env/ directory contains data that you want to provide to your services as runtime parameters.
Currently, there's only one type of env data supported: secrets.
Imagine you need to pass confidential data, such as a database password or a Twitter consumer key, to a service.
You would use kploy's environment mechanism to provide this data; just make sure that you exclude the
env directory from your version control system (as in: add it, for example, to the .gitignore file).
In the following we have two chunks of secret data, a database password
dbpassword and a Twitter consumer key called
We want to provide these two secrets to services. First, we define them like so:
$ echo "abadpassword" > env/dbpassword.secret $ echo "075d077c888bb0c5a296ad1c65e07267b77c0a9eb264b914621d6b72c770cd84" > env/tck.secret
Note that if you want kploy to treat your env data as a Kubernetes Secret, you MUST add a
.secret file extension to the filename. Only then kploy picks it up and creates two entries in the (namespace-)global Secret
apiVersion: v1 kind: Secret metadata: name: kploy-secrets type: Opaque data: dbpassword: YWJhZHBhc3N3b3Jk tck: MDc1ZDA3N2M4ODhiYjBjNWEyOTZhZDFjNjVlMDcyNjdiNzdjMGE5ZWIyNjRiOTE0NjIxZDZiNzJjNzcwY2Q4NA==
In order for this to work, make sure that the file name (e.g,
tck.secret) is a DNS subdomain as defined in RFC 1035 and that the file size (the payload) does not exceed 1 MB: you'll get a warning if this is the case and your secrets will not be deployed, as a consequence. Note also that kploy will automatically perform the required base64 encoding.
After you've executed
kploy run you can see the secret available:
$ kubectl get secrets --namespace=myns NAME TYPE DATA AGE kploy-secrets Opaque 2 20s
In your app, you can consume a secret then as described below. Here, the password is only dumped to screen, but normally you'd use it for something more meaningful:
$ cat rcs/alpine-use-secret-rc.yaml apiVersion: v1 kind: ReplicationController metadata: name: use-secret-rc spec: replicas: 1 selector: app: secretdump template: metadata: labels: app: secretdump spec: volumes: - name: global-secrets secret: secretName: kploy-secrets containers: - image: alpine:2.7 name: alpine command: ["/bin/sh","-c"] args: ["while true ; do cat /tmp/dbpassword ; sleep 10 ; done"] volumeMounts: - mountPath: "/tmp" name: global-secrets
Note that the following part is fixed:
volumes: - name: global-secrets secret: secretName: kploy-secrets
What you will have to provide is the mount point, that is, setting
volumeMounts: - mountPath: "/tmp" name: global-secrets
How does it work?
What happens with
env/*.secret files is the following: on
kploy run (and only then) kploy will go through the list of files it finds and generate a (namespace-)global Kubernetes Secret called
kploy-secrets. Each secret input file
.secret kploy finds in the
env dir is mapped to a key-value pair that can be consumed from any pod in the app's namespace.
So, you'd start out with creating a bunch of
.secret files in
$ ls -al env/ drwxr-xr-x 2 mhausenblas staff 136 25 Dec 14:48 . drwxr-xr-x 9 mhausenblas staff 748 25 Dec 12:04 .. -rw-r--r--@ 1 mhausenblas staff 13 25 Dec 11:48 dbpassword.secret -rw-r--r-- 1 mhausenblas staff 65 25 Dec 14:48 tck.secret
This would be mapped to two entries in the (namespace-)global Secret called
kploy-secrets as so:
$ $ ./kploy list Resources of app `myns/simple_app`: [Services and RCs] NAME MANIFEST TYPE STATUS URL webserver-svc services/webserver-svc.yaml service online http://126.96.36.199/service/kubernetes/api/v1/namespaces/myns/services/webserver-svc use-secret-rc rcs/alpine-use-secret-rc.yaml RC online http://188.8.131.52/service/kubernetes/api/v1/namespaces/myns/replicationcontrollers/use-secret-rc webserver-rc rcs/nginx-webserver-rc.yaml RC online http://184.108.40.206/service/kubernetes/api/v1/namespaces/myns/replicationcontrollers/webserver-rc ================================================================================ [Secrets] URL: http://220.127.116.11/service/kubernetes/api/v1/namespaces/myns/secrets/kploy-secrets KEY VALUE tck 075d077c888bb0c5a296ad1c65e07267b77c0a9eb264b914621d6b72c770cd84 dbpassword abadpassword
Note that kploy will deploy the secret first thing, before any services or RCs are deployed and so that it is guaranteed that the secret data is available to all RCs on start-up.