tasks:
        - name: Print host info
          debug:
            msg:
              - "Hostname: {{ ansible_hostname }}"
              - "IP: {{ ansible_default_ipv4.address }}"
              - "CPU: {{ ansible_processor_count }}"
              - "Memory: {{ ansible_memtotal_mb }} MB"
              - "Storage: {{ ansible_mounts[0].size_total }}"

Step 4: Pod With ssh + ansible-runner

apiVersion: v1
kind: Pod
metadata:
  name: ansible-runner
spec:
  containers:
    - name: ansible
      image: cytopia/ansible:latest
      command: ["/bin/sh", "-c"]
      args:
        - |
          mkdir -p /root/.ssh;
          cp /ssh/id_rsa /root/.ssh/id_rsa;
          chmod 600 /root/.ssh/id_rsa;
          ansible-playbook /play/playbook.yml -i 'remote-host,' -u ubuntu;
          sleep 3600;
      volumeMounts:
        - name: ssh
          mountPath: /ssh
        - name: play
          mountPath: /play
  volumes:
    - name: ssh
      secret:
        secretName: ssh-secret
        items:
          - key: ssh-privatekey
            path: id_rsa
    - name: play
      configMap:
        name: ansible-play

SUMMARY TABLE

Use Case

Secret Type

Why

TLS for HTTPS

kubernetes.io/tls

Cert + key pair

SSH access

kubernetes.io/ssh-auth

Private key only

Docker registry

kubernetes.io/dockerconfigjson

Auth to pull private images

Random app credentials

Opaque

Generic key-value

PreviousLAB12: ConfigMap & Secret NextLAB13: TLS Implementation

Last updated 1 month ago

Good night

hashtagLAB90a: More ConfigMap & Secrets

hashtag1. SECRET TYPES IN KUBERNETES

hashtag2. Why Values Are Base64?

hashtag✔ Binary-safe transport

hashtag✔ Consistent API formatting

hashtag✔ Avoid YAML parse issues

hashtag❓ What if you put plain text instead of base64?

hashtag3. DIFFERENT SECRET USE CASES

hashtagCASE 1 — TLS SECRET + SIMPLE NGINX POD

hashtagStep 1: Generate TLS cert

hashtagStep 2: Create the TLS Secret

hashtagStep 3: Nginx pod using TLS

hashtagStep 4: Custom Nginx conf (ConfigMap)

hashtagCASE 2 — DOCKER REGISTRY SECRET & PRIVATE IMAGE PULL

hashtagStep 1: Generate docker creds

hashtagStep 2: Create Kubernetes Docker Secret

hashtagStep 3: Use secret in a Pod

hashtagCASE 3 — SSH SECRET + POD RUNNING ANSIBLE PLAYBOOK

hashtagStep 1: Generate SSH key

hashtagStep 2: Create SSH Secret

hashtagStep 3: Create Ansible Playbook in ConfigMap

hashtagStep 4: Pod With ssh + ansible-runner

hashtagSUMMARY TABLE