Cloud-Native Microservices With Kubernetes - 2nd Edition

A Comprehensive Guide to Building, Scaling, Deploying, Observing, and Managing Highly-Available Microservices in Kubernetes

From Settings to Startup: Managing Configuration and Initialization in Kubernetes

Use Cases and Required Environment

We are going to build a simple application that signs messages using HMAC. HMAC stands for Hash-based Message Authentication Code. It’s a way to verify that a message hasn’t been tampered with and that it came from someone who knows a shared secret key.

It works by:

  1. Taking your message (for example, "hello"),
  2. Mixing it with a secret key,
  3. Running it through a hash function like SHA-256,
  4. Producing a signature (a short, fixed-length code).

When someone else receives the message and signature, they can recompute the HMAC with the same secret key. If their result matches yours, they know the message is authentic and hasn’t been altered. This can be useful for several use cases, such as:

  • API authentication (AWS Signature v4 uses HMAC to sign requests)
  • Signed URLs (like pre-signed S3 URLs)
  • Internal microservice communication when messages need to be verified and trusted
  • And more.
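
The sign-and-verify exchange described above, as an added example that is not part of the course's own code. It assumes the unpadded URL-safe base64 signature format that the application's /sign endpoint returns; the key, the messages, and the allow-list of digests are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: an explicit allow-list of digests, rather than resolving an
# arbitrary attribute name on hashlib.
ALLOWED_ALGOS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def sign(key: bytes, msg: str, algo: str = "sha256") -> str:
    """Sender side: HMAC the message, return unpadded URL-safe base64."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported algo: {algo}")
    mac = hmac.new(key, msg.encode(), ALLOWED_ALGOS[algo]).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def verify(key: bytes, msg: str, signature: str, algo: str = "sha256") -> bool:
    """Receiver side: recompute the HMAC and compare in constant time."""
    if algo not in ALLOWED_ALGOS:
        return False
    expected = sign(key, msg, algo)
    # compare_digest avoids leaking, through timing, how many leading
    # characters of a guessed signature were correct. A plain == would
    # return as soon as the first differing character is found.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    sig = sign(key, "hello")
    print("signature:", sig)
    print("authentic:", verify(key, "hello", sig))           # True
    print("tampered: ", verify(key, "hello!", sig))          # False
    print("wrong key:", verify(b"other-key", "hello", sig))  # False
```
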

Before starting, let's remove any previous resource we might have created in our cluster:

# Delete all kubernetes resources created in the cluster
kubectl delete all --all
kubectl delete all --all -n stateless-flask
kubectl delete all --all -n stateful-flask
kubectl delete all --all -n postgres

# Delete all helm releases
helm ls --all --short | xargs -L1 helm delete

Run the following commands to create the project directories, the virtual environment, and the requirements file:

cd $HOME
mkdir -p hmac
mkdir -p hmac/app
mkdir -p hmac/kubernetes
cd hmac

# Create a virtual environment using Virtualenvwrapper:
mkvirtualenv hmac

# Prepare the requirements file:
cat <<EOF > app/requirements.txt
Flask==3.0.0
EOF

Create the Flask application code:

cat <<EOF > app/app.py
from flask import Flask, request, abort, send_file
import os, hmac, hashlib, base64

app = Flask(__name__)

# Hash algorithm to use, configurable via ConfigMap (default = sha256)
ALGO = os.environ.get("SIGNING_ALGO", "sha256")

# Secret key used to sign messages (loaded from Kubernetes Secret)
KEY = os.environ["SIGNING_KEY"].encode()

@app.get("/")
def home():
    # Serve a static HTML page created by the init container or ConfigMap
    return send_file("/data/index.html")

@app.get("/sign")
def sign():
    # Read message from query string, e.g., /sign?msg=hello
    msg = request.args.get("msg")
    if not msg:
        abort(400, "missing ?msg=")

    # Pick the hash function dynamically (sha256, sha1, etc.)
    digestmod = getattr(hashlib, ALGO, None)
    if not digestmod:
        abort(400, f"unsupported algo: {ALGO}")

    # Compute HMAC: combine secret key + message using the chosen hash
    sig = hmac.new(KEY, msg.encode(), digestmod).digest()

    # Return signature in URL-safe base64 format (no padding)
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
EOF
