Kubernetes From Zero to Hero – Part 8: ConfigMaps and Secrets – Managing Application Configuration the Right Way

Manas UpadhyayManas Upadhyay
3 min read

Recap: What We Learned Previously

In our previous blog, we:

  • Introduced Ingress and Ingress Controllers

  • Understood how Ingress routes traffic based on paths or hostnames

  • Deployed an Ingress Controller to expose multiple services under the same domain (e.g., /web, /api)

  • Built a clean routing setup for real-world apps

Now that your applications are exposed and accessible, let’s talk about something equally important:

How do you pass configuration or sensitive data to your applications securely and cleanly?

Welcome to the world of ConfigMaps and Secrets.


Why Do We Need ConfigMaps and Secrets?

Imagine you have:

  • A backend app that needs an ENV=production

  • A frontend that calls an API using a base URL

  • A database password that must not be hardcoded

Instead of baking values like these into the container image, Kubernetes allows you to:

  • Decouple configuration from code

  • Manage environment-specific variables separately

  • Keep sensitive data encrypted


What is a ConfigMap?

ConfigMap is a Kubernetes object used to store non-sensitive key-value pairs:

  • Environment variables

  • App settings

  • URLs, paths, feature flags

Sample ConfigMap YAML

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-app-config
data:
  ENV: "production"
  BASE_URL: "https://api.myapp.com"

Apply it:

kubectl apply -f configmap.yaml

Use ConfigMap in a Pod (via env)

env:
  - name: ENV
    valueFrom:
      configMapKeyRef:
        name: my-app-config
        key: ENV

Or mount as a volume:

volumeMounts:
  - name: config-volume
    mountPath: /etc/config
volumes:
  - name: config-volume
    configMap:
      name: my-app-config

What is a Secret?

Secret is like a ConfigMap, but for sensitive data:

  • API keys

  • Passwords

  • Tokens

  • Certificates

Kubernetes stores Secrets base64-encoded and can be encrypted at rest.

Sample Secret YAML

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  DB_USER: YWRtaW4=
  DB_PASSWORD: c2VjcmV0MTIz

Use Secret in a Pod

env:
  - name: DB_USER
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: DB_USER

Or mount as a file:

volumeMounts:
  - name: secret-volume
    mountPath: /etc/secret
volumes:
  - name: secret-volume
    secret:
      secretName: db-secret

Best Practices

PracticeWhy It Matters
Don’t commit Secrets to GitSecrets are sensitive and should stay out
Use tools like SealedSecretsEncrypt Secrets in CI/CD pipelines
Use kubectl edit secret carefullyAvoid exposing secrets in plain text
Use RBACLimit who can access/edit Secrets

Quick Hands-On Example

Step 1: Create a ConfigMap & Secret

kubectl create configmap app-config --from-literal=APP_MODE=debug
kubectl create secret generic my-secret --from-literal=token=abc123

Step 2: Deploy Sample App

env:
  - name: APP_MODE
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: APP_MODE
  - name: TOKEN
    valueFrom:
      secretKeyRef:
        name: my-secret
        key: token

Deploy and verify using:

kubectl exec -it <pod-name> -- printenv

Summary

ComponentUse ForSecure?
ConfigMapNon-sensitive config
SecretSensitive credentials

Kubernetes gives you flexibility to manage environment variables, secrets, and runtime configs across environments, with security and structure.


Coming Up Next

In the next blog, we will:

  • Dive into Helm – the Kubernetes package manager

  • Learn how to template, version, and deploy apps like pros

  • Explore real-world use cases with charts

Let Kubernetes start feeling like home with Helm

0
Subscribe to my newsletter

Read articles from Manas Upadhyay directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Manas Upadhyay
Manas Upadhyay

I am an experienced AWS Cloud and DevOps Architect with a strong background in designing, deploying, and managing cloud infrastructure using modern automation tools and cloud-native technologies.