In this chapter, we will show how to use and store sensitive and non-sensitive application configurations properly.

In previous chapters, we added the configuration directly to containers during the build or used the container’s environment variables to pass parameters during the deployment.

Now, you will learn how to store application parameters in ConfigMaps and Secrets for security and flexibility. We will show how you can use Helm chart values and werf secrets and discuss parameterization and configuration reuse approaches. In addition, you will learn how to store sensitive data along with the code in the application’s Git repository.

The application described in this chapter is not intended for use in production environments as-is. Note that successful completion of this entire guide is required to create a production-ready application.

Preparing the environment

If you haven’t prepared your environment during previous steps, please, do it using the instructions provided in the “Preparing the environment” chapter.

If your environment has stopped working or instructions in this chapter don’t work, please, refer to these hints:

Is Docker running?

Let’s launch Docker Desktop. It takes some time for this application to start Docker. If there are no errors during the startup process, check that Docker is running and is properly configured:

docker run hello-world

You will see the following output if the command completes successfully:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:9f6ad537c5132bcce57f7a0a20e317228d382c3cd61edae14650eec68b2b345c
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

Should you have any problems, please refer to the Docker documentation.

Let’s launch the Docker Desktop application. It takes some time for the application to start Docker. If there are no errors during the startup process, then check that Docker is running and is properly configured:

docker run hello-world

You will see the following output if the command completes successfully:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:9f6ad537c5132bcce57f7a0a20e317228d382c3cd61edae14650eec68b2b345c
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

Should you have any problems, please refer to the Docker documentation.

Start Docker:

sudo systemctl restart docker

Make sure that Docker is running:

sudo systemctl status docker

If the Docker start is successful, you will see the following output:

● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-06-24 13:05:17 MSK; 13s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 2013888 (dockerd)
      Tasks: 36
     Memory: 100.3M
     CGroup: /system.slice/docker.service
             └─2013888 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

dockerd[2013888]: time="2021-06-24T13:05:16.936197880+03:00" level=warning msg="Your kernel does not support CPU realtime scheduler"
dockerd[2013888]: time="2021-06-24T13:05:16.936219851+03:00" level=warning msg="Your kernel does not support cgroup blkio weight"
dockerd[2013888]: time="2021-06-24T13:05:16.936224976+03:00" level=warning msg="Your kernel does not support cgroup blkio weight_device"
dockerd[2013888]: time="2021-06-24T13:05:16.936311001+03:00" level=info msg="Loading containers: start."
dockerd[2013888]: time="2021-06-24T13:05:17.119938367+03:00" level=info msg="Loading containers: done."
dockerd[2013888]: time="2021-06-24T13:05:17.134054120+03:00" level=info msg="Daemon has completed initialization"
systemd[1]: Started Docker Application Container Engine.
dockerd[2013888]: time="2021-06-24T13:05:17.148493957+03:00" level=info msg="API listen on /run/docker.sock"

Now let’s check if Docker is available and its configuration is correct:

docker run hello-world

You will see the following output if the command completes successfully:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:9f6ad537c5132bcce57f7a0a20e317228d382c3cd61edae14650eec68b2b345c
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

Should you have any problems, please refer to the Docker documentation.

Have you restarted the computer after setting up the environment?

Let’s start the minikube cluster we have already configured in the “Preparing the environment” chapter:

minikube start

Set the default Namespace so that you don’t have to specify it every time you invoke kubectl:

kubectl config set-context minikube --namespace=werf-guide-app

You will see the following output if the command completes successfully:

😄  minikube v1.20.0 on Ubuntu 20.04
✨  Using the docker driver based on existing profile
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🎉  minikube 1.21.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.21.0
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

🔄  Restarting existing docker container for "minikube" ...
🐳  Preparing Kubernetes v1.20.2 on Docker 20.10.6 ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/google_containers/kube-registry-proxy:0.4
    ▪ Using image k8s.gcr.io/ingress-nginx/controller:v0.44.0
    ▪ Using image registry:2.7.1
    ▪ Using image docker.io/jettech/kube-webhook-certgen:v1.5.1
    ▪ Using image docker.io/jettech/kube-webhook-certgen:v1.5.1
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🔎  Verifying registry addon...
🔎  Verifying ingress addon...
🌟  Enabled addons: storage-provisioner, registry, default-storageclass, ingress
🏄  Done! kubectl is now configured to use "minikube" cluster and "werf-guide-app" namespace by default

Make sure that the command output contains the following line:

Restarting existing docker container for "minikube"

Its absence means that a new minikube cluster was created instead of using the old one. In this case, repeat all the steps required to install the environment using minikube.

