Merge ConfigMap and Secrets


TL;DR

To use a Secret value within a ConfigMap you can use an initContainer to call a template engine.

The premise

In the previous post, I presented how to use kubernetes-event-exporter with Elasticsearch.

One of the problems I faced is that the tool doesn’t follow the configuration guidelines from the 12-factor app methodology.

That is to say, we have to put the credentials in the YAML configuration rather than in an environment variable :-(

As for Kubernetes, it doesn’t allow us to mix Secret values within a ConfigMap.

The solution

To solve that issue, we have 3 components:

  1. the Secret as-is
  2. the ConfigMap which will have the configuration as a template
  3. the initContainer that will merge the two

SecretMap

The secret comes from the ECK Operator; we can get it with kubectl get secrets quickstart-es-elastic-user -o yaml:

apiVersion: v1
kind: Secret
data:
  elastic: YU80bnc4NzZWMXBWMThOZThqOFlnOE1r

ConfigMap

In the case of k8s-events-reporting the ConfigMap looks like this:

The important piece is the last line: <%= %> is the ERB syntax to call Ruby code, and ENV is a hash to access the environment variables.

Why ERB?

  1. Because I ♥ Ruby!
  2. Because the erb command-line tool comes with the official ruby Docker image (there is no need for a custom Dockerfile and therefore no maintenance)

initContainer

Last but not least, here is the Deployment with the initContainer config that will craft the config file from both the Secret passed as an environment variable and the ConfigMap template. The event-exporter container can later use that file.
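
The render step that the initContainer performs on the ConfigMap template, as an added example (not the post's own ConfigMap or Deployment): it contrasts a bare ENV lookup with a helper that fails when the variable is unset and quotes the value so YAML-significant characters survive. The template content, the ES_PASSWORD variable name and the ConfigRenderer / secret / password_in names are assumptions made for illustration.

```ruby
require 'erb'
require 'json'
require 'yaml'

# Constructed template standing in for the ConfigMap content (assumed keys).
TEMPLATE = <<~'TPL'
  receivers:
    - name: dump
      elasticsearch:
        username: elastic
        password: <%= secret('ES_PASSWORD') %>
TPL

# Hypothetical helper class: renders the template against an ENV-like object.
class ConfigRenderer
  def initialize(env, strict: true)
    @env = env
    @strict = strict
  end

  # strict: false reproduces a bare <%= ENV['NAME'] %> lookup.
  def secret(name)
    return @env[name] unless @strict
    value = @env.fetch(name)            # KeyError when the variable is unset
    raise ArgumentError, "#{name} is empty" if value.empty?
    value.to_json                       # JSON string is a valid YAML double-quoted scalar
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Reads the password back out of a rendered config, as the consumer would.
def password_in(yaml_text)
  YAML.safe_load(yaml_text)['receivers'][0]['elasticsearch']['password']
end

if $PROGRAM_NAME == __FILE__
  env = { 'ES_PASSWORD' => 'Tr0ub4dor #3 "x"' }   # constructed sample value
  puts ConfigRenderer.new(env).render(TEMPLATE)
  # Bare lookup: " #" starts a YAML comment, so the password is cut short.
  puts password_in(ConfigRenderer.new(env, strict: false).render(TEMPLATE)).inspect
end
```

Inside the initContainer, ENV takes the place of the constructed hash; an unset or empty variable then raises, the container exits non-zero and the pod does not start with a blank password.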