Nacos-Controller 2.0: Efficiently Manage Your K8s Configuration with Nacos

Limitations of Kubernetes Configuration Management

Currently, in Kubernetes clusters, configuration management is primarily implemented through ConfigMap and Secret. These two resources allow users to inject configuration information into Pods through environment variables or files. Despite Kubernetes providing these powerful tools, there are still some challenges in practical applications:

Lack of historical version management: ConfigMap and Secret in Kubernetes do not directly support historical version management; the old version's configuration will be overwritten after an update, and it cannot be directly restored to the previous version. If problems occur after a configuration update, it is impossible to quickly roll back to the previous version, which may lead to system instability or service interruptions, making it difficult for fault troubleshooting and compliance auditing.
Lack of dynamism: The native configuration management mechanism in Kubernetes does not support real-time push of configuration changes, which means the updated configuration does not take effect in the application immediately unless the Pod is restarted, resulting in slow system response and poor flexibility.
No gray release capability: The native configuration management mechanisms in Kubernetes (such as ConfigMap and Secret) do not directly support gray release. Configuration changes usually require manual updates and are immediately applied to all related Pods.
Security issues: Although Secrets can be used to store sensitive information, their security and access control still need to be enhanced.

Advantages of Nacos Configuration Management

Nacos (Dynamic Naming and Configuration Service) is a dynamic service discovery, configuration management, and service management platform. It is designed to help developers build cloud-native applications more easily, providing a set of simple and user-friendly features to simplify service discovery, configuration management, and service management in microservice architectures. Nacos provides many advanced management features in configuration management, effectively addressing the aforementioned issues:

● History version management: Nacos supports the management of historical versions of configurations, allowing you to easily view and restore to previous configuration versions. This makes rolling back configurations much simpler and more reliable.

● Unified configuration management: Nacos provides a centralized configuration management center that allows for unified management of configuration information across all environments, simplifying the configuration management process. Through an intuitive web interface, users can easily view, edit, and manage configurations.

● Dynamic configuration updates: Nacos supports real-time push of configuration changes, allowing new configurations to take effect without restarting Pods, greatly enhancing the system's flexibility and response speed.

● Gray release support: Nacos supports gray release functionality for configurations, allowing configuration changes to be pushed to specific service instances or environments. Using Nacos's gray release feature, new configurations can be tested on a subset of instances to ensure their stability before gradually rolling them out to all instances.

● Secure storage of sensitive information: Nacos provides a multi-layer security mechanism, including configuration encryption and secure transmission, to ensure the safety of sensitive information.

● Rich multi-language support: Nacos offers extensive multi-language support covering Java, Go, Python, etc. Regardless of the technology stack your microservice architecture is based on, as long as they can connect to Nacos, you can enjoy a consistent configuration management experience.

Recently, with the release of the Nacos 3.0 Beta version, the Nacos community released the Nacos-Controller 2.0 version, which helps synchronize K8s services to Nacos while also supporting bidirectional synchronization of K8s ConfigMap, Secret with Nacos configurations. Based on Nacos-Controller 2.0, Nacos can host K8s configurations with one click, empowering K8s configuration management. Next, let's see how to use Nacos to manage K8s configurations.

Using Nacos-Controller to Host K8s Configuration with One Click

Nacos Controller 2.0 supports bidirectional synchronization of Kubernetes cluster configurations and Nacos configurations, enabling the synchronization of ConfigMap and Secret from specific namespaces in the Kubernetes cluster to designated namespaces in Nacos. Users can achieve dynamic modifications and management of Kubernetes cluster configurations through Nacos. The mapping relationship between Nacos configurations and Kubernetes configurations is shown in the following table:

ConfigMap/Secret	Nacos Config
Namespace	User-specified namespace
Name	Group
Key	DataId
Value	Content

Currently, two main strategies for configuration synchronization are supported:

● Full synchronization: All ConfigMaps and Secrets in the specific namespace of the Kubernetes cluster are automatically synchronized to Nacos; the Nacos Controller will automatically synchronize all newly created ConfigMaps and Secrets.

● Partial synchronization: Only the user-specified ConfigMaps and Secrets are synchronized to Nacos.

