Managing and updating application configurations in a Kubernetes environment can be a complex and time-consuming task. This task, usually handled manually, is performed through ConfigMaps or Secrets. Configuration needs to be updated for credential changes or rotation, for toggling logging on or off, or for changing a particular environment parameter. This routine process is error-prone and may lead to downtime. We need a way to automate configuration updates, eliminating toil and making the delivery process more repeatable and stable.
kubernetes-reflector
kubernetes-reflector is a custom Kubernetes controller that can be used to replicate Secrets, ConfigMaps and certificates. The tool, developed by emberstack, is designed to monitor changes to resources and reflect those changes to mirror resources in the same or other namespaces.
Reflector can be deployed either manually or using Helm (recommended):
$ helm repo add emberstack https://emberstack.github.io/helm-charts
$ helm repo update
$ helm upgrade --install reflector emberstack/reflector
Reflecting Resources
1. First, annotate the source, adding
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
or permit reflection only for the listed namespaces, given as a comma-separated list of namespace names or regular expressions:
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default,namespace-1|namespace-2"
apiVersion: v1
kind: ConfigMap
metadata:
  name: source-config-map
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
  ...
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: source-certificate
spec:
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
  ...
2. Then, annotate the mirror resource with
reflector.v1.k8s.emberstack.com/reflects: "<source-namespace>/<source-name>"
Reflector copies data for Secrets, and data and binaryData for ConfigMaps. Reflector keeps track of what was copied by annotating mirrors with the source object version.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mirror-config-map
  annotations:
    reflector.v1.k8s.emberstack.com/reflects: "default/source-config-map"
data:
  ...
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mirror-certificate
spec:
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflects: "default/source-certificate"
  ...
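The allow-list check described in the two steps above is worth seeing as code, because the reflection-allowed-namespaces annotation decides how far a Secret can travel. The following is an added example and not kubernetes-reflector's own code: it models the decision a controller has to make for a candidate mirror, and adds an audit helper that lists every namespace a pattern would admit, so an over-broad regular expression is noticed before a Secret is replicated into it. The annotation keys are the ones shown on the page; the choice to match patterns against the whole namespace name (re.fullmatch) is this example's assumption and must be confirmed against the controller's own source.

```python
# Added example (not kubernetes-reflector's own code): model the allow-list
# check a source object's annotations impose on a would-be mirror, and audit
# how wide a namespace pattern really is before a Secret is allowed to flow.
# Assumptions, labelled: annotation keys are the ones on the page; patterns
# are matched against the whole namespace name (re.fullmatch); how the real
# controller anchors its regular expressions must be confirmed in its source.
import re

ALLOWED = "reflector.v1.k8s.emberstack.com/reflection-allowed"
ALLOWED_NS = "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces"
REFLECTS = "reflector.v1.k8s.emberstack.com/reflects"


def namespace_permitted(patterns: str, namespace: str) -> bool:
    """True if `namespace` equals or fully matches one comma-separated entry.
    An empty/absent annotation means no namespace restriction."""
    entries = [p.strip() for p in patterns.split(",") if p.strip()]
    if not entries:
        return True
    return any(re.fullmatch(p, namespace) is not None for p in entries)


def reflection_permitted(source: dict, mirror: dict) -> tuple[bool, str]:
    """Decide whether `mirror` may be filled from `source`; the reason is
    returned too so a denied reflection can be explained in a review."""
    src_meta, mir_meta = source["metadata"], mirror["metadata"]
    src_ann = src_meta.get("annotations", {})
    mir_ann = mir_meta.get("annotations", {})
    src_ref = f'{src_meta["namespace"]}/{src_meta["name"]}'
    want = mir_ann.get(REFLECTS)
    if want is None:
        return False, "mirror has no reflects annotation"
    if want != src_ref:
        return False, f"mirror reflects {want}, not {src_ref}"
    if src_ann.get(ALLOWED, "false").lower() != "true":
        return False, "source does not allow reflection"
    if not namespace_permitted(src_ann.get(ALLOWED_NS, ""), mir_meta["namespace"]):
        return False, f'namespace {mir_meta["namespace"]} not in allowed list'
    return True, "ok"


def audit_allowed_namespaces(patterns: str, cluster_namespaces: list[str]) -> list[str]:
    """Defender's check: every namespace the pattern would admit, so that an
    over-broad regex is caught before the Secret is replicated."""
    return [ns for ns in cluster_namespaces if namespace_permitted(patterns, ns)]


# Constructed sample objects; the mirror namespaces are illustrative, not from the page
SOURCE = {"metadata": {"namespace": "default", "name": "source-config-map",
          "annotations": {ALLOWED: "true",
                          ALLOWED_NS: "namespace-1,namespace-2,namespace-[0-9]*"}}}
MIRROR_OK = {"metadata": {"namespace": "namespace-7", "name": "mirror-config-map",
             "annotations": {REFLECTS: "default/source-config-map"}}}
MIRROR_DENIED = {"metadata": {"namespace": "kube-system", "name": "mirror-config-map",
                 "annotations": {REFLECTS: "default/source-config-map"}}}

if __name__ == "__main__":
    for m in (MIRROR_OK, MIRROR_DENIED):
        print(m["metadata"]["namespace"], reflection_permitted(SOURCE, m))
    # "namespace-[0-9]*" also admits the bare "namespace-" (zero digits):
    print(audit_allowed_namespaces("namespace-[0-9]*",
                                   ["default", "namespace-", "namespace-1", "namespace-10", "kube-system"]))
```

Run the audit helper against the real namespace list (kubectl get ns) before adding a regular expression to a Secret's allow-list: a pattern such as namespace-[0-9]* admits any current or future namespace with that prefix, including the bare "namespace-", which is wider than a reviewer usually intends.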
Reloader
Reloader is a Kubernetes controller that watches for changes in ConfigMaps and Secrets and performs rolling upgrades on Pods through their associated Deployment, StatefulSet, DaemonSet or DeploymentConfig. Developed by stakater, the tool is available in an open-source version and an enterprise version, which adds SLA and Slack integration.
To deploy Reloader, apply the vanilla manifest:
kubectl apply -f https://raw.githubusercontent.com/stakater/Reloader/master/deployments/kubernetes/reloader.yaml
Usage
1. To watch a resource, first add the annotation (the default mode):
reloader.stakater.com/auto: "true"
This discovers deploymentconfigs/deployments/daemonsets/statefulsets/rollouts automatically wherever the ConfigMap or Secret is used, either via an environment variable or via a volume mount, and performs a rolling upgrade on the related pods when it is updated.
2. To restrict this discovery to only ConfigMap or Secret objects that are tagged with a special annotation, annotate the workload with
reloader.stakater.com/search: "true"
and the ConfigMap or Secret with reloader.stakater.com/match: "true"; Reloader will then trigger the rolling upgrade upon modification:
kind: Deployment
metadata:
  annotations:
    reloader.stakater.com/search: "true"
spec:
  template:
    ...
---
kind: ConfigMap
metadata:
  annotations:
    reloader.stakater.com/match: "true"
data:
  key: value
3. To perform a rolling upgrade only when a change happens on specific resources, use the annotation below:
configmap.reloader.stakater.com/reload: "foo-configmap,bar-configmap"
kind: Deployment
metadata:
  annotations:
    configmap.reloader.stakater.com/reload: "foo-configmap,bar-configmap,baz-configmap"
spec:
  template:
    metadata:
      ...
---
kind: Deployment
metadata:
  annotations:
    secret.reloader.stakater.com/reload: "foo-secret"
spec:
  template:
    metadata:
      ...
Reloader supports two reload strategies:
- env-vars. When a tracked ConfigMap/Secret is updated, this strategy attaches a Reloader-specific environment variable to any containers referencing the changed ConfigMap or Secret on the owning resource (e.g., Deployment, StatefulSet, etc.). This strategy can be specified with the --reload-strategy=env-vars argument. Note: this is the default reload strategy.
- annotations. When a tracked ConfigMap/Secret is updated, this strategy attaches a reloader.stakater.com/last-reloaded-from pod template annotation on the owning resource (e.g., Deployment, StatefulSet, etc.). This strategy is useful when using GitOps syncing tools like ArgoCD or Flux.
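To make the three annotation modes and the two reload strategies concrete, here is an added example that is not Reloader's code. should_reload() implements the discovery rules of steps 1 to 3 above (auto, search/match, explicit reload list) for a ConfigMap; apply_reload() implements the env-vars strategy (a hash of the ConfigMap data written into an environment variable on each container that references it, so the pod template changes and the Deployment rolls) and the annotations strategy. The environment-variable name STAKATER_<NAME>_CONFIGMAP, the SHA1 over sorted data, the fallback to all containers when none references the ConfigMap, and "an explicit reload list triggers even without a reference" are this example's assumptions and should be confirmed against Reloader's own source.

```python
# Added example, not Reloader's code: model how a ConfigMap change becomes a
# rollout. Assumptions, labelled: env-var name STAKATER_<NAME>_CONFIGMAP,
# SHA1 over the sorted data, fallback to all containers when none references
# the ConfigMap, and explicit-list mode firing without a reference.
import copy
import hashlib
import json

AUTO = "reloader.stakater.com/auto"
SEARCH = "reloader.stakater.com/search"
MATCH = "reloader.stakater.com/match"
CM_RELOAD = "configmap.reloader.stakater.com/reload"
LAST_RELOADED = "reloader.stakater.com/last-reloaded-from"


def configmap_hash(cm: dict) -> str:
    """SHA1 over data + binaryData with sorted keys: equal content, equal hash."""
    payload = json.dumps({"data": cm.get("data", {}),
                          "binaryData": cm.get("binaryData", {})}, sort_keys=True)
    return hashlib.sha1(payload.encode()).hexdigest()


def container_references(container: dict, volumes: list, name: str) -> bool:
    """True if the container reads ConfigMap `name` via env, envFrom or a volume mount."""
    cm_volumes = {v["name"] for v in volumes if v.get("configMap", {}).get("name") == name}
    if any(m.get("name") in cm_volumes for m in container.get("volumeMounts", [])):
        return True
    if any(ef.get("configMapRef", {}).get("name") == name for ef in container.get("envFrom", [])):
        return True
    return any(e.get("valueFrom", {}).get("configMapKeyRef", {}).get("name") == name
               for e in container.get("env", []))


def should_reload(deploy: dict, cm: dict) -> bool:
    """Apply the three annotation modes to decide whether `cm` affects `deploy`."""
    ann = deploy["metadata"].get("annotations", {})
    name = cm["metadata"]["name"]
    pod = deploy["spec"]["template"]["spec"]
    referenced = any(container_references(c, pod.get("volumes", []), name)
                     for c in pod["containers"])
    if CM_RELOAD in ann:  # mode 3: explicit list, no reference needed (assumption)
        return name in [n.strip() for n in ann[CM_RELOAD].split(",")]
    if ann.get(AUTO) == "true":  # mode 1: auto-discovery of referencing workloads
        return referenced
    if ann.get(SEARCH) == "true":  # mode 2: search on the workload, match on the CM
        return referenced and cm["metadata"].get("annotations", {}).get(MATCH) == "true"
    return False


def apply_reload(deploy: dict, cm: dict, strategy: str = "env-vars") -> tuple[bool, dict]:
    """Return (changed, new_deploy). Only a changed pod template rolls the pods,
    so a second call with the same ConfigMap content is a no-op."""
    new = copy.deepcopy(deploy)
    tmpl = new["spec"]["template"]
    name, digest = cm["metadata"]["name"], configmap_hash(cm)
    changed = False
    if strategy == "env-vars":
        var = "STAKATER_" + name.upper().replace("-", "_") + "_CONFIGMAP"
        containers = tmpl["spec"]["containers"]
        targets = [c for c in containers
                   if container_references(c, tmpl["spec"].get("volumes", []), name)]
        for c in targets or containers:  # fallback to all containers (assumption)
            env = c.setdefault("env", [])
            hit = next((e for e in env if e.get("name") == var), None)
            if hit is None:
                env.append({"name": var, "value": digest})
                changed = True
            elif hit.get("value") != digest:
                hit["value"] = digest
                changed = True
    elif strategy == "annotations":
        ann = tmpl.setdefault("metadata", {}).setdefault("annotations", {})
        value = json.dumps({"kind": "ConfigMap", "name": name, "hash": digest})
        if ann.get(LAST_RELOADED) != value:
            ann[LAST_RELOADED] = value
            changed = True
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return changed, new


# Constructed sample objects (illustrative names, not from the page)
DEPLOY_AUTO = {"metadata": {"name": "web", "annotations": {AUTO: "true"}},
               "spec": {"template": {"spec": {"containers": [
                   {"name": "app", "envFrom": [{"configMapRef": {"name": "app-config"}}]},
                   {"name": "sidecar"}]}}}}
CM_V1 = {"metadata": {"name": "app-config"}, "data": {"LOG_LEVEL": "info"}}
CM_V2 = {"metadata": {"name": "app-config"}, "data": {"LOG_LEVEL": "debug"}}

if __name__ == "__main__":
    changed, rolled = apply_reload(DEPLOY_AUTO, CM_V1)
    print(changed, rolled["spec"]["template"]["spec"]["containers"][0]["env"])
    print(apply_reload(rolled, CM_V1)[0], apply_reload(rolled, CM_V2)[0])
```

The idempotence matters operationally: a controller that rewrote the pod template on every reconcile would restart pods on every sync, and with the annotations strategy a GitOps tool would see the last-reloaded-from annotation as drift unless it is told to ignore that field, which is why the page recommends that strategy for ArgoCD or Flux setups where the annotation can be excluded from diffing.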
Comparison
| Feature | kubernetes-reflector | Reloader |
| Triggering resources | ConfigMap, Secret, Certificate | ConfigMap, Secret |
| Supported resources | Deployment, cert-manager (since v1.5) | Deployment, StatefulSet, DaemonSet and DeploymentConfig |
| Security | uses cert-manager, X.509 key usages and extended key usages | SHA1 encoding of changes in ConfigMap, Secret |
| Language | C# | Go |
| License | MIT License | Apache License 2.0 |
| Versions | Open source | Open source, Enterprise |
| Support | Last significant commit in 10.2021, ~50 stars, ~50 forks | Active support, ~400 forks, > 5.5k stars |
Hope you like the post. For more Kubernetes content go to orchestration. Please follow me on Twitter or LinkedIn and subscribe to the newsletter below.
Be ethical, save your privacy!