zilcuanu

Reputation: 3715

Passing application configuration using K8s ConfigMaps

How do I pass application.properties to a Spring Boot application using ConfigMaps? Since the application.yml file contains sensitive information, this requires passing in both Secrets and ConfigMaps. In this case, what options do we have to pass both the sensitive and non-sensitive configuration data to the Spring Boot pod? I am currently using Spring Cloud Config Server, and Spring Cloud Config Server can encrypt the sensitive data using the encrypt.key and decrypt the key.

Upvotes: 0

Views: 482

Answers (2)

Alan

Reputation: 819

ConfigMaps, as described by @paltaa, would do the trick for non-sensitive information. For sensitive information I would use a SealedSecret.

Sealed Secrets is composed of two parts:

  • A cluster-side controller / operator
  • A client-side utility: kubeseal

The kubeseal utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.

These encrypted secrets are encoded in a SealedSecret resource, which you can see as a recipe for creating a secret.

Once installed you create your secret as normal and you can then:

kubeseal --format=yaml < secret.yaml > sealed-secret.yaml

You can safely push your SealedSecret to GitHub, etc.

This normal Kubernetes secret will appear in the cluster after a few seconds and you can use it as you would use any secret that you would have created directly (e.g. reference it from a Pod).

Upvotes: 1

paltaa

Reputation: 3244

You can mount Secrets as volumes, the same as ConfigMaps. For example:

Create the secret.

kubectl create secret generic ssh-key-secret --from-file=application.properties

Then mount it as volume:

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
  labels:
    name: secret-test
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: ssh-key-secret
  containers:
  - name: ssh-test-container
    image: mySshImage
    volumeMounts:
    - name: secret-volume
      readOnly: true
      # application.properties appears as a file under this directory
      mountPath: "/etc/secret-volume"

More information at https://kubernetes.io/docs/concepts/configuration/secret/

Upvotes: 0
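The two answers above combine into one workflow: non-sensitive properties go into a ConfigMap and sensitive ones into a Secret, which can then be sealed. The following sketch is an added example, not code from either answer; the `SENSITIVE` key pattern, the `app-config` resource names, the `application-secret.properties` file name and the sample properties are all assumptions constructed for illustration.

```python
import base64
import json
import re

# Assumption: property keys containing these words hold sensitive values.
SENSITIVE = re.compile(
    r"(password|passwd|secret|token|credential|private|encrypt\.key|api[-_.]?key)", re.I)

# Constructed sample application.properties (not from the page).
SAMPLE = """\
# datasource
server.port=8080
spring.datasource.url=jdbc:postgresql://db:5432/app
spring.datasource.username=app
spring.datasource.password=example-only
encrypt.key=example-only-key
logging.level.root=INFO
"""

def split_properties(text):
    """Return (public_lines, sensitive_lines) from .properties text."""
    public, sensitive = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # skip blank lines and comments
        key = re.split(r"\s*[=:]\s*", stripped, maxsplit=1)[0]
        (sensitive if SENSITIVE.search(key) else public).append(stripped)
    return public, sensitive

def build_manifests(text, name="app-config"):
    """Build a ConfigMap and a Secret manifest (as dicts) from one properties file."""
    public, sensitive = split_properties(text)
    configmap = {
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": name},
        "data": {"application.properties": "\n".join(public) + "\n"},
    }
    secret_body = ("\n".join(sensitive) + "\n").encode()
    secret = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name + "-secret"},
        # Secret data is only base64-encoded, not encrypted: seal it before committing.
        "data": {"application-secret.properties": base64.b64encode(secret_body).decode()},
    }
    return configmap, secret

if __name__ == "__main__":
    for manifest in build_manifests(SAMPLE):
        print(json.dumps(manifest, indent=2))
```

kubectl accepts JSON manifests, so the ConfigMap can be applied directly, while the Secret is the input to the kubeseal step and should never be committed unsealed.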