Deploying Nacos Controller

Install Helm, refer to the documentation;
Install Nacos Controller to the corresponding Kubernetes cluster:

git clone https://github.com/nacos-group/nacos-controller.git
cd nacos-controller/charts/nacos-controller

export KUBECONFIG=/your-K8s-cluster/access-credentials/file-path
kubectl create ns nacos
helm install -n nacos nacos-controller .

Quick Start

You can quickly synchronize the configuration of the current namespace in the Kubernetes cluster to Nacos with the following command:

cd nacos-controller
chmod +x configQuicStart.sh 
    
./configQuicStart.sh <nacos-addr> <nacos-namespace-id>

In addition, you can refer to the instructions: customize the DynamicConfiguration YAML file as needed and deploy it to the K8s cluster.

Full Synchronization of K8s Cluster Namespace Configuration to Nacos

1. Write DynamicConfiguration YAML file:

apiVersion: nacos.io/v1
kind: DynamicConfiguration
metadata:
   name: dc-demo
spec:
   nacosServer:
      # endpoint: Nacos server address, mutually exclusive with serverAddr, with higher priority than serverAddr, choose one of endpoint or serverAddr
      endpoint: <your-nacos-server-endpoint>
      # serverAddr: Nacos address, choose one of endpoint or serverAddr
      serverAddr: <your-nacos-server-addr>
      # namespace: User-specified namespace
      namespace: <your-nacos-namespace-id>
      # authRef: Reference to the Secret that stores Nacos client authentication information, supports username/password and AK/SK; can be ignored if Nacos server authentication is not enabled
      authRef:
         apiVersion: v1
         kind: Secret
         name: nacos-auth
   strategy:
      # scope: Synchronization strategy, full indicates full synchronization, partial indicates partial synchronization
      scope: full
      # Whether to synchronize configuration deletion operations
      syncDeletion: true
      # conflictPolicy: Synchronization conflict policy, preferCluster indicates that in case of conflict during initial synchronization, Kubernetes cluster configuration takes precedence, preferServer indicates that Nacos configuration takes precedence
      conflictPolicy: preferCluster
---
apiVersion: v1
kind: Secret
metadata:
    name: nacos-auth
data:
    # Aliyun Mse Nacos uses AK SK for authentication
    accessKey: <base64 ak>
    secretKey: <base64 sk>
    # Open-source Nacos uses username and password for authentication
    username: <base64 your-nacos-username>
    password: <base64 your-nacos-password>

2. Execute the command to deploy DynamicConfiguration to the Kubernetes cluster namespace that needs full synchronization to achieve full configuration synchronization:

kubectl apply -f dc-demo.yaml -n <namespace>

Partial Synchronization of K8s Cluster Namespace Configuration to Nacos

1. Write the DynamicConfiguration YAML file. The difference from full synchronization mainly lies in the strategy part, and you need to specify the ConfigMap and Secret that need to be synchronized:

apiVersion: nacos.io/v1
kind: DynamicConfiguration
metadata:
   name: dc-demo
spec:
   nacosServer:
      # endpoint: Nacos server address, mutually exclusive with serverAddr, with higher priority than serverAddr; choose one of endpoint or serverAddr
      endpoint: <your-nacos-server-endpoint>
      # serverAddr: Nacos address, choose one of endpoint or serverAddr
      serverAddr: <your-nacos-server-addr>
      # namespace: User-specified namespace
      namespace: <your-nacos-namespace-id>
      # authRef: Reference to the Secret that stores Nacos client authentication information, supporting username/password and AK/SK; can be ignored if Nacos server authentication is not enabled
      authRef:
         apiVersion: v1
         kind: Secret
         name: nacos-auth
   strategy:
      # scope: Synchronization strategy; full indicates full synchronization, partial indicates partial synchronization
      scope: partial
      # Whether to synchronize configuration deletion operations
      syncDeletion: true
      # conflictPolicy: Synchronization conflict policy; preferCluster indicates that in case of conflict during initial synchronization, Kubernetes cluster configuration takes precedence; preferServer indicates that Nacos configuration takes precedence
      conflictPolicy: preferCluster
   # ConfigMap and Secrets to be synchronized
   objectRefs:
      - apiVersion: v1
        kind: ConfigMap
        name: nacos-config-cm
      - apiVersion: v1
        kind: Secret
        name: nacos-config-secret
---
apiVersion: v1
kind: Secret
metadata:
    name: nacos-auth
data:
    accessKey: <base64 ak>
    secretKey: <base64 sk>
    username: <base64 your-nacos-username>
    password: <base64 your-nacos-password>

2. Execute the command to deploy DynamicConfiguration to the Kubernetes cluster namespace that needs synchronization, achieving partial configuration synchronization:

kubectl apply -f dc-demo.yaml -n <namespace>

Through the above steps, the Nacos Controller will automatically achieve full or partial synchronization between K8s cluster configurations and Nacos configurations based on the DynamicConfiguration configuration information we provide. Let's take a look at the specific effects!

