
ConfigMaps and Secrets

Hard-coding configuration into a container image ties that image to one environment and forces a rebuild for every configuration change. ConfigMaps and Secrets move the configuration out of the image and into the cluster, where pods consume it as environment variables or as files.

ConfigMaps hold non-sensitive key-value pairs. They are stored in plaintext and are readable by anyone with RBAC permission to get ConfigMaps in the namespace, so credentials never belong in one.

From literals:

```sh
kubectl create configmap app-config \
  --from-literal=LOG_LEVEL=info \
  --from-literal=MAX_CONNECTIONS=100
```

From a file (the file name becomes the key and its contents the value; use --from-file=<key>=<path> to pick a different key):

```sh
kubectl create configmap app-config --from-file=config.properties
```

From YAML:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
  MAX_CONNECTIONS: "100"
  APP_CONFIG: |
    key1=value1
    key2=value2
```

As environment variables (both fragments sit inside the container spec):

```yaml
env:
  - name: LOG_LEVEL
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: LOG_LEVEL
# Or inject all keys at once:
envFrom:
  - configMapRef:
      name: app-config
```

With envFrom every key becomes a variable, so the keys must be valid environment-variable names; keys that are not are skipped and reported as an event on the pod.

As a volume (file mount):

```yaml
volumes:
  - name: config-volume
    configMap:
      name: app-config
containers:
  - name: my-app
    volumeMounts:
      - name: config-volume
        mountPath: /etc/config
```

Each key becomes a file at /etc/config/<key>.

Secrets hold sensitive data such as passwords, API keys and tokens. Their values are base64-encoded, which is an encoding, not encryption: anyone who can read the object can decode them. The API server stores Secrets in etcd in plaintext unless encryption at rest is configured (an EncryptionConfiguration with an aescbc, aesgcm, secretbox or KMS provider), so restrict get, list and watch on Secrets with RBAC and protect etcd and its backups as you would the credentials themselves.

```sh
kubectl create secret generic db-credentials \
  --from-literal=username=admin \
  --from-literal=password=s3cur3p@ss
```

--from-literal puts the password on the command line, where it lands in shell history and is visible in process listings while kubectl runs. For real credentials read the value from a file (--from-file=password=<path>) or from an env file (--from-env-file) instead.

From YAML (values under data must be base64-encoded; the -n matters, because without it echo appends a newline that gets encoded into the secret):

```sh
echo -n 'admin' | base64        # YWRtaW4=
echo -n 's3cur3p@ss' | base64   # czNjdXIzcEBzcw==
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=
  password: czNjdXIzcEBzcw==
```

The stringData field accepts the same keys as plain text and the API server encodes them into data on write, which avoids hand-encoding. Either way, a manifest holding real credentials must not be committed to source control unencrypted.
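As an added example that is not code from the page, the following Python builds a Secret manifest the way `kubectl create secret generic` and the YAML above do, offers the `stringData` form as an alternative, and decodes a Secret back the way the `jsonpath | base64 --decode` pipeline does. The object and key names (db-credentials, username, password) are the page's; the function names are this example's own. It emits JSON, which `kubectl apply -f -` accepts just like YAML, and it includes a check for the stray trailing newline that `echo` without `-n` produces.

```python
import base64
import json

# Added example, not code from the page: build and decode Secret manifests.
# Names of objects/keys follow the page; function names are this example's own.


def b64(value: str) -> str:
    """Encode exactly as `echo -n ... | base64` does: UTF-8 bytes, no trailing newline."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def secret_manifest(name: str, values: dict, use_string_data: bool = False) -> dict:
    """Return an Opaque Secret.

    With use_string_data=True the plain strings go under `stringData`; the API
    server base64-encodes them into `data` on write, so nobody runs base64 by
    hand (and nobody pastes the newline that `echo` without -n produces).
    """
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
    }
    if use_string_data:
        manifest["stringData"] = dict(values)
    else:
        manifest["data"] = {k: b64(v) for k, v in values.items()}
    return manifest


def decode_secret(manifest: dict) -> dict:
    """Decode every `data` entry back to text; validate=True rejects corrupt input."""
    return {
        key: base64.b64decode(enc, validate=True).decode("utf-8")
        for key, enc in manifest.get("data", {}).items()
    }


def trailing_whitespace_keys(manifest: dict) -> list:
    """Keys whose decoded value ends in a newline or space.

    This is the classic symptom of `echo 'admin' | base64` (no -n): the Secret
    stores "admin\n", the application sends "admin\n" to the database, and the
    login fails with no obvious cause.
    """
    return [k for k, v in decode_secret(manifest).items() if v != v.rstrip("\r\n ")]


if __name__ == "__main__":
    # Constructed sample values: the page's own example credentials.
    creds = {"username": "admin", "password": "s3cur3p@ss"}
    print(json.dumps(secret_manifest("db-credentials", creds), indent=2))
    print(json.dumps(secret_manifest("db-credentials", creds, use_string_data=True), indent=2))
    # `echo 'admin' | base64` (no -n) yields YWRtaW4K, which decodes to "admin\n".
    print(trailing_whitespace_keys({"data": {"username": "YWRtaW4K"}}))
```

Pipe the printed manifest into `kubectl apply -f -`; the `stringData` variant is the one to use in templating pipelines, since the API server does the encoding and the trailing-newline mistake cannot happen.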
As environment variables:

```yaml
env:
  - name: DB_USERNAME
    valueFrom:
      secretKeyRef:
        name: db-credentials
        key: username
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-credentials
        key: password
```

Secrets injected as environment variables are inherited by every child process and are easily leaked through crash dumps or debug endpoints that print the environment; prefer a volume mount when the application can read files.

As a volume:

```yaml
volumes:
  - name: secret-volume
    secret:
      secretName: db-credentials
# in the container spec:
volumeMounts:
  - name: secret-volume
    mountPath: /etc/secrets
    readOnly: true
```

Secret volumes are backed by tmpfs, so the decoded values live in memory and are never written to the node's disk. Mount them readOnly and tighten the file permissions with defaultMode; the default is 0644, readable by every user inside the container.
Common Secret types:

| Type | Use |
| --- | --- |
| Opaque | Arbitrary user-defined data (most common) |
| kubernetes.io/dockerconfigjson | Docker registry credentials (key `.dockerconfigjson`) |
| kubernetes.io/tls | TLS certificate and key (keys `tls.crt` and `tls.key`) |
| kubernetes.io/service-account-token | Service account tokens |
Inspecting ConfigMaps and Secrets:

```sh
kubectl get configmaps
kubectl describe configmap app-config
kubectl get secret db-credentials -o yaml
# Decode a secret value
kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 --decode
```

kubectl get secret -o yaml prints the base64 values unmasked, so anyone who can run it already holds the secret; the decode step is a convenience, not a barrier.
  • Secrets are base64-encoded, not encrypted. Enable encryption at rest for the secrets resource in etcd, and for managing them at scale use Sealed Secrets (encrypted for storage in git), External Secrets Operator (synced from an external store) or HashiCorp Vault.
  • When a ConfigMap or Secret is updated, pods consuming it through environment variables keep the old values until they are restarted. Volume mounts are refreshed by the kubelet eventually (kubelet sync period plus cache propagation delay), except for subPath mounts, which never receive updates; objects marked immutable: true are never updated at all and must be replaced.
  • kubectl rollout restart deployment/my-app forces a rolling restart after a config change (it stamps the pod template with a kubectl.kubernetes.io/restartedAt annotation, which changes the template and triggers a rollout). To make this automatic, put a hash of the ConfigMap or Secret contents in a pod-template annotation so that every content change alters the template.
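The hash-in-the-pod-template pattern from the last bullet, worked through as an added example that is not code from the page or from Kubernetes. It computes a content checksum over ConfigMap/Secret data, stamps it into a Deployment's pod-template annotations, decides whether a rollout is due, and lists the subPath mounts that will not refresh on their own. The annotation key `checksum/config` is the convention Helm charts use rather than a Kubernetes API field; the function names and the sample manifests (which reuse the page's app-config and my-app names) are this example's own.

```python
import hashlib
import json

# Added example, not code from the page or from Kubernetes. The annotation key
# follows the Helm convention; functions and sample manifests are constructed here.

CHECKSUM_ANNOTATION = "checksum/config"

# Constructed sample manifests using the page's names (app-config, my-app).
APP_CONFIG = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "app-config"},
    "data": {"LOG_LEVEL": "info", "MAX_CONNECTIONS": "100"},
}

SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-app"},
    "spec": {
        "selector": {"matchLabels": {"app": "my-app"}},
        "template": {
            "metadata": {"labels": {"app": "my-app"}},
            "spec": {
                "volumes": [{"name": "config-volume", "configMap": {"name": "app-config"}}],
                "containers": [{
                    "name": "my-app",
                    "image": "registry.example/my-app:1.0",  # placeholder image
                    "envFrom": [{"configMapRef": {"name": "app-config"}}],
                    "volumeMounts": [
                        {"name": "config-volume", "mountPath": "/etc/config"},
                        # subPath: one key as one file, but it never sees updates
                        {"name": "config-volume", "mountPath": "/etc/app.properties",
                         "subPath": "APP_CONFIG"},
                    ],
                }],
            },
        },
    },
}


def config_checksum(*manifests: dict) -> str:
    """SHA-256 over canonical JSON of each object's data fields.

    Sorted keys, no whitespace and no metadata: a relabelled ConfigMap with the
    same contents yields the same hash, a one-character value change does not.
    """
    h = hashlib.sha256()
    for m in manifests:
        payload = {
            "kind": m.get("kind"),
            "name": m.get("metadata", {}).get("name"),
            "data": m.get("data", {}),
            "stringData": m.get("stringData", {}),
            "binaryData": m.get("binaryData", {}),
        }
        h.update(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return h.hexdigest()


def stamp_pod_template(deployment: dict, checksum: str) -> dict:
    """Copy of the Deployment with the checksum under spec.template.metadata.annotations."""
    d = json.loads(json.dumps(deployment))  # deep copy; the input stays untouched
    meta = d["spec"]["template"].setdefault("metadata", {})
    meta.setdefault("annotations", {})[CHECKSUM_ANNOTATION] = checksum
    return d


def rollout_needed(deployment: dict, *manifests: dict) -> bool:
    """True when the template's recorded checksum differs from the current config."""
    recorded = (deployment["spec"]["template"].get("metadata", {})
                .get("annotations", {}).get(CHECKSUM_ANNOTATION))
    return recorded != config_checksum(*manifests)


def subpath_mounts(pod_spec: dict) -> list:
    """(container, mountPath) pairs mounting a ConfigMap/Secret key via subPath.

    The kubelet copies these files once at pod start and never refreshes them,
    so they need the rollout above even though they are volume mounts.
    """
    config_volumes = {v["name"] for v in pod_spec.get("volumes", [])
                      if "configMap" in v or "secret" in v}
    found = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for vm in c.get("volumeMounts", []):
            if vm.get("subPath") and vm["name"] in config_volumes:
                found.append((c["name"], vm["mountPath"]))
    return found


if __name__ == "__main__":
    stamped = stamp_pod_template(SAMPLE_DEPLOYMENT, config_checksum(APP_CONFIG))
    print(json.dumps(stamped["spec"]["template"]["metadata"], indent=2))
    changed = dict(APP_CONFIG, data={**APP_CONFIG["data"], "LOG_LEVEL": "debug"})
    print("rollout needed after change:", rollout_needed(stamped, changed))
    print("subPath mounts:", subpath_mounts(stamped["spec"]["template"]["spec"]))
```

Run the stamping step in whatever renders your manifests (a CI job, a kustomize or Helm post-processing hook) so that the ConfigMap and the Deployment are applied together; applying the Deployment with a stale annotation just leaves the old pods running with the old values, which is exactly the situation the bullet above warns about.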