Now run the command in the background PowerShell terminal (do not close its window):

minikube tunnel --cleanup=true

Let’s start the minikube cluster we have already configured in the “Preparing the environment” chapter:

minikube start --namespace werf-guide-app

Set the default Namespace so that you don’t have to specify it every time you invoke kubectl:

kubectl config set-context minikube --namespace=werf-guide-app

You will see the following output if the command completes successfully:

😄  minikube v1.20.0 on Ubuntu 20.04
✨  Using the docker driver based on existing profile
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🎉  minikube 1.21.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.21.0
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

🔄  Restarting existing docker container for "minikube" ...
🐳  Preparing Kubernetes v1.20.2 on Docker 20.10.6 ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/google_containers/kube-registry-proxy:0.4
    ▪ Using image k8s.gcr.io/ingress-nginx/controller:v0.44.0
    ▪ Using image registry:2.7.1
    ▪ Using image docker.io/jettech/kube-webhook-certgen:v1.5.1
    ▪ Using image docker.io/jettech/kube-webhook-certgen:v1.5.1
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🔎  Verifying registry addon...
🔎  Verifying ingress addon...
🌟  Enabled addons: storage-provisioner, registry, default-storageclass, ingress
🏄  Done! kubectl is now configured to use "minikube" cluster and "werf-guide-app" namespace by default

Make sure that the command output contains the following line:

Restarting existing docker container for "minikube"

Its absence means that a new minikube cluster was created instead of using the old one. In this case, repeat all the steps required to install the environment from scratch using minikube.

Did you accidentally delete the application's Namespace?

If you have inadvertently deleted Namespace of the application, you must run the following commands to proceed with the guide:

kubectl create namespace werf-guide-app
kubectl create secret docker-registry registrysecret \
  --docker-server='https://index.docker.io/v1/' \
  --docker-username='<Docker Hub username>' \
  --docker-password='<Docker Hub password>'

You will see the following output if the command completes successfully:

namespace/werf-guide-app created
secret/registrysecret created
Nothing helps; the environment or instructions keep failing.

If nothing worked, repeat all the steps described in the “Preparing the environment” chapter and create a new environment from scratch. If creating an environment from scratch did not help either, please, tell us about your problem in our Telegram chat or create an issue on GitHub. We will be happy to help you!

Preparing the repository

Update the existing repository containing the application:

Run the following commands in PowerShell:

cd ~/werf-guide/app

# To see what changes we will make later in this chapter, let's replace all the application files
# in the repository with new, modified files containing the changes described below.
git rm -r .
cp -Recurse -Force ~/werf-guide/guides/examples/java_springboot/080_configuration/* .
git add .
git commit -m WIP
What changes we will make
# Enter the command below to show the files we are going to change.
git show --stat
# Enter the command below to show the changes that will be made.
git show

Run the following commands in Bash:

cd ~/werf-guide/app

# To see what changes we will make later in this chapter, let's replace all the application files
# in the repository with new, modified files containing the changes described below.
git rm -r .
cp -rf ~/werf-guide/guides/examples/java_springboot/080_configuration/. .
git add .
git commit -m WIP
What changes we will make
# Enter the command below to show files we are going to change.
git show --stat
# Enter the command below to show the changes that will be made.
git show

Doesn’t work? Try the instructions on the “I am just starting from this chapter” tab above.