Effect Demonstration

Taking full synchronization as an example, after completing the deployment of Nacos-controller, we execute the following command to check the ConfigMap in the default namespace of the current K8s cluster:

% kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      63m

It can be seen that currently, there is only one configuration "kube-root-ca.crt."

Write the DynamicConfiguration YAML file, choose full synchronization mode, and execute the command to deploy:

apiVersion: nacos.io/v1
kind: DynamicConfiguration
metadata:
    name: dc-demo
spec:
  nacosServer:
    endpoint: nacos-serverAddr
    serverAddr: nacos-serverAddr
    namespace: xxxxxxxxxxxxxxxxx #Choose the Nacos namespace to synchronize to
  strategy:
    scope: full
    syncDeletion: true
    conflictPolicy: preferCluster

kubectl apply -f dc-demo.yaml

Check the corresponding Nacos console:

It can be found that under the corresponding namespace, there is an additional Nacos configuration grouped as configmap.kube-root-ca.crt with dataId ca.crt, which corresponds to the K8s configuration that has been synchronized to Nacos.

At this moment, we create another ConfigMap in K8s using the kubectl command:

apiVersion: v1
kind: ConfigMap
metadata:
    name: testconfig
    namespace: default
data:
    test.properties: "Hello, World"

kubectl apply -f test.yaml

Check the Nacos console; you can find that there is also an additional corresponding Nacos configuration under the namespace, where the dataId corresponds to the Key in the ConfigMap, grouped by the Name of the ConfigMap:

Edit the corresponding configuration content in the Nacos console and publish:

View the corresponding ConfigMap content through kubectl:

kubectl describe configmap testconfig

Name:         testconfig
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
test.properties:
----
Hi, World


BinaryData
====

Events:  <none>

It can be seen that the corresponding configuration content has changed, and the changes to the configuration content in Nacos have been synchronized to the K8s cluster.

At the same time, through the historical version feature of Nacos, historical changes can be traced, allowing for a comparison of content differences between each version, and quick rollbacks when faults occur:

By hosting K8s cluster configurations in Nacos via Nacos-Controller, users can manage K8s configurations through the Nacos console in a visual manner, avoiding the black-screen operations done using kubectl. At the same time, Nacos allows for unified management of configurations across different environments (development, production, testing), and the historical version feature can assist users with auditing, tracing, and recovery. Currently, Nacos-Controller 2.0 has been released in sync with the Nacos 3.0-BETA version, come and experience it!

Accessing Nacos Advanced Configuration Management Capabilities

Nacos-Controller 2.0 supports hosting K8s cluster configurations in Nacos for bidirectional synchronization, providing K8s configurations with historical versions, visual operations, and centralized configuration management capabilities. If you wish to manage application configurations more efficiently and have the following higher requirements for configuration management:

● Dynamic configuration effectiveness: Configuration changes can take effect directly in the application without requiring a restart.

● Configuration gray release: When configuration updates go live, validate the gray release on a small number of nodes first, ensuring there is no risk before pushing to all nodes.

● Secure storage of sensitive configurations: My configurations store sensitive information such as keys, and it is essential to ensure this information does not leak.

● Configuration listening and querying: I want to intuitively understand which nodes are using this configuration.

In that case, we recommend using the second method: integrate the Nacos SDK into your application to easily enjoy the advanced configuration management capabilities offered by Nacos:

Configuration Gray Release

Nacos supports IP-based gray release:

Content received by the official nodes:

receive:Hi, World

Content received by the gray node with IP=192.168.255.254:

receive:Hi, World Gray

Aliyun Enterprise Edition Mse Nacos also provides stronger multi-version tag gray release capabilities, welcome to learn more.

