🏷️ Use ConfigMaps and Secrets to configure applications

ConfigMaps and Secrets

ConfigMaps and Secrets are Kubernetes objects used to manage configuration data and sensitive information separately from application code, enhancing portability, security, and flexibility. ConfigMaps store non-sensitive data like environment variables, configuration files, or feature flags in plain text, while Secrets store sensitive data such as passwords, API keys, or TLS certificates in base64-encoded form. Base64 is an encoding, not encryption: it provides only a basic level of obfuscation, and anyone who can read the Secret object can decode it.

  • ConfigMaps are designed for non-sensitive configuration data, allowing configuration to be decoupled from application code so that the same application can be adapted across environments like development, staging, and production. They can be injected into pods as environment variables or mounted as volumes, and are created using kubectl create configmap or a YAML manifest.

  • Secrets are specifically intended for storing sensitive information, such as database credentials, OAuth tokens, or private keys. Their values are base64-encoded by default, which keeps the raw value out of plain sight in manifests and command output but is not a confidentiality control. Secrets are not encrypted at rest in etcd by default, but they can be placed under tighter access controls than ConfigMaps, and they are consumed the same way: injected into pods via environment variables or mounted files. The kubectl create secret command can be used to create Secrets from literals or files.

Both objects share similarities, including a 1MB size limit, storage in etcd, and the ability to be used with environment variables or mounted volumes, but their primary distinction lies in the sensitivity of the data they handle.
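
To make the base64 point above concrete, the following added example (not part of the original page) decodes every value in the data: block of a Secret manifest using nothing but awk and base64. The Secret name guisam-secret, its keys and its values are constructed for the illustration.

```shell
#!/bin/sh
# Added example: names and values below are constructed, not from the page.

# A Secret manifest shaped like the output of
#   kubectl create secret generic guisam-secret --from-literal=... \
#     --dry-run=client -o yaml
# (guisam-secret, db.password and api.token are hypothetical).
secret_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: guisam-secret
type: Opaque
data:
  db.password: czNjcjN0LXBhc3M=
  api.token: dG9rLTEyMzQ1
EOF
}

# Read a Secret manifest on stdin and print "key=value" for each entry
# of the top-level data: block. No key or credential is needed: the
# values are only base64-encoded.
decode_secret_data() {
  awk '
    /^data:/           { in_data = 1; next }  # start of the data: block
    /^[^ ]/            { in_data = 0 }        # next top-level key ends it
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

secret_manifest | decode_secret_data
```

The protection of a Secret therefore comes from RBAC on the Secret resource and from enabling encryption at rest for etcd, not from the encoding. A Secret manifest committed to version control should be treated as exposing the values in clear.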

Create configmap

Create and populate a configmap with variables. In the commands below, kb is a shell alias for kubectl.

ᐅ kb create configmap guisam-cm --dry-run=client -o yaml > guisam-cm.yaml
ᐅ cat <<EOF >> guisam-cm.yaml
data:
  param.size: "100"
  param.model: the best one
  param.text: |
    first: line
    second: line
EOF
ᐅ kb apply -f guisam-cm.yaml

Use configmap as variable

Create a deployment and use one configmap key…

ᐅ kb create deploy guisamweb \
--dry-run=client --image=nginx:alpine \
--replicas=2 --port=80 \
-o yaml > guisamweb.yaml
ᐅ diff -u guisamweb.yaml{.before,}
--- guisamweb.yaml.before       2025-10-09 19:33:02.363674520 +0200
+++ guisamweb.yaml      2025-10-09 19:38:33.561210622 +0200
@@ -21,4 +21,10 @@
         ports:
         - containerPort: 80
         resources: {}
+        env:
+        - name: MYSIZE
+          valueFrom:
+            configMapKeyRef:
+              name: guisam-cm
+              key: param.size
 status: {}
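
Review bot: the configMapKeyRef under MYSIZE has no optional field, so the container will not start if guisam-cm or its param.size key is missing when the pod is created. That fail-closed behaviour is usually right for a required setting, so apply the ConfigMap before the Deployment, or add optional: true if the application has a safe default. A value injected through env is also read once at container start, so a later edit to guisam-cm needs a rollout restart before MYSIZE changes.
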
ᐅ kb exec -it guisamweb-598598b5fd-2nxx6 -- sh -c 'echo "$MYSIZE"'
100
ᐅ diff -u guisamweb.yaml{.before,}
--- guisamweb.yaml.before       2025-10-09 19:33:02.363674520 +0200
+++ guisamweb.yaml      2025-10-09 19:45:46.310521168 +0200
@@ -21,4 +21,7 @@
         ports:
         - containerPort: 80
         resources: {}
+        envFrom:
+        - configMapRef:
+            name: guisam-cm
 status: {}
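
Review bot: envFrom with configMapRef and no prefix turns every key of guisam-cm into an environment variable, so anyone who can edit that ConfigMap chooses variable names in the container, including keys added later that nobody reviewed against this Deployment. Prefer explicit env entries with configMapKeyRef for the keys the application needs, or add a prefix: to the envFrom entry. The dotted keys (param.size, param.model, param.text) are also not valid shell variable names, so they cannot be read as $param.size inside the container.
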
ᐅ kb exec -it deploy/guisamweb -- sh -c "awk '/line|param/' <(env)"
param.size=100
param.model=the best one
param.text=first: line
second: line

Use configmap as volume

ᐅ diff -u guisamweb.yaml{.before,}
--- guisamweb.yaml.before       2025-10-09 19:33:02.363674520 +0200
+++ guisamweb.yaml      2025-10-09 20:08:25.762699120 +0200
@@ -21,4 +21,11 @@
         ports:
         - containerPort: 80
         resources: {}
+        volumeMounts:
+        - name: param-vol
+          mountPath: /etc/params
+      volumes:
+      - name: param-vol
+        configMap:
+          name: guisam-cm
 status: {}
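
Review bot: the volumes entry for param-vol has no items list, so every key in guisam-cm is projected as a file under /etc/params, including keys added to the ConfigMap later. List the needed keys under items: and set readOnly: true on the volumeMount so the intent is visible in the manifest. If the files should not be world-readable, set defaultMode on the configMap volume as well.
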
ᐅ kb exec -it deploy/guisamweb -- sh -c "ls -tr1 /etc/params/;cat /etc/params/param.*"
param.text
param.size
param.model
the best one100first: line
second: line