Prepare a new repository with the application:

Run the following commands in PowerShell:

# Clone the example repository to ~/werf-guide/guides (if you have not cloned it yet).
if (-not (Test-Path ~/werf-guide/guides)) {
  git clone https://github.com/werf/website $env:HOMEPATH/werf-guide/guides
}

# Copy the (unchanged) application files to ~/werf-guide/app.
rm -Recurse -Force ~/werf-guide/app
cp -Recurse -Force ~/werf-guide/guides/examples/java_springboot/050_s3 ~/werf-guide/app

# Make the ~/werf-guide/app directory a git repository.
cd ~/werf-guide/app
git init
git add .
git commit -m initial

# To see what changes we will make later in this chapter, let's replace all the application files
# in the repository with new, modified files containing the changes described below.
git rm -r .
cp -Recurse -Force ~/werf-guide/guides/examples/java_springboot/080_configuration/* .
git add .
git commit -m WIP
What changes we will make
# Enter the command below to show the files we are going to change.
git show --stat
# Enter the command below to show the changes that will be made.
git show

Run the following commands in Bash:

# Clone the example repository to ~/werf-guide/guides (if you have not cloned it yet).
test -e ~/werf-guide/guides || git clone https://github.com/werf/website ~/werf-guide/guides

# Copy the (unchanged) application files to ~/werf-guide/app.
rm -rf ~/werf-guide/app
cp -rf ~/werf-guide/guides/examples/java_springboot/050_s3 ~/werf-guide/app

# Make the ~/werf-guide/app directory a git repository.
cd ~/werf-guide/app
git init
git add .
git commit -m initial

# To see what changes we will make later in this chapter, let's replace all the application files
# in the repository with new, modified files containing the changes described below.
git rm -r .
cp -rf ~/werf-guide/guides/examples/java_springboot/080_configuration/. .
git add .
git commit -m WIP
What changes we will make
# Enter the command below to show files we are going to change.
git show --stat
# Enter the command below to show the changes that will be made.
git show

ConfigMap and Secret

ConfigMap and Secret Kubernetes resources allow you to separate environment-dependent and context-specific configuration from container images.

Both objects store data in key-value pairs and provide them to Pods as environment variables, command-line arguments, or configuration files mounted in a selected container.

ConfigMap stores non-confidential data, while Secret stores confidential data (various secret types).

You can learn more about these resource types in the official Kubernetes documentation (ConfigMaps, Secrets). This chapter discusses various use cases for ConfigMaps and Secrets using our application as an example.

Storing application’s config files in the ConfigMap

Currently, the nginx.conf config file gets copied into the image during the build. As a result, the image is rebuilt, and Pods are restarted each time the file is modified. In addition, there is no easy way to benefit from templating in our nginx.conf.

You can get around these obstacles by moving .werf/nginx.conf into a dedicated ConfigMap. This way, you can mount nginx.conf when deploying instead of adding the file during the build:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
data:
  nginx.conf: |
    user nginx;
    worker_processes 1;
    pid /run/nginx.pid;

    events {
      worker_connections 1024;
    }

    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      upstream backend {
        server 127.0.0.1:8080 fail_timeout=0;
      }

      server {
        listen 80;
        server_name _;

        root /www;

        client_max_body_size 100M;
        keepalive_timeout 10s;

        # For the /static path, assets are delivered directly from the NGINX container file system.
        location /static {
          # Due to the nature of the Webpack's bundling mechanism, the client can keep an asset cache
          # for as long as necessary without worrying about invalidation.
          expires 1y;
          add_header Cache-Control public;
          add_header Last-Modified "";
          add_header ETag "";

          # Serve pre-compressed files if possible (instead of compressing them on the fly).
          gzip_static on;

          access_log off;

          try_files $uri =404;
        }

        # The media assets (pictures, etc.) will also be retrieved from the NGINX container file system,
        # however, we will disable gzip compression for them.
        location /static/images {
          expires 1y;
          add_header Cache-Control public;
          add_header Last-Modified "";
          add_header ETag "";

          access_log off;

          try_files $uri =404;
        }

        # All requests, except for asset requests, are routed to the Node.js backend.
        location / {
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $http_host;
          proxy_redirect off;

