Back to Recording

Summary

Overview

This course module provides a comprehensive hands-on introduction to Kubernetes secrets, ConfigMaps, and the Container Storage Interface (CSI) for persistent storage. It covers the creation, management, and troubleshooting of secrets (including TLS and Docker config types), the use of ConfigMaps for non-sensitive configuration, and the implementation of persistent volumes and snapshots using the CSI HostPath driver in minikube. The session emphasizes practical workflows, decoding base64-encoded data, namespace scoping, and end-to-end ingress configuration with TLS termination. The instructor demonstrates real-world troubleshooting techniques by working backward from ingress failures to identify missing components like services and pods.

Topic (Timeline)

1. ConfigMaps and Secrets Fundamentals [00:00:00 - 00:03:11]

  • ConfigMaps are API objects for storing non-confidential key-value data; consumed by Pods as environment variables. Maximum size: 1 MB. Support both data (UTF-8 strings) and binaryData (base64-encoded binary).
  • Secrets are similar to ConfigMaps but designed for sensitive data. Also limited to 1 MB. Store data in data (base64-encoded) or stringData (plaintext, auto-encoded on creation).
  • Secrets are stored unencrypted by default in minikube; encryption at rest is required in production.
  • Secret types: kubernetes.io/dockerconfigjson (modern registry auth), kubernetes.io/dockercfg (legacy), kubernetes.io/basic-auth (Ingress basic auth), kubernetes.io/ssh-auth (SSH keys), and kubernetes.io/tls (TLS certificates and keys).

2. Container Storage Interface (CSI) and Persistent Volumes [00:03:11 - 00:06:16]

  • CSI is the Kubernetes standard for accessing block and file storage. minikube uses the CSI HostPath driver for basic volume support.
  • Persistent Volume (PV): cluster-level storage resource, independent of Pod lifecycle. Can be provisioned manually or dynamically.
  • Persistent Volume Claim (PVC): request for storage by a user/application. Specifies size and access modes: ReadWriteOnce, ReadOnlyMany, ReadWriteMany.
  • Analogy: PVs are like externally managed Docker volumes; PVCs are like requests to mount them.

3. ConfigMap and Secret Hands-On: Namespace Scoping and Base64 Encoding [00:06:16 - 00:10:01]

  • Created a ConfigMap with two key-value pairs (k8s-admin and access-level) and deployed a Job to consume it as environment variables.
  • Demonstrated that ConfigMaps are namespace-scoped: a Pod in a different namespace cannot access a ConfigMap in another.
  • Deleted and recreated the ConfigMap in the correct namespace to resolve access issues.
  • Created a base64-encoded string for a password and decoded it to show that encoding ≠ encryption — data is readable by anyone with access to the secret.

4. TLS Secret Creation and Ingress Configuration [00:10:01 - 00:18:42]

  • Generated a self-signed TLS certificate and private key (tls.crt, tls.key).
  • Created a TLS secret using kubectl create secret tls — automatically encodes and stores the cert/key in tls.crt and tls.key fields.
  • Decoded the secret using base64 to inspect the certificate and key in PEM format.
  • Used openssl x509 and openssl pkey to validate certificate details (issuer, expiration, key size).
  • Configured minikube ingress addon and created an Ingress resource referencing the TLS secret.
  • Troubleshooting workflow: Ingress failed due to mismatched namespace between Ingress and Service. Service was in default namespace; Ingress expected it in kube-system.
  • Corrected namespace in Service manifest, redeployed, and confirmed Ingress endpoints populated.
  • Deployed an nginx Pod with matching label selector to complete the service-to-pod connection.
  • Verified successful HTTPS access via browser.

5. Docker Config JSON Secret for Private Registries [00:19:35 - 00:20:51]

  • Created a kubernetes.io/dockerconfigjson secret for authenticating with a private container registry.
  • Decoded the secret’s .dockerconfigjson field using base64 to reveal the JSON structure containing username and password.
  • Emphasized that this is the modern method; legacy dockercfg is still supported but deprecated.

6. Persistent Volume Claims, Snapshots, and Restoration [00:21:48 - 00:32:36]

  • Enabled minikube storage add-ons: snapshot controller and CSI HostPath driver.
  • Inspected CSI components: DaemonSet with six containers (no resource limits/requests — noted as development-only).
  • Created a StorageClass (csi-hostpath-sc) and a PVC bound to it, which auto-provisioned a PV.
  • Created a VolumeSnapshot of the PVC using a VolumeSnapshotClass.
  • Attempted to restore from snapshot using a new PVC with dataSource pointing to the snapshot — failed due to namespace mismatch.
  • Fixed namespace in restore YAML, reapplied, and confirmed successful restoration of the volume.
  • Noted that CSI HostPath is a minimal implementation; production systems use advanced CSI drivers like Longhorn (with GUI, encryption, automated snapshots, HA).

7. Review and Summary [00:32:36 - 00:35:13]

  • Recap of key concepts:
    • ConfigMaps: non-sensitive data, 1 MB limit, UTF-8/base64 fields.
    • Secrets: sensitive data, 1 MB limit, base64-encoded, TLS and Docker config types.
    • TLS secrets: auto-encode cert/key, decode to inspect PEM format.
    • Docker config JSON secrets: authenticate with private registries.
    • PVs and PVCs: decoupled storage lifecycle, access modes.
    • CSI: modern storage interface; minikube uses HostPath; Longhorn for production.
    • Volume snapshots: create, restore, and manage data backups.
  • Concluded with note that NFS is legacy; modern clusters use CSI. Hybrid setups (stateless Pods + external DBs) are common.

Appendix

Key Principles

  • ConfigMaps ≠ Secrets: Use ConfigMaps for non-sensitive data; Secrets for credentials, certs, keys.
  • Encoding ≠ Encryption: Base64 is encoding — easily reversible. Secrets are not encrypted by default.
  • Namespace Isolation: ConfigMaps, Secrets, and Services are namespace-scoped. Ingress must match the namespace of its target Service.
  • CSI is Standard: Modern Kubernetes uses CSI for storage; avoid legacy methods like direct NFS unless required.

Tools Used

  • kubectl create configmap, kubectl create secret
  • base64 --decode for inspecting secret content
  • openssl x509 -in cert.pem -text -noout and openssl pkey -in key.pem -text -noout for certificate inspection
  • jq for parsing JSON in Kubernetes responses
  • minikube with ingress, storage-provisioner, and snapshot-controller addons

Common Pitfalls

  • Forgetting namespace alignment between Ingress, Service, and Pod.
  • Assuming base64-encoded secrets are secure — they are not encrypted.
  • Using csi-hostpath in production — it’s for development only; use Longhorn or cloud-native CSI drivers.
  • Not setting storageClassName in PVC when default is not configured.

Practice Suggestions

  • Recreate the TLS Ingress flow without following the video — troubleshoot missing endpoints.
  • Create a Docker config secret for a public registry (e.g., Docker Hub) and use it in a Pod spec.
  • Attempt to restore a snapshot into a different namespace — observe the failure and resolve.
  • Compare ConfigMap and Secret YAML structures side-by-side to understand field differences.