Configuration Listening and Querying

You can easily see which clients are listening to the corresponding configuration in the Nacos console.

Secure Transmission and Storage of Sensitive Information

If sensitive information is stored or transmitted in plaintext, it may easily become a target for hackers, leading to data leakage or system misuse. Once this information is leaked, it could severely impact user privacy, corporate security, and system stability.

The Nacos configuration center supports configuration encryption and TLS transmission encryption, establishing a comprehensive zero-trust security system that can achieve end-to-end encryption for sensitive information stored in Nacos from storage to transmission, greatly enhancing security:

MSE Nacos takes a step further by collaborating with Aliyun Key Management Service (KMS) to support higher-level asymmetric encryption for configurations. To address data security risks, MSE Nacos can provide solutions for sensitive configurations that meet the data security requirements of national-level standards.

Application Access to Nacos SDK

Taking Java as an example, when users do not integrate with Nacos and retrieve K8s configuration changes directly through environment variables or files, they usually employ polling methods:

String ENV_VARIABLE_NAME = "YOUR_ENV_VARIABLE_NAME"; // Replace with your environment variable name
String lastValue = System.getenv(ENV_VARIABLE_NAME);
ScheduledExecutorService executorService = Executors.newScheduledThreadPool(1);

// Check the environment variable changes every 5 seconds
executorService.scheduleAtFixedRate(() -> {
    String currentValue = System.getenv(ENV_VARIABLE_NAME);
    if (currentValue != null && !currentValue.equals(lastValue)) {
        System.out.println("Environment variable " + ENV_VARIABLE_NAME + " has changed: from " + lastValue + " to " + currentValue);
        lastValue = currentValue;
    }
}, 0, 5, TimeUnit.SECONDS);

But by modifying just a few lines of code, you can integrate the Nacos Java SDK and enjoy the advanced configuration management features of Nacos:

String serverAddr = "{serverAddr}";
String dataId = "{dataId}";
String group = "{group}";
Properties properties = new Properties();
// Specify Nacos address
properties.put("serverAddr", serverAddr);
ConfigService configService = NacosFactory.createConfigService(properties);
// Query Nacos configuration
String content = configService.getConfig(dataId, group, 5000);
// Listen for Nacos configuration changes
configService.addListener(dataId, group, new Listener() {
    @Override
    public void receiveConfigInfo(String configInfo) {
        System.out.println("receive1:" + configInfo);
    }
    @Override
    public Executor getExecutor() {
        return null;
    }
});

In addition to Java, Nacos offers extensive multi-language support covering popular programming languages such as Go and Python, and the corresponding open-source community is also very active. Regardless of the programming language used in your application, you can easily integrate using a similar approach and enjoy the advanced configuration management capabilities of Nacos.

Conclusion

Whether utilizing Nacos-Controller for bidirectional synchronization of configurations or directly integrating the Nacos SDK in applications to gain more advanced configuration management features, both approaches significantly enhance the flexibility, security, and maintainability of configuration management. By using Nacos, you can better manage and optimize your application configurations, increasing system stability and reliability. In addition, Nacos-Controller 2.0 also supports synchronization between Nacos services and K8S Services. Recently, the Nacos 3.0-BETA version has been released, significantly enhancing security while adding new features such as distributed locks and fuzzy subscriptions. Everyone is welcome to experience it!

Community

Nacos-Controller 2.0: Efficiently Manage Your K8s Configuration with Nacos

Limitations of Kubernetes Configuration Management

Advantages of Nacos Configuration Management

Using Nacos-Controller to Host K8s Configuration with One Click

Deploying Nacos Controller

Quick Start

Full Synchronization of K8s Cluster Namespace Configuration to Nacos

Partial Synchronization of K8s Cluster Namespace Configuration to Nacos

Effect Demonstration

Accessing Nacos Advanced Configuration Management Capabilities

Configuration Gray Release

Configuration Listening and Querying

Secure Transmission and Storage of Sensitive Information

Application Access to Nacos SDK

Conclusion

Related Links

Read previous post:

Read next post:

Alibaba Cloud Native Community

You may also like

Comments

Alibaba Cloud Native Community

Related Products

Cloud-Native Applications Management Solution

Managed Service for Prometheus

Container Service for Kubernetes

ACK One