          proxy_pass http://backend;
        }
      }
    }
apiVersion: v1 kind: ConfigMap metadata: name: nginx-conf data: nginx.conf: | user nginx; worker_processes 1; pid /run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; upstream backend { server 127.0.0.1:8080 fail_timeout=0; } server { listen 80; server_name _; root /www; client_max_body_size 100M; keepalive_timeout 10s; # For the /static path, assets are delivered directly from the NGINX container file system. location /static { # Due to the nature of the Webpack's bundling mechanism, the client can keep an asset cache # for as long as necessary without worrying about invalidation. expires 1y; add_header Cache-Control public; add_header Last-Modified ""; add_header ETag ""; # Serve pre-compressed files if possible (instead of compressing them on the fly). gzip_static on; access_log off; try_files $uri =404; } # The media assets (pictures, etc.) will also be retrieved from the NGINX container file system, # however, we will disable gzip compression for them. location /static/images { expires 1y; add_header Cache-Control public; add_header Last-Modified ""; add_header ETag ""; access_log off; try_files $uri =404; } # All requests, except for asset requests, are routed to the Node.js backend. location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://backend; } } }

Now, let’s add our ConfigMap to the Deployment — we will mount it as a file in the frontend container:

  ...
  - name: frontend
    image: {{ .Values.werf.image.frontend }}
    ports:
      - containerPort: 80
    volumeMounts:
    - mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
      name: nginx-conf
volumes:
  - name: nginx-conf
    configMap:
      name: nginx-conf
... - name: frontend image: {{ .Values.werf.image.frontend }} ports: - containerPort: 80 volumeMounts: - mountPath: /etc/nginx/nginx.conf subPath: nginx.conf name: nginx-conf volumes: - name: nginx-conf configMap: name: nginx-conf

We also need to delete the no longer needed .werf/nginx.conf as well as a command to copy this file to an image during the build. The Dockerfile for the frontend image will look as follows:

...
FROM nginx:stable-alpine as frontend
WORKDIR /www
ADD src/main/resources/static /www/static/
... FROM nginx:stable-alpine as frontend WORKDIR /www ADD src/main/resources/static /www/static/

Handling ConfigMap and Secret changes

Note that by default, changes in ConfigMaps or Secrets mounted in a Deployment, StatefulSet, or DaemonSet will not trigger Pod restarts for the new configuration to take effect. To trigger Pod restart, you need to add annotations with checksums of all ConfigMaps and Secrets used by this Pod. In this case, the annotations will change in response to ConfigMap and Secret modifications, leading to the Pod restart. Below is an example of an annotation that includes the checksum of the nginx.conf ConfigMap:

...
template:
  metadata:
    labels:
      app: werf-guide-app
    annotations:
      checksum/configmap-nginx: '{{ include (print $.Template.BasePath "/configmap-nginx.yaml") . | sha256sum }}'
... template: metadata: labels: app: werf-guide-app annotations: checksum/configmap-nginx: '{{ include (print $.Template.BasePath "/configmap-nginx.yaml") . | sha256sum }}'

Note that you will need a unique annotation for each mounted ConfigMap/Secret.

The authors of this tutorial prefer to use operators like stakater/Reloader instead of checksum-containing annotations because they are simpler, more flexible, and easier to work with.

Values

Using a Helm chart to deploy an application has many advantages — for example, you can create manifest templates with Helm charts. Values is the key built-in templating object. With it, you can access values passed to the chart from various sources.

When using werf, all data passed to the chart can be grouped into several categories:

Reusing configuration with Values and ConfigMaps

Frequently used parameters can be put into .helm/values.yaml:

...
mysql:
  envs:
    MYSQL_DATABASE: "werf-guide-app"
  storageSize: "100Mi"
... mysql: envs: MYSQL_DATABASE: "werf-guide-app" storageSize: "100Mi"

… to make manifest configuration easier:

      ...
      envFrom:
        - configMapRef:
            name: db-envs
        - secretRef:
            name: db-envs
volumeClaimTemplates:
- metadata:
    name: mysql-data
  spec:
    accessModes: ["ReadWriteOnce"]
    resources:
      requests:
        storage: "{{ .Values.mysql.storageSize }}"
... envFrom: - configMapRef: name: db-envs - secretRef: name: db-envs volumeClaimTemplates: - metadata: name: mysql-data spec: accessModes: ["ReadWriteOnce"] resources: requests: storage: "{{ .Values.mysql.storageSize }}"

This way, you can adjust the parameters to the specific environment (we will discuss this in more detail in the following tutorial chapters).

