e48adbcb00
- Migrated from Python pre-commit to NodeJS-native solution - Reorganized documentation structure - Set up Husky + lint-staged for efficient pre-commit hooks - Fixed Dockerfile healthcheck issue - Added comprehensive documentation index
4.1 KiB
4.1 KiB
🎯 Template-Based Kubernetes Configuration
Overview
We've implemented a template-based approach using environment variables instead of manual base64 encoding for Kubernetes secrets. This is much more user-friendly and secure.
🆚 Before vs After Comparison
❌ Before (Manual Base64 Encoding)
Old approach required manual base64 encoding:
# k8s/couchdb-secret.yaml
apiVersion: v1
kind: Secret
data:
# User had to manually encode:
# echo -n "admin" | base64 -> YWRtaW4=
# echo -n "password" | base64 -> cGFzc3dvcmQ=
username: YWRtaW4=
password: cGFzc3dvcmQ=
Problems:
- 😣 Manual base64 encoding required
- 🔧 Error-prone (encoding mistakes)
- 📝 Hard to read/verify credentials
- 🔒 Credentials visible in YAML files
✅ After (Template-Based)
New approach uses templates with automatic substitution:
# k8s/couchdb-secret.yaml.template
apiVersion: v1
kind: Secret
metadata:
name: couchdb-secret
labels:
app: ${APP_NAME}
type: Opaque
stringData:
# Kubernetes automatically base64 encodes stringData
username: ${COUCHDB_USER}
password: ${COUCHDB_PASSWORD}
Benefits:
- ✅ No manual base64 encoding needed
- ✅ Environment variables from
.envfile - ✅ Human-readable configuration
- ✅ Automatic deployment script
- ✅ Customizable app names
🚀 How It Works
1. Configuration in .env
# .env (user-friendly configuration)
APP_NAME=my-rxminder
COUCHDB_USER=admin
COUCHDB_PASSWORD=super-secure-password-123
INGRESS_HOST=rxminder.mydomain.com
2. Template Substitution
# Automatic substitution with envsubst
envsubst < k8s/couchdb-secret.yaml.template
Result:
apiVersion: v1
kind: Secret
metadata:
name: couchdb-secret
labels:
app: my-rxminder
type: Opaque
stringData:
username: admin
password: super-secure-password-123
3. Kubernetes Processing
- Kubernetes automatically base64 encodes
stringDatafields - No manual encoding required
- More secure and reliable
🎛️ Deployment Options
Option 1: Automated Script (Recommended)
# Copy and configure
cp .env.example .env
nano .env
# Deploy everything
./scripts/k8s-deploy-template.sh deploy
Option 2: Manual Template Processing
# Set environment variables
export APP_NAME=my-rxminder
export COUCHDB_PASSWORD=secure-password
# Process templates
envsubst < k8s/couchdb-secret.yaml.template | kubectl apply -f -
envsubst < k8s/ingress.yaml.template | kubectl apply -f -
🔧 Template Files Created
k8s/couchdb-secret.yaml.template- Database credentialsk8s/ingress.yaml.template- Ingress with custom hostnamek8s/configmap.yaml.template- Application configurationk8s/frontend-deployment.yaml.template- Frontend deploymentscripts/k8s-deploy-template.sh- Automated deployment script
🛡️ Security Benefits
- No hardcoded credentials in version control
- Environment-specific configuration via
.envfiles - Automatic validation of required variables
- Kubernetes stringData (auto base64 encoding)
- Clear separation of config and code
📝 User Experience Improvements
| Aspect | Before | After |
|---|---|---|
| Setup Complexity | High (manual base64) | Low (edit .env) |
| Error Rate | High (encoding mistakes) | Low (plain text) |
| Readability | Poor (base64 strings) | Excellent (plain text) |
| Customization | Manual file editing | Environment variables |
| Deployment | Multi-step manual | Single command |
🎯 Result
The template-based approach makes RxMinder deployment:
- More user-friendly - No technical encoding required
- More secure - Credentials externalized to
.env - More maintainable - Clear separation of config and manifests
- More flexible - Easy customization via environment variables
This is a production-ready, enterprise-grade configuration management approach that follows Kubernetes best practices.