8th Week :- Secure and Configure Your Kubernetes Apps Using Secrets & ConfigMaps

Secrets and ConfigMaps in Kubernetes: Complete Guide with YAML & Deployment
Kubernetes provides powerful tools to manage configuration and sensitive data separately from application code. Two of the most important ones are:
ConfigMaps: For non-sensitive, plain-text configuration data.
Secrets: For sensitive data like passwords, API keys, or certificates.
In this blog, we'll explore what they are, how they work, when to use them, and how to apply them in real-world scenarios using nginx in a deployment.
Why Use ConfigMaps and Secrets?
Problem:
Hardcoding configuration or sensitive credentials (like passwords or API keys) directly into application code or YAML files is insecure and rigid. It makes your applications harder to update and vulnerable to leaks.
Solution:
Use ConfigMaps for environment-specific or adjustable non-sensitive data.
Use Secrets to securely store sensitive data.
What is a ConfigMap?
A ConfigMap is a Kubernetes object used to inject non-sensitive configuration data into pods.
Use Cases:
App settings
External URLs
Feature flags
Default ports, paths, etc.
How it Works:
Can be mounted as files or used as environment variables.
Automatically injected into containers without changing your application code.
Example: ConfigMap YAML
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  site_name: "My Nginx Site"
  default_port: "80"
What is a Secret?
A Secret is like a ConfigMap but is meant for sensitive data, and the values under data must be base64-encoded.
Use Cases:
Database passwords
API tokens
TLS certificates
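Why base64?
Kubernetes expects the values under data in a Secret to be encoded using Base64 so that arbitrary values, including binary ones such as certificates, can be stored and transported safely inside the manifest. Base64 is an encoding, not encryption: anyone who can read the Secret can decode it.
Example: Base64 Encoding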
If you want to store this credential in a Secret:
username: admin
password: Pass1234
Encode them using terminal:
echo -n "admin" | base64 # YWRtaW4=
echo -n "Pass1234" | base64 # UGFzczEyMzQ=
Example: Secret YAML
apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzczEyMzQ=
type: Opaque is for generic secrets like passwords and tokens.
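An added example, not from the original post: a small shell audit for the data: values of a Secret manifest like the one above. It shows that the values decode directly and flags one that was encoded with a trailing newline (plain echo instead of echo -n); the function names and the sample manifest are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit the data: values of a Secret manifest.
# Function names and SAMPLE_SECRET are constructed for illustration.

# Encode exactly the bytes given; printf '%s' adds no newline (same as echo -n).
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Classify one data: value as "clean", "trailing-newline" or "invalid".
classify_value() {
  # Reject values that do not decode as Base64.
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || { echo invalid; return 0; }
  # Inspect the raw bytes as hex: $(...) alone would silently strip a final newline.
  _hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
  case "$_hex" in
    *0a) echo trailing-newline ;;  # newline became part of the stored credential
    *)   echo clean ;;
  esac
}

# Read a flat Secret manifest on stdin and print "<key> <status>" per data: entry.
audit_secret() {
  awk '/^data:/ {d=1; next} /^[^ ]/ {d=0} d && NF==2 {sub(":", "", $1); print $1, $2}' |
  while read -r key value; do
    printf '%s %s\n' "$key" "$(classify_value "$value")"
  done
}

# Constructed sample: the password was produced with `echo "Pass1234" | base64`.
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzczEyMzQK'

printf '%s\n' "$SAMPLE_SECRET" | audit_secret
```

A value flagged trailing-newline still applies without error, but the application receives the password with a newline appended and authentication fails.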
Deployment YAML Using ConfigMap and Secret
Let's now deploy an nginx pod that uses both our ConfigMap and Secret via environment variables.
Deployment YAML
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-app
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
          env:
            - name: SITE_NAME
              valueFrom:
                configMapKeyRef:
                  name: nginx-config
                  key: site_name
            - name: DEFAULT_PORT
              valueFrom:
                configMapKeyRef:
                  name: nginx-config
                  key: default_port
            - name: ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: nginx-secret
                  key: username
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nginx-secret
                  key: password
How to Apply Everything
- Save your YAMLs:
  configmap.yaml
  secret.yaml
  deployment.yaml
- Apply using kubectl:
  kubectl apply -f configmap.yaml
  kubectl apply -f secret.yaml
  kubectl apply -f deployment.yaml
- Verify:
  kubectl get configmap
  kubectl get secret
  kubectl get deployment
  kubectl get pods
- Check env variables in container (this prints the Secret values, including ADMIN_PASSWORD, in plain text):
  kubectl exec -it <nginx-pod-name> -- env
Summary Table
| Feature | ConfigMap | Secret |
|---|---|---|
| Purpose | Store non-sensitive config | Store sensitive data |
| Encoding | Plaintext | Base64 |
| Use in Pod | Env vars, volumes | Env vars, volumes |
| CLI Command | kubectl create configmap | kubectl create secret generic |
| Mounted as | File or env | File or env |
Conclusion
Using ConfigMaps and Secrets improves your Kubernetes application's security, flexibility, and separation of concerns. They are essential components in building production-grade cloud-native applications.
Written by Lav kushwaha