Probably, the most useful feature is the ability to place repetitive configuration snippets into .helm/values.yaml. For example, you can store in this file environment variables used in multiple places:

...
app:
  envs:
    LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB: "INFO"
    MINIO_ROOT_USER: "minioadmin"
... app: envs: LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB: "INFO" MINIO_ROOT_USER: "minioadmin"

The environment variables from .Values.app.envs can be inserted either into the container manifest as env values (as we did before), or you can put them into the ConfigMap and load it into the container via envFrom.

The first option is easier to do, but the ConfigMap option is more convenient if you have a large number of shared environment variables. This way, you will avoid duplicating them between controllers. Your ConfigMap may look like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-envs
data:
  {{- range $key, $val := .Values.app.envs }}
  "{{ $key }}": "{{ $val }}"
  {{- end }}
apiVersion: v1 kind: ConfigMap metadata: name: app-envs data: {{- range $key, $val := .Values.app.envs }} "{{ $key }}": "{{ $val }}" {{- end }}

Now you can use envFrom in the Deployment to define ConfigMap’s data as container environment variables:

...
containers:
  - name: backend
    image: {{ .Values.werf.image.backend }}
    command:
      - sh
      - -euc
      - |
        is_mysql_available() {
          tries=$1
          i=0
          while [ $i -lt $tries ]; do
            mysqladmin -h mysql -P 3306 -u root -p=password ping || return 1
            i=$((i+1))
            sleep 1
          done
        }
        # Waiting for `mysqladmin ping` to run 10 times in a row.
        until is_mysql_available 10; do
          sleep 1
        done
        is_minio_available() {
          tries=$1
          i=0
          while [ $i -lt $tries ]; do
            curl -sSL http://minio:9000/minio/health/live || return 1
            i=$((i+1))
            sleep 1
          done
        }
        # Waiting for MinIO to become available.
        until is_minio_available 10; do
          sleep 1
        done
        java -jar ./app.jar

    ports:
      - containerPort: 8080
    envFrom:
      - configMapRef:
          name: app-envs
... containers: - name: backend image: {{ .Values.werf.image.backend }} command: - sh - -euc - | is_mysql_available() { tries=$1 i=0 while [ $i -lt $tries ]; do mysqladmin -h mysql -P 3306 -u root -p=password ping || return 1 i=$((i+1)) sleep 1 done } # Waiting for `mysqladmin ping` to run 10 times in a row. until is_mysql_available 10; do sleep 1 done is_minio_available() { tries=$1 i=0 while [ $i -lt $tries ]; do curl -sSL http://minio:9000/minio/health/live || return 1 i=$((i+1)) sleep 1 done } # Waiting for MinIO to become available. until is_minio_available 10; do sleep 1 done java -jar ./app.jar ports: - containerPort: 8080 envFrom: - configMapRef: name: app-envs

Don’t forget to add checksum-containing annotations to trigger Pod re-deployment in response to ConfigMap changes:

...
template:
  metadata:
    labels:
      app: werf-guide-app
    annotations:
      checksum/configmap-nginx: '{{ include (print $.Template.BasePath "/configmap-nginx.yaml") . | sha256sum }}'
      checksum/configmap-app-envs: '{{ include (print $.Template.BasePath "/configmap-app-envs.yaml") . | sha256sum }}'
... template: metadata: labels: app: werf-guide-app annotations: checksum/configmap-nginx: '{{ include (print $.Template.BasePath "/configmap-nginx.yaml") . | sha256sum }}' checksum/configmap-app-envs: '{{ include (print $.Template.BasePath "/configmap-app-envs.yaml") . | sha256sum }}'

Similarly, you can load this ConfigMap into other resources that use the same environment variables.

Handling confidential data using Values and Secrets

To start working with secrets, you first need to generate a symmetric encryption key. You can use the following command to do this: werf helm secret generate-secret-key. However, since we have already prepared/encrypted the secrets for you, the encryption key that will be used in this chapter is generated as well. This encryption key is stored in the repository in the .werf_secret_key file; werf uses it automatically.

Caution! You MUST NOT store the key in the repository when working with real-life applications. We recommend keeping it in a safe place and passing via the WERF_SECRET_KEY environment variable. You can read more about using encryption keys in the werf documentation.

