Browse Courses

Config Map and Secrets

July 18, 2025 4 min read Configuration DevOps Containers Docs IBM-DevOps Configmap Environment-Variables

Explains Kubernetes ConfigMaps and Secrets, their characteristics, creation methods, and usage for managing configuration and sensitive data in deployments.

On this page

This document explains how Kubernetes ConfigMaps and Secrets enable separation of configuration and sensitive data from application code. It covers their characteristics, creation methods, and best practices for securely managing environment variables and application settings in containerized deployments.

Introduction to ConfigMaps and Secrets

Kubernetes ConfigMaps and Secrets are API objects designed to decouple configuration and sensitive data from application code. ConfigMaps store non-confidential key-value pairs, while Secrets are intended for sensitive information and provide encoding for security.

Key Characteristics of ConfigMaps

A ConfigMap stores non-sensitive configuration data as key-value pairs. It is reusable across multiple deployments, helping to avoid hard-coding configuration variables in application code. ConfigMaps are not encrypted and should not be used for confidential data. The maximum size for a ConfigMap is 1MB; for larger data, use volumes or external storage.

  • ConfigMaps provide configuration data to pods and deployments.
  • They have optional data and binaryData fields, but no spec field.
  • The ConfigMap name must be a valid DNS subdomain name.

Creating ConfigMaps

There are three main ways to create a ConfigMap:

1. Using String Literals

You can create a ConfigMap directly from the command line by specifying key-value pairs:

1kubectl create configmap myconfig --from-literal=message="hello from the config file"

2. Using a Properties File

A properties file contains environment variables in key=value format. This is useful for managing multiple variables:

1message=hello from the my.properties file

Create the ConfigMap from the file:

1kubectl create configmap myconfig --from-file=my.properties

3. Using a YAML Descriptor File

You can define a ConfigMap in a YAML file and apply it:

1apiVersion: v1
2kind: ConfigMap
3metadata:
4  name: myconfig
5data:
6  message: hello from the config file

Apply the file:

1kubectl apply -f my-config.yaml

Consuming ConfigMaps in Deployments

ConfigMaps can be consumed by pods or deployments in two main ways:

  • As environment variables using the envFrom or valueFrom attribute in the deployment descriptor.
  • By mounting as files using the volumes plugin.

Example: Using an environment variable in a deployment descriptor:

1env:
2  - name: message
3    valueFrom:
4      configMapKeyRef:
5        name: myconfig
6        key: message

In application code (e.g., Node.js):

1console.log(process.env.message)

Advanced ConfigMap Usage

  • You can load an entire directory into a ConfigMap using the --from-file flag with a directory path.
  • To load a specific file with a custom key: --from-file=customKey=filename.
  • Use kubectl describe configmap myconfig to view details.

Introduction to Secrets

Kubernetes Secrets are used to store sensitive data, such as credentials or API keys. Secrets are encoded (not encrypted) and should be used for confidential information.

Creating and Using Secrets

1. Using String Literals

1kubectl create secret generic api-creds --from-literal=API_CREDS=myapikey

2. Using Environment Variables in Deployment

Add the secret as an environment variable in the deployment descriptor:

1env:
2  - name: API_CREDS
3    valueFrom:
4      secretKeyRef:
5        name: api-creds
6        key: API_CREDS

In application code:

1console.log(process.env.API_CREDS)

3. Using Volume Mounts

Secrets can be mounted as files in a container:

1volumes:
2  - name: api-creds
3    secret:
4      secretName: api-creds
5containers:
6  - name: app
7    volumeMounts:
8      - name: api-creds
9        mountPath: /etc/API

Conclusion

Kubernetes ConfigMaps and Secrets provide flexible and secure ways to manage configuration and sensitive data for containerized applications. By separating configuration from code, they enable easier updates and improved security practices.

FAQ

A ConfigMap is an API object that stores non-confidential data as key-value pairs, allowing configuration to be separated from application code and reused across deployments.

  1. To store application logs
  2. To store sensitive data such as credentials or API keys in an encoded format
  3. To manage network policies
  4. To define pod resource limits
(2) Secrets are designed to store sensitive information, such as credentials or API keys, in an encoded format for use by applications.

A ConfigMap can be consumed by a deployment as environment variables using the valueFrom attribute or by mounting it as files using the volumes plugin.

The maximum size for a ConfigMap is 1 megabyte. For larger data, use volumes or external storage.

  1. Using string literals
  2. Using a properties file
  3. Using a YAML descriptor file
  4. Using a Dockerfile
(4) ConfigMaps cannot be created using a Dockerfile.

The secret is made available as files in the specified directory, allowing the application to read sensitive data securely from the file system.

MethodDescription
A. String1. Create directly from key-value pairs
B. Properties2. Use a file with key=value lines
C. YAML3. Define the ConfigMap in a YAML file
A-1, B-2, C-3.

ConfigMaps are for non-sensitive configuration data, while Secrets are for sensitive information that requires encoding.

ConfigMaps and Secrets help decouple configuration and sensitive data from application code in Kubernetes.

True. This separation allows for easier updates and improved security practices.
Rolling Updates
Service Binding