ConfigMaps and Secrets: Managing Application Configurations

When running applications in Kubernetes, configuration management is a critical component. Instead of hardcoding configuration details or sensitive information (like passwords and API keys) into your containers, Kubernetes provides two key objects: ConfigMaps and Secrets. These objects allow you to externalize configuration and sensitive data from your application code, offering flexibility, scalability, and security.

In this article, we'll explore ConfigMaps for handling non-sensitive data and Secrets for managing sensitive information, and how both of these can be used effectively to manage application configurations.

What is a ConfigMap?

ConfigMaps are Kubernetes objects used to store non-sensitive data in the form of key-value pairs. They allow developers to separate configuration details from container images, which makes it easier to manage and modify configuration across different environments without changing the application code.

Common Uses for ConfigMaps

• Environment variables (e.g., database URLs, app modes like development or production)
• Command-line arguments for applications
• Configuration files (e.g., JSON, XML, INI)
• Shell scripts

By externalizing configuration data, you can reuse container images across environments (development, staging, production) while modifying only the external configurations stored in ConfigMaps.

Creating a ConfigMap

You can create a ConfigMap from the command line or define it in a YAML file. Here’s an example of a ConfigMap YAML file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  # Key-value pairs
  APP_MODE: "production"
  LOG_LEVEL: "info"

  # Storing an entire configuration file
  config.json: |
    {
      "setting1": "value1",
      "setting2": "value2"
    }
        

This ConfigMap defines key-value pairs for application mode and log level, along with a sample config.json file.

To apply this ConfigMap, run:

kubectl apply -f configmap.yaml        

Using ConfigMaps in a Pod

ConfigMaps can be injected into Pods in multiple ways, making them highly flexible for managing configuration:

1. As Environment Variables You can inject key-value pairs from a ConfigMap directly into the environment variables of a container:

env:
- name: APP_MODE
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: APP_MODE
        

2. As VolumesYou can mount ConfigMaps as files inside a container. This is useful when you want to manage configuration files externally and make them available to your application as files.

volumes:
  - name: config-volume
    configMap:
      name: app-config
containers:
  - name: app-container
    volumeMounts:
      - mountPath: "/etc/config"
        name: config-volume
        

In this example, the config.json file will be available to the application at /etc/config/config.json.

What is a Secret?

Secrets are similar to ConfigMaps, but they are specifically designed to store sensitive information, such as passwords, API tokens, SSH keys, and certificates. The primary difference between ConfigMaps and Secrets is that Secrets are base64-encoded and can be encrypted, offering an additional layer of security.

Common Uses for Secrets

• Storing credentials (database passwords, API keys)
• TLS certificates
• Sensitive configuration files

By externalizing sensitive data from your container images, you reduce the risk of accidentally exposing this data in source control or container registries.

Creating a Secret

You can create Secrets from the command line by encoding values in base64 or defining them in a YAML file. Here’s an example of a Secret YAML definition:

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  password: bXlwYXNzd29yZA==  # "mypassword" encoded in base64
  api-key: YXBpLWNvbmZpZy1rZXk=  # "api-config-key" encoded in base64
        

To apply this Secret, run:

kubectl apply -f secret.yaml
        

To manually encode your sensitive values, use the base64 command:

echo -n 'mypassword' | base64
        

Using Secrets in a Pod

Like ConfigMaps, Secrets can also be injected into Pods in different ways:

1. As Environment Variables You can reference a Secret in the environment variables of your container. Kubernetes will automatically decode the base64-encoded values when injecting them:

env:
- name: PASSWORD
  valueFrom:
    secretKeyRef:
      name: app-secret
      key: password
        

2. As VolumesYou can also mount Secrets as files in your container. This is useful for sensitive configuration files or certificates.

volumes:
  - name: secret-volume
    secret:
      secretName: app-secret
containers:
  - name: app-container
    volumeMounts:
      - mountPath: "/etc/secret"
        name: secret-volume
        

In this case, the Secret will be available as files under /etc/secret, with each key in the Secret represented as a file.

Best Practices for Managing Secrets Securely

When managing sensitive data in Kubernetes, it's essential to follow security best practices to minimize risks:

1. Use Role-Based Access Control (RBAC): Ensure that only authorized users and service accounts can access Secrets by implementing proper RBAC policies.
2. Enable Encryption at Rest: Kubernetes stores Secrets in etcd, its distributed key-value store. Make sure that etcd is configured to encrypt Secrets at rest to prevent unauthorized access to your sensitive data.
3. External Secret Management: For even greater security, you can integrate Kubernetes with external secret management systems like HashiCorp Vault, AWS Secrets Manager, or Google Cloud's Secret Manager. These systems allow for more sophisticated handling of sensitive information, such as automatic key rotation and fine-grained access control.
4. Avoid Hardcoding Sensitive Data: Never hardcode sensitive information like passwords or API keys in container images or source code. Use Secrets to decouple sensitive data from your application logic.

Kubernetes makes configuration management more flexible and secure through ConfigMaps and Secrets. ConfigMaps allow you to manage non-sensitive configuration data separately from your application logic, while Secrets ensure that sensitive information is securely handled. By leveraging these objects, you can simplify your application deployments, improve security, and better manage application configurations across multiple environments.

As you adopt Kubernetes for managing applications at scale, mastering the use of ConfigMaps and Secrets will be essential for keeping your configurations clean, reusable, and secure.