The application configuration contains data that should not be stored in unencrypted form in the repository (e.g., the database login and password). Thus, we won’t store the login and password in plain text in the configuration file (as we currently do) application.properties. Instead, we will store them encrypted in the .helm/secret-values.yaml file along with other confidential parameters:

app:
  secretEnvs:
    DB_HOST: 100002475edf3caf7f0ad16e82516825d644920931860dfd03d18a223ace3e904a8d
    DB_NAME: 1000cc9bc17cdf9be0d243a175e70c678551fabc2fc565400d4f1d073971d04c4476
    DB_USER: 1000b30937700b0ae942521863c68bf07838d69d21777e3969ed9dae11c80a25aec0
    DB_PASSWD: 1000f3946440168fedd538ad970295a07f1d879ff326cb9bc5dcdc37d3aded7d62a6
    MINIO_ROOT_USER: 10004f7c0096a31188fcf08d72caec935232eba574b5173fec7545cc4e79e46d2dbb
mysql:
  secretEnvs:
    MYSQL_ROOT_PASSWORD: 10002c1ab8d562a23214595282f55f8e0c84ee494acfe9a6b8b2d42f1e72d89c0325
minio:
  secretEnvs:
    MINIO_ROOT_PASSWORD: 10002c9d8394bab865f6836c0a8440a497242896a8890b96c9d006ce5a677ce7f4a0
app: secretEnvs: DB_HOST: 100002475edf3caf7f0ad16e82516825d644920931860dfd03d18a223ace3e904a8d DB_NAME: 1000cc9bc17cdf9be0d243a175e70c678551fabc2fc565400d4f1d073971d04c4476 DB_USER: 1000b30937700b0ae942521863c68bf07838d69d21777e3969ed9dae11c80a25aec0 DB_PASSWD: 1000f3946440168fedd538ad970295a07f1d879ff326cb9bc5dcdc37d3aded7d62a6 MINIO_ROOT_USER: 10004f7c0096a31188fcf08d72caec935232eba574b5173fec7545cc4e79e46d2dbb mysql: secretEnvs: MYSQL_ROOT_PASSWORD: 10002c1ab8d562a23214595282f55f8e0c84ee494acfe9a6b8b2d42f1e72d89c0325 minio: secretEnvs: MINIO_ROOT_PASSWORD: 10002c9d8394bab865f6836c0a8440a497242896a8890b96c9d006ce5a677ce7f4a0

Use the command below to decrypt the secrets stored in .helm/secret-values.yaml:

werf helm secret values decrypt .helm/secret-values.yaml

You should see the following output:

app:
  secretEnvs:
    DB_HOST: mysql
    DB_NAME: werf-guide-app
    DB_USER: root
    DB_PASSWD: password
    MINIO_ROOT_USER: minioadmin
mysql:
  secretEnvs:
    MYSQL_ROOT_PASSWORD: password
minio:
  secretEnvs:
    MINIO_ROOT_PASSWORD: minioadmin

Now, you need to pass the secrets contained in .helm/secret-values.yaml back to the application config. To do this, let’s first pass them to the Secret resource:

apiVersion: v1
kind: Secret
metadata:
  name: app-envs
type: Opaque
data:
  {{- range $key, $val := .Values.app.secretEnvs }}
  "{{ $key }}": "{{ $val | b64enc }}"
  {{- end }}
apiVersion: v1 kind: Secret metadata: name: app-envs type: Opaque data: {{- range $key, $val := .Values.app.secretEnvs }} "{{ $key }}": "{{ $val | b64enc }}" {{- end }}

… and then load this resource’s data as a set of environment variables by mounting it in containers:

