🔐 Never Hardcode Config in Container Images
Environment variables are okay. ConfigMap and Secrets are better. Separate config from code. Change without rebuild.
📝 ConfigMap
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config
data:
database.host: postgres-service
database.port: "5432"
app.properties: |
app.name=myapp
app.environment=production
log.level=info
# Use as environment variables
apiVersion: v1
kind: Pod
spec:
containers:
- name: myapp
env:
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: app-config
key: database.host
🔒 Secrets
# Create secret
kubectl create secret generic db-secret \
--from-literal=username=postgres \
--from-literal=password=supersecret
# secret.yaml (base64 encoded)
apiVersion: v1
kind: Secret
metadata:
name: db-secret
type: Opaque
data:
username: cG9zdGdyZXM= # echo -n 'postgres' | base64
password: c3VwZXJzZWNyZXQ= # echo -n 'supersecret' | base64
# Use in pod
spec:
containers:
- name: myapp
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: db-secret
key: username
💡 Best Practices
- Never commit secrets to Git
- Use external secret management (Vault, SealedSecrets)
- Mount ConfigMap as volume for config files
- Secrets are base64 encoded, not encrypted (use encryption at rest)
“Changed database password. Updated secret, restarted pods. No image rebuild. ConfigMap and Secrets are essential for configuration management.”
