Kubernetes
K8s
Last updated
Copyright© 2023 CloudTruth
K8s
Last updated
This walkthrough shows you how to use various methods of passing CloudTruth parameters to K8s as and . You also still have the option of using the pods.
Creating K8s Secrets
Creating K8s ConfigMaps
KubeTruth automated K8s config management
You have a working knowledge of K8s.
You have.
You have created one or more .
You have created a .
store your sensitive information such as your CloudTruth API key or any secrets required by your specific app. You can multiple ways.
Create a CLOUDTRUTH_API_KEY secret
The **** kubectl create secret
command will create a base64 encoded K8s secret. You can directly provide CLOUDTRUTH_API_KEY="YOUR_TOKEN"
as a literal to use in your pods with the CloudTruth CLI.
You can also store your secrets in CloudTruth and pass them directly to kubectl with the CloudTruth CLI. Here we have a parameter CLOUDTRUTH_API_KEY
created in CloudTruth and use the following cli command to retrieve and pass the value in one step.
You can also create K8s secrets by applying a yaml secret file. The secret must be base64 encoded in the yaml file itself.
Once your ConfigMap parameters are added to CloudTruth, create a CloudTruth ConfigMap template.
This is an example CloudTruth template for a flask application ConfigMap. CloudTruth will automatically populate values based on your specified environment.
Now you can easily create ConfigMaps across your customized projects and environments. This will directly apply a ConfigMap by using the CloudTruth cli to dynamically generate parameters from a template flask-configmap
in project Flask
.
Alternatively you can also use CloudTruth templates to generate yaml files for your configmaps.
With the ever growing number of services, managing a K8s deployment brings continuously expanding configuration complexity.
KubeTruth integrates with CloudTruth providing you an automated K8s configuration management system.
KubeTruth is designed to dynamically build and update K8s ConfigMaps and Secrets while providing you centralized control over your data across a sprawling combination of projects and environments.
You can get started by adding the CloudTruth repo to Helm.
Once installed KubeTruth will create ConfigMaps and Secrets for each CloudTruth project. It will dynamically poll CloudTruth and update any changes directly within K8s! This provides you a centralized management source for your pods configuration values.
ConfigMaps and Secrets managed by KubeTruth get created with a label: app.kubernetes.io/managed-by: kubetruth
You can find KubeTruth created resources with the -l option.
Here are some common use case examples of configuring the root installation and working with the CRD overrides.
Patch projectMappings.root.spec.context.resource_namespace
to create a namespace per CloudTruth project.
Inheriting parameters from a base project
If you have a common set of parameters that you would like to be present in all of your ConfigMaps and Secrets you can specify a project to import it's parameters across other projects.
You can patch projectMappings.root.spec.included_projects
which will import all Parameters from a CloudTruth project named base
into our other configmaps and secrets.
Inheritance is non-recursive. If project A imports B and B imports C, then A will only get B's parameters. For key conflicts, if project A includes [B, C], then the precedence is A overrides C overrides B.
You can create a kind: ProjectMapping
with an override scope for customization of naming conventions and key filters. This allows you to create custom configmaps and secrets that do not have to follow the exact project layout in CloudTruth.
Let's break down what the options in this override spec does to the resources it will create.
Take caution when applying generic overrides as they can affect all resources. Overrides can be can be combined with a project_selector to ensure they do not affect all project configmaps and secrets.
You can view your CRD root
and override
configurations with kubectl.
kubectl get projectmapping -A
Updating or adding a CRD will automatically trigger KubeTruth to poll. You can also automatically trigger an update by issuing the following command:
So you don't want KubeTruth to create ConfigMaps and Secrets for all of your services at go?
Here is an example that sets the Project Mapping root
to skip all projects on installation. It then specifies an override CRD called myoverride
that will select project MY_PROJECT
to be the only one configured at install time.
This is an example values.yaml file that will perform the same project mapping customizations as the command above.
Now you can install with the following helm command and pass in the values.yaml file.
You can find the open source KubeTruth Repository below with a detailed ReadMe.
Some basic KubeTruth rules.
The first rule of KubeTruth is to make sure you talk about KubeTruth!
KubeTruth will not delete created configmaps or secrets on uninstall.
KubeTruth will delete parameters from a configmap if removed from the CloudTruth project
KubeTruth will add parameters to a configmap if created in the CloudTruth project
KubeTruth will delete a secret from K8s secrets if removed from the CloudTruth project
KubeTruth will add a secret to K8s secrets if created in the CloudTruth project
KubeTruth will not overwrite any existing ConfigMaps and Secrets that do not have the label app.kubernetes.io/managed-by: kubetruth
K8s Secrets can then be accessed in standard ways. You can access your CloudTruth API key as an environment variable inside your Deployment yaml with .
Review the K8s docs for details on how secrets are stored as unencrypted base64-encoded strings.
allow you to store non secret type data in key-value pairs that can be consumed by pods in various ways. ConfigMaps can be built from parameters managed directly in CloudTruth providing you flexibility to build out a hierarchy of K8s projects and environments with unique keys and values.
You can now use helm to install KubeTruth in a dedicated namespace demokubetruth
. Provide your CloudTruth and the targeted CloudTruth .
Project requirements differ so KubeTruth allows customization with a Custom Resource Definition. This allows you to with standard K8s practices.
There are a wide variety of override options. Here is the full .
KubeTruth can also dynamically apply directly from a . This can be useful when you want customized configmaps or even application . KubeTruth will look for templates to apply by specifying them as templates.NAME
. The following override will apply CloudTruth template game-demo-template
in project configmap
. The template is formed as a ConfigMap in CloudTruth.
You can also customize the desired behavior of KubeTruth at install time using the Custom Resource Definition with Helm. All of the current can be used at install time.
Helm allows you to set all of these installation parameters in a file.
There are additional examples in the repository on how to use KubeTruth for as well as creating .
project_selector
Regex to to use CloudTruth project MY_PROJECT
.
key_selector
Regex to limit the key fetched in the project to contains FOO
.
context.resource_name
Renames the ConfigMap and Secret to custom-name
context.resource_namespace
Creates resources in new namespace custom-ns-name