...
containers:
  - name: backend
    image: {{ .Values.werf.image.backend }}
    command:
      - sh
      - -euc
      - |
        is_mysql_available() {
          tries=$1
          i=0
          while [ $i -lt $tries ]; do
            mysqladmin -h mysql -P 3306 -u root -p=password ping || return 1
            i=$((i+1))
            sleep 1
          done
        }
        # Waiting for `mysqladmin ping` to run 10 times in a row.
        until is_mysql_available 10; do
          sleep 1
        done
        is_minio_available() {
          tries=$1
          i=0
          while [ $i -lt $tries ]; do
            curl -sSL http://minio:9000/minio/health/live || return 1
            i=$((i+1))
            sleep 1
          done
        }
        # Waiting for MinIO to become available.
        until is_minio_available 10; do
          sleep 1
        done
        java -jar ./app.jar

    ports:
      - containerPort: 8080
    envFrom:
      - configMapRef:
          name: app-envs
      - secretRef:
          name: app-envs
... containers: - name: backend image: {{ .Values.werf.image.backend }} command: - sh - -euc - | is_mysql_available() { tries=$1 i=0 while [ $i -lt $tries ]; do mysqladmin -h mysql -P 3306 -u root -p=password ping || return 1 i=$((i+1)) sleep 1 done } # Waiting for `mysqladmin ping` to run 10 times in a row. until is_mysql_available 10; do sleep 1 done is_minio_available() { tries=$1 i=0 while [ $i -lt $tries ]; do curl -sSL http://minio:9000/minio/health/live || return 1 i=$((i+1)) sleep 1 done } # Waiting for MinIO to become available. until is_minio_available 10; do sleep 1 done java -jar ./app.jar ports: - containerPort: 8080 envFrom: - configMapRef: name: app-envs - secretRef: name: app-envs

You have to make similar changes to the rest of the .helm/templates files (we won’t delve into details here; you can take a look at their contents in the repository.)

You can also use Secrets to store and mount complete secret configuration files. This is similar to using ConfigMap to mount non-secret configuration files (as described above), except that the Secret contents must be stored encrypted in .helm/secret/... or .helm/secret-values.yaml. You can read more about this in the werf documentation.

Note: learn more about working with secrets in the werf documentation.

Checking whether the application runs as expected

Let’s make sure the configuration changes did not affect the application performance:

werf converge --repo <DOCKER HUB USERNAME>/werf-guide-app

You should see the following output:

┌ Concurrent builds plan (no more than 5 images at the same time)
│ Set #0:
│ - ⛵ image frontend
│ - ⛵ image backend
└ Concurrent builds plan (no more than 5 images at the same time)

┌ ⛵ image frontend
│ Use cache image for frontend/dockerfile
│      name: <DOCKER HUB USERNAME>/werf-guide-app:4d7fe10a14b3d39d37a747bf016e9e8557c5a6d7061cea9d57f2ffd0-1640809566489
│        id: 4325c3e47f17
│   created: 2022-10-29 23:26:06 +0000 UTC
│      size: 9.6 MiB
└ ⛵ image frontend (1.98 seconds)

┌ ⛵ image backend
│ Use cache image for backend/dockerfile
│      name: <DOCKER HUB USERNAME>/werf-guide-app:08454d39888855040def10d02d3687964e8484eca19b9208a10ab2de-1643016826637
│        id: 6eae976ee732
│   created: 2022-01-24 12:33:46 +0000 UTC
│      size: 243.9 MiB
└ ⛵ image backend (3.26 seconds)

