My use of Kubernetes so far has been quite limited, my primary use has been for configuration storage including passwords or secrets. General information is available at Production-Grade Container Orchestration - Kubernetes.
The command line documentation for "kubectl" is available at Kubectl Reference Docs.
This is a good introduction video, for those that are new to Kubernetes.
I don't fully understand this yet so do feel free to comment or advise me. My work has involved two types of configuration, secrets and config maps, however to be clear that is "secret generic" rather than the other types of secret that are available. It is worth reading Secrets - Kubernetes and Configure a Pod to Use a ConfigMap - Kubernetes for some background on these.
There are a couple of other things to be aware of, firstly there are Kubernetes Clusters and you will most likely have different clusters for different environments, secondly there are namespaces, which can be a useful way of using the same cluster for different purposes. Before we can interact with a Kubernetes Cluster we need to authenticate to it. My work has been based on Google Cloud Platform hence my account was first authenticated with this. Then I could use the following command:gcloud container clusters get-credentials geoffs-cluster --project=geoff-demo-project --zone=europe-west1-a
You can see that I have a GCP project called "geoff-demo-project" and in this there is a Kubernetes cluster called "geoffs-cluster", so this is where the configuration is going to be stored.
Let's first create a secret, usually this is a password, however I am clearly not going to put a real one here, but you get the idea:kubectl create secret generic geoffs-password --namespace=dev --from-literal=SYSTEM_PASSWORD=mysecretpassword
This will store "mysecretpassword" as SYSTEM_PASSWORD, we can get this back as follows:kubectl get secret geoffs-password --namespace=dev
However the output from this will really just confirm it exists and how old it is, sokubectl get secret geoffs-password --namespace=dev --output=json
Will give you the password and the metadata for the configuration item. However you will notice the password is Base 64 encoded, first though let's get just the password and fortunately there is an easy way to do this:kubectl get secret geoffs-password --namespace=dev --output=jsonpath='{$.data.SYSTEM_PASSWORD}'
Which does just the password, which if you then pipe into the base64 command you can decode itkubectl get secret geoffs-password --namespace=dev --output=jsonpath='{$.data.SYSTEM_PASSWORD}' | base64 --decode
Of course this you can then temporarily store in an environment variable or something but do use it with care! Sometimes things move on and you want to remove items, so this is done as follows:kubectl delete secret geoffs-password --namespace=dev
One interesting issue I came across is that if your password has some special characters in then using --from-literal might not work, hence you will need to use --from-file. Working with the example above, let's consider what you would do. The first step is to put the password into a file, this needs to a plain text file with no "new line" characters on the end, so first, do this:echo -n 'mysecretpassword' > ./SYSTEM_PASSWORD
It is important to note that the exact name of the file is what the item is named, so if you add ".txt" this will become part of the item name! The "-n" switch tells the echo command to not append a new line, without it this would be added and then become part of the password. Now that we have the file then the following command will work:kubectl create secret generic geoffs-password --namespace=dev --from-file=./SYSTEM_PASSWORD
Lastly, don't forget to delete the file!
With a config map there is arguably a lot more stuff that you would want to store, however the approach and technique is very similar, so have a look at the following:kubectl get configmaps --namespace=devkubectl create configmap system-data --namespace=testkubectl create configmap system-data --namespace=dev --from-literal=MY-URL=https://geoffdoesstuff.com --from-literal=USER=fictionkubectl get configmap system-data --namespace=dev --output=jsonkubectl get configmap system-data --namespace=dev --output=jsonpath='{$.data.MY-URL}'kubectl delete configmap system-data --namespace=dev
There is a lot more to this, however I hope this jogs my memory in future and gives others a good starting point.
In all the examples above we have worked with just one cluster, however you might have a second cluster in your project. So first off you need to authenticate with it:gcloud container clusters get-credentials geoffs-cluster-two --project=geoff-demo-project --zone=europe-west1-a
Then you can execute the following command to see your list of authenticated contexts:kubectl config get-contexts
This will lists your context and from the NAME column you can then switch contexts as follows:kubectl config use-context <context-name>
You can tell this has worked because the asterisk in the "get-contexts" command output will have moved.
I have not used these myself but a respected colleague recommended the following:
dtan4/k8sec: CLI tool to manage Kubernetes Secrets easily - which should help with secrets
wercker/stern: Multi pod and container log tailing for Kubernetes - a handy logging analysis tool
ahmetb/kubectl-tree: kubectl plugin to browse Kubernetes object hierarchies as a tree - not used but looks interesting
Depending on requirements there are some Kubernetes alternatives that might be useful:
Welcome! | minikube
MicroK8s - Zero-ops Kubernetes for developers, edge and IoT
These might be handy:
Kubernetes Cheat Sheet – Linux Academy