Source from repo
Kubernetes Specialist

Deploy and manage Kubernetes workloads: manifests, RBAC, Helm charts, service mesh, GitOps, and troubleshooting.
jeffallanGitHub jeffallanSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
129.5 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/configuration.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown453 linesFree
references/configuration.md
1# Kubernetes Configuration Management
2 
3## ConfigMap Patterns
4 
5### Basic ConfigMap
6 
7```yaml
8apiVersion: v1
9kind: ConfigMap
10metadata:
11  name: app-config
12  namespace: production
13data:
14  # Simple key-value pairs
15  database.host: "postgres-service.database.svc.cluster.local"
16  database.port: "5432"
17  database.name: "appdb"
18 
19  # Multi-line configuration
20  app.properties: |
21    server.port=8080
22    logging.level=INFO
23    cache.enabled=true
24    cache.ttl=3600
25 
26  # JSON configuration
27  features.json: |
28    {
29      "featureA": true,
30      "featureB": false,
31      "maxConnections": 100
32    }
33 
34  # YAML configuration
35  config.yaml: |
36    server:
37      port: 8080
38      timeout: 30s
39    database:
40      pool_size: 20
41      max_connections: 100
42```
43 
44### ConfigMap from Files
45 
46```bash
47# Create from literal values
48kubectl create configmap app-config \
49  --from-literal=database.host=postgres \
50  --from-literal=database.port=5432
51 
52# Create from file
53kubectl create configmap nginx-config \
54  --from-file=nginx.conf
55 
56# Create from directory
57kubectl create configmap app-configs \
58  --from-file=configs/
59```
60 
61## Secret Patterns
62 
63### Opaque Secret (Generic)
64 
65```yaml
66apiVersion: v1
67kind: Secret
68metadata:
69  name: app-secrets
70  namespace: production
71type: Opaque
72stringData:
73  # Plain text (will be base64 encoded)
74  db-password: "MySecurePassword123!"
75  api-key: "sk-1234567890abcdef"
76  jwt-secret: "super-secret-jwt-key"
77data:
78  # Already base64 encoded
79  tls.crt: LS0tLS1CRUdJTi...
80  tls.key: LS0tLS1CRUdJTi...
81```
82 
83### TLS Secret
84 
85```yaml
86apiVersion: v1
87kind: Secret
88metadata:
89  name: example-tls
90  namespace: production
91type: kubernetes.io/tls
92stringData:
93  tls.crt: |
94    -----BEGIN CERTIFICATE-----
95    MIIDXTCCAkWgAwIBAgIJAKZ...
96    -----END CERTIFICATE-----
97  tls.key: |
98    -----BEGIN PRIVATE KEY-----
99    MIIEvQIBADANBgkqhkiG9w0B...
100    -----END PRIVATE KEY-----
101```
102 
103### Docker Registry Secret
104 
105```yaml
106apiVersion: v1
107kind: Secret
108metadata:
109  name: registry-credentials
110  namespace: production
111type: kubernetes.io/dockerconfigjson
112stringData:
113  .dockerconfigjson: |
114    {
115      "auths": {
116        "myregistry.io": {
117          "username": "myuser",
118          "password": "mypassword",
119          "email": "[email protected]",
120          "auth": "bXl1c2VyOm15cGFzc3dvcmQ="
121        }
122      }
123    }
124```
125 
126### Basic Auth Secret
127 
128```yaml
129apiVersion: v1
130kind: Secret
131metadata:
132  name: basic-auth
133  namespace: production
134type: kubernetes.io/basic-auth
135stringData:
136  username: admin
137  password: super-secret-password
138```
139 
140### SSH Auth Secret
141 
142```yaml
143apiVersion: v1
144kind: Secret
145metadata:
146  name: ssh-key
147  namespace: production
148type: kubernetes.io/ssh-auth
149stringData:
150  ssh-privatekey: |
151    -----BEGIN OPENSSH PRIVATE KEY-----
152    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA...
153    -----END OPENSSH PRIVATE KEY-----
154```
155 
156## Using ConfigMaps and Secrets
157 
158### Environment Variables
159 
160```yaml
161apiVersion: v1
162kind: Pod
163metadata:
164  name: app-pod
165spec:
166  containers:
167  - name: app
168    image: myapp:latest
169    env:
170    # Single value from ConfigMap
171    - name: DATABASE_HOST
172      valueFrom:
173        configMapKeyRef:
174          name: app-config
175          key: database.host
176 
177    # Single value from Secret
178    - name: DATABASE_PASSWORD
179      valueFrom:
180        secretKeyRef:
181          name: app-secrets
182          key: db-password
183 
184    # All keys from ConfigMap as env vars
185    envFrom:
186    - configMapRef:
187        name: app-config
188      prefix: CONFIG_
189 
190    # All keys from Secret as env vars
191    - secretRef:
192        name: app-secrets
193      prefix: SECRET_
194```
195 
196### Volume Mounts
197 
198```yaml
199apiVersion: v1
200kind: Pod
201metadata:
202  name: app-pod
203spec:
204  containers:
205  - name: app
206    image: myapp:latest
207    volumeMounts:
208    # Mount entire ConfigMap as directory
209    - name: config-volume
210      mountPath: /etc/config
211      readOnly: true
212 
213    # Mount specific key as file
214    - name: app-properties
215      mountPath: /etc/app/app.properties
216      subPath: app.properties
217      readOnly: true
218 
219    # Mount Secret as files
220    - name: secrets-volume
221      mountPath: /etc/secrets
222      readOnly: true
223 
224    # Mount TLS certificates
225    - name: tls-certs
226      mountPath: /etc/tls
227      readOnly: true
228 
229  volumes:
230  - name: config-volume
231    configMap:
232      name: app-config
233 
234  - name: app-properties
235    configMap:
236      name: app-config
237      items:
238      - key: app.properties
239        path: app.properties
240 
241  - name: secrets-volume
242    secret:
243      secretName: app-secrets
244      defaultMode: 0400  # Read-only for owner
245 
246  - name: tls-certs
247    secret:
248      secretName: example-tls
249```
250 
251## Immutable ConfigMaps and Secrets
252 
253```yaml
254apiVersion: v1
255kind: ConfigMap
256metadata:
257  name: immutable-config
258  namespace: production
259immutable: true
260data:
261  key: value
262---
263apiVersion: v1
264kind: Secret
265metadata:
266  name: immutable-secret
267  namespace: production
268type: Opaque
269immutable: true
270stringData:
271  password: "MyPassword123"
272```
273 
274## External Secrets Operator
275 
276```yaml
277apiVersion: external-secrets.io/v1beta1
278kind: ExternalSecret
279metadata:
280  name: app-secrets
281  namespace: production
282spec:
283  refreshInterval: 1h
284  secretStoreRef:
285    name: aws-secrets-manager
286    kind: SecretStore
287  target:
288    name: app-secrets
289    creationPolicy: Owner
290  data:
291  - secretKey: db-password
292    remoteRef:
293      key: prod/database/password
294  - secretKey: api-key
295    remoteRef:
296      key: prod/api/key
297---
298apiVersion: external-secrets.io/v1beta1
299kind: SecretStore
300metadata:
301  name: aws-secrets-manager
302  namespace: production
303spec:
304  provider:
305    aws:
306      service: SecretsManager
307      region: us-east-1
308      auth:
309        jwt:
310          serviceAccountRef:
311            name: external-secrets-sa
312```
313 
314## Sealed Secrets (GitOps)
315 
316```yaml
317apiVersion: bitnami.com/v1alpha1
318kind: SealedSecret
319metadata:
320  name: app-secrets
321  namespace: production
322spec:
323  encryptedData:
324    db-password: AgBj8xK5...encrypted...base64
325    api-key: AgCY9mL2...encrypted...base64
326  template:
327    metadata:
328      name: app-secrets
329      namespace: production
330    type: Opaque
331```
332 
333## Environment Variable Best Practices
334 
335### Structured Environment Variables
336 
337```yaml
338apiVersion: v1
339kind: Pod
340metadata:
341  name: app
342spec:
343  containers:
344  - name: app
345    image: myapp:latest
346    env:
347    # Application settings
348    - name: APP_NAME
349      value: "my-application"
350    - name: APP_ENV
351      value: "production"
352    - name: APP_VERSION
353      value: "v1.2.0"
354 
355    # Database configuration
356    - name: DB_HOST
357      valueFrom:
358        configMapKeyRef:
359          name: app-config
360          key: database.host
361    - name: DB_PORT
362      valueFrom:
363        configMapKeyRef:
364          name: app-config
365          key: database.port
366    - name: DB_NAME
367      valueFrom:
368        configMapKeyRef:
369          name: app-config
370          key: database.name
371    - name: DB_USER
372      valueFrom:
373        secretKeyRef:
374          name: app-secrets
375          key: db-username
376    - name: DB_PASSWORD
377      valueFrom:
378        secretKeyRef:
379          name: app-secrets
380          key: db-password
381 
382    # Kubernetes metadata
383    - name: POD_NAME
384      valueFrom:
385        fieldRef:
386          fieldPath: metadata.name
387    - name: POD_NAMESPACE
388      valueFrom:
389        fieldRef:
390          fieldPath: metadata.namespace
391    - name: POD_IP
392      valueFrom:
393        fieldRef:
394          fieldPath: status.podIP
395    - name: NODE_NAME
396      valueFrom:
397        fieldRef:
398          fieldPath: spec.nodeName
399 
400    # Resource limits
401    - name: MEMORY_LIMIT
402      valueFrom:
403        resourceFieldRef:
404          containerName: app
405          resource: limits.memory
406    - name: CPU_REQUEST
407      valueFrom:
408        resourceFieldRef:
409          containerName: app
410          resource: requests.cpu
411```
412 
413## Dynamic Configuration Updates
414 
415```yaml
416apiVersion: v1
417kind: Deployment
418metadata:
419  name: app
420spec:
421  template:
422    metadata:
423      annotations:
424        # Force pod restart on config change
425        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
426        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
427    spec:
428      containers:
429      - name: app
430        image: myapp:latest
431        volumeMounts:
432        - name: config
433          mountPath: /etc/config
434          readOnly: true
435      volumes:
436      - name: config
437        configMap:
438          name: app-config
439```
440 
441## Best Practices
442 
4431. **Separation**: Use ConfigMaps for non-sensitive data, Secrets for credentials
4442. **Immutability**: Mark production configs as immutable for safety
4453. **Versioning**: Include version in ConfigMap/Secret names for updates
4464. **Least Privilege**: Mount secrets as files with restrictive permissions (0400)
4475. **External Secrets**: Use External Secrets Operator for cloud secret managers
4486. **No Hardcoding**: Never hardcode secrets in container images
4497. **Encryption**: Enable encryption at rest for Secrets in etcd
4508. **GitOps**: Use Sealed Secrets for safe GitOps workflows
4519. **Rotation**: Implement secret rotation strategies
45210. **Validation**: Validate configuration before deployment
453
Preparing the source view

Kubernetes Specialist

references/configuration.md
