Kubernetes ConfigMap and Secret management
Tags: configmap, secret, environment variables, volume mount, configuration
Problem
Need to manage application configuration and secrets in Kubernetes without hardcoding values in container images.
Solution
ConfigMaps for config, Secrets for sensitive data:
```yaml
# ConfigMap: non-sensitive configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
  API_PORT: "3000"
  config.yaml: |
    database:
      pool_size: 10
      timeout: 30s
---
# Secret: sensitive data (base64 encoded)
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  DATABASE_URL: cG9zdGdyZXM6Ly91c2VyOnBhc3NAZGIvYXBw  # base64
  API_KEY: c2VjcmV0LWtleS0xMjM=
---
# Using in a Pod
apiVersion: v1
kind: Pod
metadata:
  name: app  # a Pod manifest requires metadata.name
spec:
  containers:
    - name: app
      image: myapp:1.0
      # Individual env vars
      env:
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: DATABASE_URL
      # All keys as env vars
      envFrom:
        - configMapRef:
            name: app-config
        - secretRef:
            name: app-secrets
      # Mount as files
      volumeMounts:
        - name: config
          mountPath: /etc/app
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config
```

Best practices:
- Secrets are base64-encoded, NOT encrypted (use Sealed Secrets or external vault)
- ConfigMap changes trigger a pod restart only with proper setup
- Use `kubectl create secret generic` to avoid manual base64 encoding
Why
ConfigMaps and Secrets decouple configuration from container images, enabling the same image to run in different environments with different settings.
Gotchas
- Secrets are only base64-encoded, not encrypted at rest by default
- ConfigMap/Secret updates don't auto-restart pods - use a rolling update strategy
- Max size: 1MB per ConfigMap/Secret
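The base64 point from the best practices and gotchas above, as an added example that is not part of the original page: a minimal scanner for manifests kept in a repository that decodes every `data` entry of a `kind: Secret` document without needing any key. The function name and the line-based parsing are assumptions for illustration; the sample input is constructed from this page's manifests (trimmed).

```python
import base64
import re

# Constructed sample: the ConfigMap and Secret from this page, trimmed.
MANIFESTS = """\
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
---
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  DATABASE_URL: cG9zdGdyZXM6Ly91c2VyOnBhc3NAZGIvYXBw  # base64
  API_KEY: c2VjcmV0LWtleS0xMjM=
"""

ENTRY = re.compile(r"^\s+([\w.-]+):\s*([A-Za-z0-9+/=]+)\s*(?:#.*)?$")


def find_inline_secrets(text):
    """Return (secret, key, decoded) per data entry of each kind: Secret doc."""
    findings = []
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        if not re.search(r"^kind:\s*Secret\s*$", doc, flags=re.M):
            continue  # ConfigMaps and other kinds are out of scope here
        name = re.search(r"^metadata:\n\s+name:\s*(\S+)", doc, flags=re.M)
        in_data = False
        for line in doc.splitlines():
            if re.match(r"^\S", line):  # a new top-level key starts
                in_data = line.startswith("data:")
                continue
            m = ENTRY.match(line) if in_data else None
            if m:
                try:
                    value = base64.b64decode(m.group(2), validate=True)
                except ValueError:
                    continue  # not valid base64, nothing to report
                findings.append((name.group(1) if name else "?", m.group(1),
                                 value.decode("utf-8", "replace")))
    return findings


if __name__ == "__main__":
    for secret, key, value in find_inline_secrets(MANIFESTS):
        print(f"{secret}/{key}: decodes to {len(value)} chars, no key needed")
```

Any finding means the manifest itself carries the credential, which is the case Sealed Secrets or an external vault is meant to remove.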
Context
Kubernetes application configuration management