8th Week :- Secure and Configure Your Kubernetes Apps Using Secrets & ConfigMaps

Lav kushwaha

Secrets and ConfigMaps in Kubernetes: Complete Guide with YAML & Deployment

Kubernetes provides powerful tools to manage configuration and sensitive data separately from application code. Two of the most important ones are:

  • ConfigMaps – For non-sensitive, plain-text configuration data.

  • Secrets – For sensitive data like passwords, API keys, or certificates.

In this blog, we'll explore what they are, how they work, when to use them, and how to apply them in real-world scenarios using nginx in a deployment.


Why Use ConfigMaps and Secrets?

Problem:

Hardcoding configuration or sensitive credentials (like passwords or API keys) directly into application code or YAML files is insecure and rigid. It makes your applications harder to update and vulnerable to leaks.

Solution:

  • Use ConfigMaps for environment-specific or adjustable non-sensitive data.

  • Use Secrets to securely store sensitive data.


What is a ConfigMap?

A ConfigMap is a Kubernetes object used to inject non-sensitive configuration data into pods.

Use Cases:

  • App settings

  • External URLs

  • Feature flags

  • Default ports, paths, etc.

How it Works:

  • Can be mounted as files or used as environment variables.

  • Automatically injected into containers without changing your application code.


Example: ConfigMap YAML

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  site_name: "My Nginx Site"
  default_port: "80"

What is a Secret?

A Secret is like a ConfigMap but is meant for sensitive data, and the values under its data field must be base64-encoded.

Use Cases:

  • Database passwords

  • API tokens

  • TLS certificates

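Why base64?

Kubernetes expects the values under data in a Secret to be Base64-encoded so that arbitrary bytes, including binary material such as certificates, can be stored and transported safely inside the manifest. Base64 is an encoding, not encryption: anyone who can read the Secret object or its YAML file can decode the values.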


Example: Base64 Encoding

If you want to store this credential in a Secret:

username: admin
password: Pass1234

Encode them in a terminal:

echo -n "admin" | base64       # YWRtaW4=
echo -n "Pass1234" | base64    # UGFzczEyMzQ=

Example: Secret YAML

apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzczEyMzQ=

type: Opaque is for generic secrets like passwords and tokens.
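
Because Base64 is reversible without any key, a Secret manifest like the one above gives up its credentials to anyone who can read the file. The following shell script is an added example, not part of the original post: it decodes the data values of that manifest and provides a check a pre-commit hook or CI job could use. The helper names decode_secret_data and contains_inline_secret are hypothetical, and the parser assumes flat "key: value" lines under data, as in the sample.

```sh
#!/bin/sh
# Constructed sample: the Secret manifest from this post (secret.yaml).
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzczEyMzQ=
'

# decode_secret_data (hypothetical helper): read a manifest on stdin and print
# "key=plaintext" for every entry under `data:`. No key or password is needed,
# which is the point: Base64 gives no confidentiality.
# Assumes flat "key: value" lines under `data:`, as in the sample.
decode_secret_data() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }  # start of the data block
    /^[^ \t]/       { in_data = 0 }        # next top-level key ends it
    in_data && /^[ \t]+[^:]+:/ { key = $1; sub(/:$/, "", key); print key, $2 }
  ' | while read -r key b64; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# contains_inline_secret (hypothetical helper): succeed when stdin is a
# `kind: Secret` manifest that carries decodable values, so a pre-commit hook
# or CI job can keep such files out of version control.
contains_inline_secret() {
  manifest=$(cat)
  printf '%s\n' "$manifest" | grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' &&
    [ -n "$(printf '%s\n' "$manifest" | decode_secret_data)" ]
}

# Stand-alone run: show what the sample manifest reveals.
printf '%s' "$SAMPLE_SECRET" | decode_secret_data
if printf '%s' "$SAMPLE_SECRET" | contains_inline_secret; then
  echo "secret.yaml carries credentials: keep it out of git" >&2
fi
```
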


Deployment YAML Using ConfigMap and Secret

Let's now deploy an nginx pod that uses both our ConfigMap and Secret via environment variables.

Deployment YAML

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-app
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        env:
        - name: SITE_NAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: site_name
        - name: DEFAULT_PORT
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: default_port
        - name: ADMIN_USERNAME
          valueFrom:
            secretKeyRef:
              name: nginx-secret
              key: username
        - name: ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: nginx-secret
              key: password

How to Apply Everything

  1. Save your YAMLs:

    • configmap.yaml

    • secret.yaml

    • deployment.yaml

  2. Apply using kubectl:

kubectl apply -f configmap.yaml
kubectl apply -f secret.yaml
kubectl apply -f deployment.yaml

  3. Verify:

kubectl get configmap
kubectl get secret
kubectl get deployment
kubectl get pods

  4. Check env variables in container (the Secret values appear here decoded, in plain text):

kubectl exec -it <nginx-pod-name> -- env

Summary Table

| Feature | ConfigMap | Secret |
| --- | --- | --- |
| Purpose | Store non-sensitive config | Store sensitive data |
| Encoding | Plaintext | Base64 |
| Use in Pod | Env vars, volumes | Env vars, volumes |
| CLI Command | kubectl create configmap | kubectl create secret generic |
| Mounted as | File or env | File or env |

Conclusion

Using ConfigMaps and Secrets improves your Kubernetes application's security, flexibility, and separation of concerns. They are essential components in building production-grade cloud-native applications.
