🔐 Never Hardcode Config Again
API keys in code? Database passwords committed to Git? ConfigMaps and Secrets externalize all configuration.
ConfigMaps vs Secrets
📝 ConfigMaps
Non-sensitive configuration
- API endpoints
- Feature flags
- Environment settings
- Application config files
🔒 Secrets
Sensitive data (base64 encoded, which is not encryption; see "Encryption at rest" below)
- Database passwords
- API keys
- TLS certificates
- OAuth tokens
Creating ConfigMaps
```yaml
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  API_URL: "https://api.example.com"
  LOG_LEVEL: "info"
  MAX_CONNECTIONS: "100"
  FEATURE_FLAG_NEW_UI: "true"
```

```bash
# Create from YAML
kubectl apply -f configmap.yaml

# Or create from command line
kubectl create configmap app-config \
  --from-literal=API_URL=https://api.example.com \
  --from-literal=LOG_LEVEL=info

# From file
kubectl create configmap nginx-config \
  --from-file=nginx.conf
```
Creating Secrets
```yaml
# secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  DB_PASSWORD: cGFzc3dvcmQxMjM=  # base64 encoded
  API_KEY: YWJjZGVmZ2hpamtsbW5vcA==
```

```bash
# Create from command line
kubectl create secret generic app-secrets \
  --from-literal=DB_PASSWORD=password123 \
  --from-literal=API_KEY=abcdefghijklmnop
# Kubernetes automatically base64 encodes values
```
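A small manifest linter for three mistakes the workflow above invites: a sensitive key placed in a ConfigMap, a plaintext value under a Secret's `data:` (which must be base64, unlike `--from-literal`, which encodes for you), and a secret volume mounted without `readOnly`. This is an added example, not code from the original page; the objects are constructed Python dicts mirroring the manifests above, and the sensitive-key pattern is this example's own assumption.

```python
import base64
import binascii
import re

# Key names that suggest sensitive material; such keys belong in a Secret, never
# in a ConfigMap. The pattern is this example's assumption, not a Kubernetes rule.
SENSITIVE_KEY = re.compile(r"PASS|SECRET|TOKEN|API_KEY|PRIVATE|CERT", re.I)


def lint_manifest(obj):
    """Return a list of findings for one parsed ConfigMap, Secret or Pod object."""
    findings = []
    kind = obj.get("kind")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    if kind == "ConfigMap":
        for key in obj.get("data", {}):
            if SENSITIVE_KEY.search(key):
                findings.append(f"ConfigMap/{name}: key {key!r} looks sensitive, move it to a Secret")
    elif kind == "Secret":
        # Secret.data must hold base64; plaintext here is rejected or silently mangled.
        for key, value in obj.get("data", {}).items():
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                findings.append(f"Secret/{name}: data[{key!r}] is not base64, use stringData for plaintext")
    elif kind == "Pod":
        spec = obj.get("spec", {})
        secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
        for c in spec.get("containers", []):
            for m in c.get("volumeMounts", []):
                if m["name"] in secret_vols and not m.get("readOnly", False):
                    findings.append(f"Pod/{name}: secret volume {m['name']!r} is not mounted readOnly")
    return findings


# Constructed samples (what yaml.safe_load would give for the page's manifests), each with one mistake.
SAMPLE_CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "app-config"},
                    "data": {"API_URL": "https://api.example.com", "LOG_LEVEL": "info",
                             "DB_PASSWORD": "password123"}}  # mistake: password in a ConfigMap
SAMPLE_SECRET = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "app-secrets"},
                 "type": "Opaque", "data": {"DB_PASSWORD": "cGFzc3dvcmQxMjM=",
                                            "API_KEY": "my-api-key!"}}  # mistake: not base64
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "myapp"},
              "spec": {"containers": [{"name": "app", "image": "myapp:latest",
                                       "volumeMounts": [{"name": "config-volume", "mountPath": "/etc/config"},
                                                        {"name": "secret-volume", "mountPath": "/etc/secrets"}]}],
                       "volumes": [{"name": "config-volume", "configMap": {"name": "app-config"}},
                                   {"name": "secret-volume", "secret": {"secretName": "app-secrets"}}]}}
```

Run `lint_manifest` over each parsed object from `kubectl get ... -o json` or a manifest file; an empty list means the object passed all three checks.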
Using in Pods (Environment Variables)
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: app
    image: myapp:latest
    env:
    # From ConfigMap
    - name: API_URL
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: API_URL
    # From Secret
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: DB_PASSWORD
    # Load all ConfigMap and Secret keys as env vars
    envFrom:
    - configMapRef:
        name: app-config
    - secretRef:
        name: app-secrets
```
Using as Volume Mounts (Files)
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: app-config
  - name: secret-volume
    secret:
      secretName: app-secrets

# Files appear at:
#   /etc/config/API_URL
#   /etc/config/LOG_LEVEL
#   /etc/secrets/DB_PASSWORD
#   /etc/secrets/API_KEY
```
🔄 Update Configuration Live
```bash
# Edit ConfigMap
kubectl edit configmap app-config

# Or update from file
kubectl apply -f configmap.yaml

# Pods with mounted volumes see changes within ~60 seconds
# Pods with env vars need a restart to see changes
kubectl rollout restart deployment/myapp
```
✅ Best Practices
- Never commit secrets to Git: Use sealed-secrets or external secret managers
- Namespace secrets: Each namespace gets its own secrets
- RBAC: Restrict who can read secrets
- Encryption at rest: Enable in Kubernetes for production
- External managers: Consider HashiCorp Vault, AWS Secrets Manager for production
🎯 Real-World Example
```bash
# Development ConfigMap
kubectl create configmap app-config-dev \
  --from-literal=API_URL=https://dev-api.example.com \
  --from-literal=LOG_LEVEL=debug

# Production ConfigMap
kubectl create configmap app-config-prod \
  --from-literal=API_URL=https://api.example.com \
  --from-literal=LOG_LEVEL=error

# Same app, different config per environment
# Deploy uses app-config-dev or app-config-prod
```
“Removed all hardcoded config from images. Now same image runs in dev/staging/prod with different ConfigMaps. Changed API endpoint across 50 pods by editing one ConfigMap. No rebuild, no redeploy.”
📊 Benefits
- 0 secrets in Git
- 1 image, many environments
- ✓ Security
