Kubernetes From Zero to Hero – Part 8: ConfigMaps and Secrets – Managing Application Configuration the Right Way
Manas Upadhyay
Recap: What We Learned Previously
In our previous blog, we:
Introduced Ingress and Ingress Controllers
Understood how Ingress routes traffic based on paths or hostnames
Deployed an Ingress Controller to expose multiple services under the same domain (e.g., /web, /api)
Built a clean routing setup for real-world apps
Now that your applications are exposed and accessible, let’s talk about something equally important:
How do you pass configuration or sensitive data to your applications securely and cleanly?
Welcome to the world of ConfigMaps and Secrets.
Why Do We Need ConfigMaps and Secrets?
Imagine you have:
A backend app that needs an ENV=production
A frontend that calls an API using a base URL
A database password that must not be hardcoded
Instead of baking values like these into the container image, Kubernetes allows you to:
Decouple configuration from code
Manage environment-specific variables separately
Keep sensitive data encrypted
What is a ConfigMap?
ConfigMap is a Kubernetes object used to store non-sensitive key-value pairs:
Environment variables
App settings
URLs, paths, feature flags
Sample ConfigMap YAML
apiVersion: v1
kind: ConfigMap
metadata:
name: my-app-config
data:
ENV: "production"
BASE_URL: "https://api.myapp.com"
Apply it:
kubectl apply -f configmap.yaml
Use ConfigMap in a Pod (via env)
env:
- name: ENV
valueFrom:
configMapKeyRef:
name: my-app-config
key: ENV
Or mount as a volume:
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: my-app-config
What is a Secret?
Secret is like a ConfigMap, but for sensitive data:
API keys
Passwords
Tokens
Certificates
Kubernetes stores Secrets base64-encoded and can be encrypted at rest.
Sample Secret YAML
apiVersion: v1
kind: Secret
metadata:
name: db-secret
type: Opaque
data:
DB_USER: YWRtaW4=
DB_PASSWORD: c2VjcmV0MTIz
Use Secret in a Pod
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: db-secret
key: DB_USER
Or mount as a file:
volumeMounts:
- name: secret-volume
mountPath: /etc/secret
volumes:
- name: secret-volume
secret:
secretName: db-secret
Best Practices
| Practice | Why It Matters |
| Don’t commit Secrets to Git | Secrets are sensitive and should stay out |
| Use tools like SealedSecrets | Encrypt Secrets in CI/CD pipelines |
| Use kubectl edit secret carefully | Avoid exposing secrets in plain text |
| Use RBAC | Limit who can access/edit Secrets |
Quick Hands-On Example
Step 1: Create a ConfigMap & Secret
kubectl create configmap app-config --from-literal=APP_MODE=debug
kubectl create secret generic my-secret --from-literal=token=abc123
Step 2: Deploy Sample App
env:
- name: APP_MODE
valueFrom:
configMapKeyRef:
name: app-config
key: APP_MODE
- name: TOKEN
valueFrom:
secretKeyRef:
name: my-secret
key: token
Deploy and verify using:
kubectl exec -it <pod-name> -- printenv
Summary
| Component | Use For | Secure? |
| ConfigMap | Non-sensitive config | ❌ |
| Secret | Sensitive credentials | ✅ |
Kubernetes gives you flexibility to manage environment variables, secrets, and runtime configs across environments, with security and structure.
Coming Up Next
In the next blog, we will:
Dive into Helm – the Kubernetes package manager
Learn how to template, version, and deploy apps like pros
Explore real-world use cases with charts
Let Kubernetes start feeling like home with Helm
Subscribe to my newsletter
Read articles from Manas Upadhyay directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Manas Upadhyay
Manas Upadhyay
I am an experienced AWS Cloud and DevOps Architect with a strong background in designing, deploying, and managing cloud infrastructure using modern automation tools and cloud-native technologies.