Openshift offers many possibilities to embed files in pods. Furthermore, there are many reasons to include files in pods. So, embedding configuration files is a powerful mechanism. In this way, unchangeable containers become populated with dynamic content. In brief, ConfigMaps or Secrets contain such files. During container startup the run time injects them into the container.

ConfigMaps to mount file into pods

The example ConfigMap contains a single file named kirk.pem. Here, it is an SSL certificate and encoded as multiline text in YAML format. A char sequence “|-” introduces multiline contents. Afterwards, following and indented lines define file content. As a result, we see a single file. But the map may contain a set of files.

ConfigMap Example

kind: ConfigMap
apiVersion: v1
metadata:
  name: es-certs-secret
  namespace: ${NAMESPACE}
data:
  kirk.pem: |-
    -----BEGIN CERTIFICATE-----
    MIIEdzCCA1+gAwIBAgIGAWLrc1O4MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm
    iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
    RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
    IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy
    MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBNMQswCQYDVQQGEwJkZTENMAsGA1UEBwwE
    dGVzdDEPMA0GA1UECgwGY2xpZW50MQ8wDQYDVQQLDAZjbGllbnQxDTALBgNVBAMM
    BGtpcmswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCwgBOoO88uMM8
    dREJsk58Yt4Jn0zwQ2wUThbvy3ICDiEWhiAhUbg6dTggpS5vWWJto9bvaaqgMVoh
    ElfYHdTDncX3UQNBEP8tqzHON6BFEFSGgJRGLd6f5dri6rK32nCotYS61CFXBFxf
    WumXjSukjyrcTsdkR3C5QDo2oN7F883MOQqRENPzAtZi9s3jNX48u+/e3yvJzXsB
    GS9Qmsye6C71enbIujM4CVwDT/7a5jHuaUp6OuNCFbdRPnu/wLYwOS2/yOtzAqk7
    /PFnPCe7YOa10ShnV/jx2sAHhp7ZQBJgFkkgnIERz9Ws74Au+EbptWnsWuB+LqRL
    x5G02IzpAgMBAAGjggEYMIIBFDCBvAYDVR0jBIG0MIGxgBSSNQzgDx4rRfZNOfN7
    X6LmEpdAc6GBlaSBkjCBjzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT
    8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4xITAfBgNV
    BAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEhMB8GA1UEAwwYRXhhbXBsZSBD
    b20gSW5jLiBSb290IENBggEBMB0GA1UdDgQWBBRsdhuHn3MGDvZxOe22+1wliCJB
    mDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSUBAf8EDDAKBggr
    BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAkPrUTKKn+/6g0CjhTPBFeX8mKXhG
    zw5z9Oq+xnwefZwxV82E/tgFsPcwXcJIBg0f43BaVSygPiV7bXqWhxASwn73i24z
    lveIR4+z56bKIhP6c3twb8WWR9yDcLu2Iroin7dYEm3dfVUrhz/A90WHr6ddwmLL
    3gcFF2kBu3S3xqM5OmN/tqRXFmo+EvwrdJRiTh4Fsf0tX1ZT07rrGvBFYktK7Kma
    lqDl4UDCF1UWkiiFubc0Xw+DR6vNAa99E0oaphzvCmITU1wITNnYZTKzVzQ7vUCq
    kLmXOFLTcxTQpptxSo5xDD3aTpzWGCvjExCKpXQtsITUOYtZc02AGjjPOQ==
    -----END CERTIFICATE-----
Mounting files from ConfigMap is pretty simple. Line 19 defines a volume and references ConfigMap at line 21. Furthermore, section at line 11 volumeMounts references the volume. In consequence, a simple use case is to mount all files from config map into given mountPath. The example shows a more advanced use case which mounts single files into file system. This way allows mounting files beside existing files.
kind: StatefulSet
apiVersion: apps/v1
metadata:
   ...
spec:
    spec:
      containers:
        - name: elasticsearch
          image: "amazon/opendistro-for-elasticsearch"
          ...
          volumeMounts:
             - name: es-certs-volume
               mountPath: /usr/share/elasticsearch/config/kirk.pem
               subPath: kirk.pem
             - name: es-certs-volume
               mountPath: /usr/share/elasticsearch/config/kirk-key.pem
               subPath: kirk-key.pem
       ...
       volumes:
         - name: es-certs-volume
           configMap:
           name: es-certs-secret
The most simple use case mounts the ConfigMap to a mount point. In consequence, it mounts all file entries to specified mount path and overrides existing contents. That means to replace an existing folder by on empty one. In consequence, it removes any existing file. After that, the empty folder mounts new contents.

The above example is more advanced and combines existing files with files from ConfigMap.

References:

The principle of secure software development

Many applications are vulnerable to attacks. Application development is becoming increasingly complex. At the same time, security requirements are gaining in importance. In this article, I show the challenges and offer solutions. Focusing on the principle of secure...

New: OKD Docker Image is stuck – Operation not possible

Openshift and also OKD Docker image is stuck when loading. A severe bug in the CRI-O engine causes stuck the OKD Docker images in an invalid and unusable state. There are discussions about timeouts while loading the images from the docker registry or too long...

Windows Subsystem for Linux and Minikube

The Windows Subsystem for Linux is the seamless integration of Linux into Windows. Use Windows natively and quickly issue a Linux command. Apply a Linux command to the Windows file system without having to start a virtual machine. As a result, Linux is always...

New: Openshift OKD causes image layer not known problems

The POD fails to start, and referrers to the image layer not known. The "layer not known" issue may affect one or more cluster nodes. In effect, there is a corrupt docker image on the local disk cache. The layer not known problem still exists, even after a node or...

The Docker daemon configuration files

Where are the Docker daemon configuration files located? How to restart the Docker daemon after applying changes to the configuration? How to change and activate the Docker configuration? These are frequently asked questions. But changes to the Docker configuration...

Make it easy: Apache Spark, Data Frames and Regex Power

Regular Expressions are a powerful tool to split texts into fragments. Furthermore, Apache Spark is an analytics engine and capable of processing large amounts of data sets. The feature of naming capturing groups makes the usage of regular expressions more accessible....

Docker Content Trust

Docker Content Trust feature enables your environment to run only with signed images. In this way, Docker Content Trust ensures that the docker pulls only signed containers from the docker registry. Once enabled, Docker Content Trust is active for all docker pull...

Docker, networks, subnets and IP address pools

Docker uses default address pools to create subnets. For most use cases, the shipped defaults fit. But sometimes they cause conflicts with existing networks or subnets. Overlapping networks may conflict with existing systems. Or a large number of docker networks...

Docker networks and subnets

Docker uses default address pools to create subnets. For most use cases, the shipped docker subnet defaults fit. But sometimes the docker subnets cause conflicts with existing networks or subnets. Overlapping networks may conflict with existing systems. Or a large...

Software containerization with docker reviewed

Docker software containerization reviewed Putting Software into containers seems to be state of the art. But what are the benefits? Are there any drawbacks? Most people have heard about docker technology. And not less have used docker. But we are looking towards more...