Automating Configuration Updates: kubernetes-reflector vs Reloader

Managing and updating application configurations in a Kubernetes environment can be a complex and time-consuming task. This, usually manual handled taks, is performed by ConfigMaps or Secrets. And configuration can be updated, whether it be for credential updates or rotation, or toggling logging on or off, or updating a particular environment parameter. This routine process may lead to errors and downtime. We need a way for automating configuration updates, eliminating toil and making delivery process more repeatable and stable.

kubernetes-reflector

kubernetes-reflector is a custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates. The tool, developed by emberstack, designed to monitor changes to resources and reflect changes to mirror resources in the same or other namespaces.

Reflector can be deployed either manually or using Helm (recommended):

$ helm repo add emberstack https://emberstack.github.io/helm-charts
$ helm repo update
$ helm upgrade --install reflector emberstack/reflector

Reflecting Resources

1. First, you need to annotate the source, adding

reflector.v1.k8s.emberstack.com/reflection-allowed: "true"

or permit reflection from only the list of comma separated namespaces or regular expressions:

reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default,namespace-1|namespace-2"
Note: If this annotation is omitted or is empty, all namespaces are allowed.
apiVersion: v1
kind: ConfigMap
metadata:
 name: source-config-map
 annotations:
   reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
   reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
 ...
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: source-certificate
spec:
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
  ...

2. Then, annotate the mirror resource with

reflector.v1.k8s.emberstack.com/reflects: "<source-namespace>/<source-name>"
Reflector will monitor any changes done to the source objects and copy the following fields:
data for secrets
data and binaryData for configmaps Reflector keeps track of what was copied by annotating mirrors with the source object version.
apiVersion: v1
kind: ConfigMap
metadata:
 name: mirror-config-map
 annotations:
   reflector.v1.k8s.emberstack.com/reflects: "default/source-config-map"
data:
 ...
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mirror-certificate
spec:
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflects: "default/source-certificate"
  ...

Reloader

Reloader is a Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig. Developed by stakater, the tool available in open source version and enterprise, which supports SLA and Slack integration.

To deploy Reloader, use vanilla manifest:

kubectl apply -f https://raw.githubusercontent.com/stakater/Reloader/master/deployments/kubernetes/reloader.yaml

Usage

1. To watch for resource, first add annotation, by default:

reloader.stakater.com/auto: "true"

This will discover deploymentconfigs/deployments/daemonsets/statefulset/rollouts automatically where it is being used either via environment variable or from volume mount. And it will perform rolling upgrade on related pods when it updated.

2. Restrict this discovery to only ConfigMap or Secret objects that are tagged with a special annotation:

reloader.stakater.com/search: "true"

and Reloader will trigger the rolling upgrade upon modification:

kind: Deployment
metadata:
  annotations:
    reloader.stakater.com/search: "true"
spec:
  template:
...
---
kind: ConfigMap
metadata:
  annotations:
    reloader.stakater.com/match: "true"
data:
  key: value

3. To perform rolling upgrade when change happens only on specific resource use below annotation:

configmap.reloader.stakater.com/reload: "foo-configmap,bar-configmap"
kind: Deployment
metadata:
  annotations:
    configmap.reloader.stakater.com/reload: "foo-configmap,bar-configmap,baz-configmap"
spec:
  template: 
    metadata:
...
---
kind: Deployment
metadata:
  annotations:
    secret.reloader.stakater.com/reload: "foo-secret"
spec:
  template: 
    metadata:
...

Reloader supports two reload strategies:

  • env-vars. When a tracked configMap/secret is updated, this strategy attaches a Reloader specific environment variable to any containers referencing the changed configMap or secret on the owning resource (e.g., DeploymentStatefulSet, etc.). This strategy can be specified with the --reload-strategy=env-vars argument. Note: This is the default reload strategy.
  • annotations. When a tracked configMap/secret is updated, this strategy attaches a reloader.stakater.com/last-reloaded-from pod template annotation on the owning resource (e.g., DeploymentStatefulSet, etc.). This strategy is useful when using resource GitOps syncing tools like ArgoCD or Flux.

Comparison

kubernetes-reflectorReloader
Triggering resourcesConfigMap, Secret, CertificateConfigMap, Secret
Supported resourcesDeployment, cert-manager (since v1.5)Deployment, StatefulSet, DaemonSet and DeploymentConfig
Securityusing cert-manager, X.509 key usages and extended key usagesSHA1 encoding changes in ConfigMap, Secret
LanguageC#Go
LicenseMIT LicenseApache License 2.0
VersionsOpen sourceOpen source, Enterprise
SupportLast significant commit by 10.2021, ~ 50 stars, ~ 50 forksActive support, ~400 forks, > 5,5k stars

Hope, you like the post. For more Kubernetes content go to orchestration. Please follow me on Twitter or LinkedIn and subscribe to newsletter below.

Be an ethical, save your privacy!

subscribe to newsletter

and receive weekly update from our blog

By submitting your information, you're giving us permission to email you. You may unsubscribe at any time.

Leave a Comment

Discover more from #cybertechtalk

Subscribe now to keep reading and get access to the full archive.

Continue reading