ConfigMaps & Secrets
Key Takeaways for AI & Readers
- Configuration Decoupling: Separate settings (ConfigMaps) and sensitive data (Secrets) from application code to maintain portability.
- Security Awareness: Secrets are only Base64 encoded by default; true security requires enabling "Encryption at Rest" in the Control Plane.
- Update Mechanisms: Changes to environment variables require a Pod restart, while changes to volume-mounted configs eventually propagate to the Pod's filesystem.
Decoupling configuration from application code is a key principle of Cloud Native development. You should never bake passwords or config files into your Docker image.
1. ConfigMap
[Diagram: a ConfigMap (YAML) is injected into a running Pod container; running `env` inside the container shows DB_HOST=db.prod.local and LOG_LEVEL=info alongside the container's own HOSTNAME and HOME variables.]
Notice: When you change the ConfigMap, the Pod must often restart to pick up new Environment Variables.
ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable.
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-config
data:
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
2. Secret
Secrets are used to store small amounts of sensitive data such as passwords, OAuth tokens, and SSH keys.
- Encryption: Secrets are stored base64 encoded (not encrypted!) by default. You must enable Encryption at Rest in etcd for true security.
- Usage: Mounted as files or environment variables, similar to ConfigMaps.
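What "enabling Encryption at Rest" looks like in practice, as an added example that is not part of the original page: an EncryptionConfiguration file for the kube-apiserver. The file lives on the control-plane node (it is not a cluster object you apply with kubectl) and is passed with `--encryption-provider-config=/path/to/file`. The key value is a placeholder; generate your own.

```yaml
# EncryptionConfiguration for the kube-apiserver (added example, not from the
# original page). Referenced via --encryption-provider-config on the apiserver.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets              # encrypt Secret objects before they are written to etcd
    providers:
      # The first provider is used for writes; every provider is tried for reads.
      - aescbc:
          keys:
            - name: key1
              # PLACEHOLDER: replace with a random 32-byte key, base64 encoded
              # (for example: head -c 32 /dev/urandom | base64)
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY
      # identity means "no encryption". Listing it LAST lets the apiserver still
      # read Secrets stored before encryption was switched on; listing it FIRST
      # would silently write new Secrets in the clear.
      - identity: {}
```

Secrets written before the change stay plaintext in etcd until they are rewritten, which `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` does in one pass; afterwards a raw `etcdctl get` of a Secret key shows a `k8s:enc:aescbc:v1:key1:` prefix instead of readable YAML. Encryption at rest protects the etcd data files and backups, not the API: the apiserver decrypts transparently for any identity whose RBAC allows `get` on Secrets, so RBAC scoping remains the other half of the control.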
Best Practices
- Immutable: Treat config as immutable. If config changes, redeploy the app.
- Updates (The Big Difference):
  - Environment Variables: If you change a ConfigMap, Pods using it as env vars will NOT update. You must restart the pod.
  - Volume Mounts: If you mount a ConfigMap as a volume, Kubernetes eventually updates the files inside the pod (within ~1 minute). If your app is programmed to watch for file changes, it can reload without a restart.
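The two update behaviours side by side, as an added example rather than manifests from the original page: the `game-config` ConfigMap above is consumed once as environment variables and once as a volume, next to a Secret consumed the same way. The Secret value, the Pod name, the image and the `game-secret` name are constructed for the example.

```yaml
# Added example (not from the original page). Apply all three documents, then
# edit the ConfigMap and watch the Pod's log to see which value changes.
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-config
# immutable: true   # optional: the API server rejects later edits, so a change
#                   # means a new ConfigMap plus a redeploy ("treat config as
#                   # immutable"). Once set, the field cannot be cleared.
data:
  player_initial_lives: "3"
  ui_properties_file_name: "user-interface.properties"
---
apiVersion: v1
kind: Secret
metadata:
  name: game-secret              # assumed name
type: Opaque
stringData:                      # plain text here; the API server base64-encodes it
  api_token: "constructed-example-token-not-a-real-credential"
---
apiVersion: v1
kind: Pod
metadata:
  name: game                     # assumed name
spec:
  containers:
    - name: game
      image: busybox:1.36        # assumed image
      # Prints the env var (fixed at start) and the file (refreshed) every 30s.
      command: ["sh", "-c",
        "while true; do echo env=$PLAYER_INITIAL_LIVES file=$(cat /etc/game/player_initial_lives); sleep 30; done"]
      env:
        # Resolved once, when the container starts. Editing the ConfigMap or the
        # Secret later does NOT change these; the Pod has to be restarted.
        - name: PLAYER_INITIAL_LIVES
          valueFrom:
            configMapKeyRef:
              name: game-config
              key: player_initial_lives
        - name: API_TOKEN
          valueFrom:
            secretKeyRef:
              name: game-secret
              key: api_token
      volumeMounts:
        # Projected as files. The kubelet refreshes them on its sync period
        # (typically within about a minute), so a process that re-reads the
        # file picks up the new value without a restart.
        - name: config-vol
          mountPath: /etc/game
          readOnly: true
        # Caveat: mounting a single key with subPath is a one-time copy and
        # never receives updates, even though it is a "volume mount":
        # - name: config-vol
        #   mountPath: /etc/game/lives
        #   subPath: player_initial_lives
  volumes:
    - name: config-vol
      configMap:
        name: game-config
```

After `kubectl apply -f` on the file, change `player_initial_lives` to `"5"` with `kubectl edit configmap game-config` and follow `kubectl logs -f game`: within about a minute the `file=` value becomes 5 while `env=` stays 3 until the Pod is recreated. The same Pod also makes the Secret caveat concrete: `kubectl get secret game-secret -o jsonpath='{.data.api_token}' | base64 -d` returns the token in the clear to anyone whose RBAC allows reading the Secret, which is why encryption at rest and tight read access go together.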