┌ Waiting for release resources to become ready
│ ┌ deploy/werf-guide-app po/werf-guide-app-778cf48fb7-z8jqf container/setup-minio logs
│ │ curl: (7) Failed to connect to minio port 9000: Connection refused
│ │ curl: (7) Failed to connect to minio port 9000: Connection refused
│ └ deploy/werf-guide-app po/werf-guide-app-778cf48fb7-z8jqf container/setup-minio logs
│ 
│ ┌ Status progress
│ │ DEPLOYMENT                                                                                                  REPLICAS            AVAILABLE             UP-TO-DATE                           
│ │ werf-guide-app                                                                                              2/1                 1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                      ---                                                                            
│ │ ├── guide-app-6c7cbc8b8b-pw7qf               2/2            2                   Running                     Waiting for: replicas 2->1                                                     
│ │ └── guide-app-778cf48fb7-z8jqf               0/2            0                   Init:0/1                    
│ │ STATEFULSET                                                                                                 REPLICAS            READY                 UP-TO-DATE                           
│ │ minio                                                                                                       1/1                 0                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                      ---                                                                            
│ │ └── 0                                        0/1            0                   ContainerCreating           Waiting for: ready 0->1                                                        
│ │ mysql                                                                                                       1/1                 1                     1                                    
│ └ Status progress
│ 
│ ┌ deploy/werf-guide-app po/werf-guide-app-778cf48fb7-z8jqf container/setup-minio logs
│ │ curl: (7) Failed to connect to minio port 9000: Connection refused
│ │ curl: (7) Failed to connect to minio port 9000: Connection refused
│ │ curl: (7) Failed to connect to minio port 9000: Connection refused
│ └ deploy/werf-guide-app po/werf-guide-app-778cf48fb7-z8jqf container/setup-minio logs
│ 
│ ┌ Status progress
│ │ DEPLOYMENT                                                                                                  REPLICAS            AVAILABLE             UP-TO-DATE                           
│ │ werf-guide-app                                                                                              2/1                 1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                      ---                                                                            
│ │ ├── guide-app-6c7cbc8b8b-pw7qf               2/2            2                   Running                     Waiting for: replicas 2->1                                                     
│ │ └── guide-app-778cf48fb7-z8jqf               0/2            0                   Init:0/1                    
│ │ STATEFULSET                                                                                                 REPLICAS            READY                 UP-TO-DATE                           
│ │ minio                                                                                                       1/1                 1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                                                                                                     
│ │ └── 0                                        1/1            0                   Running                     
│ │ mysql                                                                                                       1/1                 1                     1                                    
│ └ Status progress
│ 
│ ┌ deploy/werf-guide-app po/werf-guide-app-778cf48fb7-z8jqf container/setup-minio logs
│ │ Added `minio` successfully.
│ │ Bucket created successfully `minio/werf-guide-app`.
│ └ deploy/werf-guide-app po/werf-guide-app-778cf48fb7-z8jqf container/setup-minio logs
│ 
│ ┌ Status progress
│ │ DEPLOYMENT                                                                                                  REPLICAS            AVAILABLE             UP-TO-DATE                           
│ │ werf-guide-app                                                                                              2/1                 1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                      ---                                                                            
│ │ ├── guide-app-6c7cbc8b8b-pw7qf               2/2            2                   Running                     Waiting for: replicas 2->1                                                     
│ │ └── guide-app-778cf48fb7-z8jqf               0/2            0                   PodInitializing             
│ │ STATEFULSET                                                                                                 REPLICAS            READY                 UP-TO-DATE                           
│ │ minio                                                                                                       1/1                 1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                                                                                                     
│ │ └── 0                                        1/1            0                   Running                     
│ │ mysql                                                                                                       1/1                 1                     1                                    
│ └ Status progress
│ 
│ ┌ Status progress
│ │ DEPLOYMENT                                                                                                  REPLICAS            AVAILABLE             UP-TO-DATE                           
│ │ werf-guide-app                                                                                              2->1/1              1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                                                                                                     
│ │ ├── guide-app-6c7cbc8b8b-pw7qf               2/2            2                   Running -> Terminating      
│ │ └── guide-app-778cf48fb7-z8jqf               2/2            0                   PodInitializing -> Running  
│ │ STATEFULSET                                                                                                 REPLICAS            READY                 UP-TO-DATE                           
│ │ minio                                                                                                       1/1                 1                     1                                    
│ │ │   POD                                      READY          RESTARTS            STATUS                                                                                                     
│ │ └── 0                                        1/1            0                   Running                     
│ │ mysql                                                                                                       1/1                 1                     1                                    
│ └ Status progress
└ Waiting for release resources to become ready (41.20 seconds)

Release "werf-guide-app" has been upgraded. Happy Helming!
NAME: werf-guide-app
LAST DEPLOYED: Mon Jan 24 12:36:55 2022
NAMESPACE: werf-guide-app
STATUS: deployed
REVISION: 52
TEST SUITE: None
Running time 47.57 seconds

Check if the application is available:

curl http://werf-guide-app.test/ping

You should see the following output:

pong

In this chapter, you learned how to securely store the confidential application parameters, minimize duplicate configuration, and turn application configs into templates (thus, no re-builds are necessary when changes are made).

prev
next