Environments (ConfigMap) and Secrets

There are 3 ways to set environment variables and secrets in Kubernetes:

Key-value pair format — directly in the Pod spec
ConfigMap — stored as a Kubernetes API object
Secrets — for confidential data, base64-encoded

Key-Value Pair Format

pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: my-ubuntu
spec:
  containers:
    - name: my-ubuntu
      image: ubuntu
      env:
        - name: URL
          value: https://karchunt.com
        - name: APP_NAME
          value: karchunt-ubuntu

ConfigMap

ConfigMap stores configuration data as a Kubernetes API object, similar in concept to key-value pairs but more reusable across pods.

kubectl get configmap

Creating a ConfigMap

Imperative
Declarative

# From key-value pairs
kubectl create configmap <config-name> --from-literal=<key>=<value>
kubectl create configmap api-config --from-literal=port=8080

# From a file
kubectl create configmap <config-name> --from-file=<path-to-file>
kubectl create configmap api-config --from-file=.env

When creating from a file, each line must follow the format <name>=<value>:

.env

port=8080
env=prod

api-config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: api-config
data:
  port: 8080
  env: prod

Using ConfigMap in a Pod

Entire ConfigMap
Single Value
As Volume

Inject all ConfigMap values as environment variables. The configMapRef.name must match the ConfigMap’s metadata.name.

api-party.yaml

apiVersion: v1
kind: Pod
metadata:
  name: api-party
spec:
  containers:
    - name: api-party
      image: api-party:0.1.0
      ports:
        - containerPort: 8080
      envFrom:
        - configMapRef:
            name: api-config

Inject only one specific value from a ConfigMap:

api-party.yaml

apiVersion: v1
kind: Pod
metadata:
  name: api-party
spec:
  containers:
    - name: api-party
      image: api-party:0.1.0
      ports:
        - containerPort: 8080
      env:
        - name: port
          valueFrom:
            configMapKeyRef:
              name: api-config  # ConfigMap name
              key: port         # Key under data section

A container using a ConfigMap as a subPath volume will not receive ConfigMap updates.

Mount a ConfigMap as files on the filesystem:

special-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: model-config
data:
  config.py: |
    config = {
      'url': 'http://localhost:8080'
    }
  special_file.txt: specialData

api-party.yaml

apiVersion: v1
kind: Pod
metadata:
  name: api-party
spec:
  containers:
    - name: api-party
      image: api-party:0.1.0
      volumeMounts:
        - name: config-volume
          mountPath: /app/src
  volumes:
    - name: config-volume
      configMap:
        name: model-config

This creates /app/src/config.py and /app/src/special_file.txt in the container.

Secrets

Secrets are only encoded (base64) and not encrypted in etcd. Enable encryption at rest in kube-apiserver.
Consider external secrets providers like HashiCorp Vault or AWS Secrets Manager.
Don’t check in Secret objects with data to SCM like GitHub.
Remember to set up RBAC (least-privileged access) since anyone in the same namespace can access Secret objects.

Secrets store confidential information like passwords, keys, or tokens. How Kubernetes manages secrets:

A secret is only sent to a node if a pod requires it.
The kubelet stores a copy of the secret in tmpfs (RAM disk) — not written to disk storage.
The kubelet deletes its local copy when the pod that depends on the secret is deleted.

kubectl get secrets

Built-in Secret Types

Type	Usage
`Opaque`	Arbitrary user-defined data
`kubernetes.io/service-account-token`	ServiceAccount token
`kubernetes.io/dockerconfigjson`	Serialized `~/.docker/config.json` file
`kubernetes.io/basic-auth`	Credentials for basic authentication
`kubernetes.io/ssh-auth`	Credentials for SSH authentication
`kubernetes.io/tls`	Data for a TLS client or server
`bootstrap.kubernetes.io/token`	Bootstrap token data

Creating Secrets

Imperative
Declarative (Opaque)
TLS
Basic Auth
SSH Auth

When using imperative commands, you don’t need to encode your data — the command handles it.

# Create generic (Opaque) secret from key-value pairs
kubectl create secret generic <secret-name> --from-literal=<key>=<value>
kubectl create secret generic api-secret --from-literal=token=yourtoken

# From a file
kubectl create secret generic <secret-name> --from-file=<path-to-file>
kubectl create secret generic api-secret --from-file=.env

# Container registry secret
kubectl create secret docker-registry secret-harbor \\
  [email protected] \\
  --docker-username=karchun \\
  --docker-password=mypassword \\
  --docker-server=harbor.registry.com

# Retrieve and decode registry secret
kubectl get secret secret-harbor -o jsonpath='{.data.*}' | base64 -d

# TLS secret
kubectl create secret tls <secret-name> --cert=<path-to-cert> --key=<path-to-key>
kubectl create secret tls tls-domain --cert="path.crt" --key="key.key"

Secrets must be stored in base64 format:

# Encode
echo -n 'password' | base64

# Decode
echo -n 'bXlzcWw=' | base64 --decode

api-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: api-secret
data:
  token: bXlzcWw=

Mandatory fields: tls.crt and tls.key

tls.yaml

apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  tls.crt: |
    abcoAI812hcnaik
    UUVCQlFVQU1Jada
    bkkxWHgKRHanca1
  tls.key: |
    abcoAI812hcnaikabcoAI812hcnaikabcoAI812hcnaik

Mandatory fields: username and password

basic-authentication.yaml

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
data:
  username: bXlzcWw=
  password: bXlzcWw=

Mandatory field: ssh-privatekey

ssh-authentication.yaml

apiVersion: v1
kind: Secret
metadata:
  name: secret-ssh-auth
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: |
    abcoAI812hcnaik

Using Secrets in a Pod

Entire Secret
Single Value
As Volume

api-party.yaml

apiVersion: v1
kind: Pod
metadata:
  name: api-party
spec:
  containers:
    - name: api-party
      image: api-party:0.1.0
      envFrom:
        - secretRef:
            name: api-secret  # Secret metadata name

api-party.yaml

apiVersion: v1
kind: Pod
metadata:
  name: api-party
spec:
  containers:
    - name: api-party
      image: api-party:0.1.0
      env:
        - name: token
          valueFrom:
            secretKeyRef:
              name: api-secret  # Secret metadata name
              key: token        # Key under data section

A container using a Secret as a subPath volume will not receive Secret updates.

api-party.yaml

apiVersion: v1
kind: Pod
metadata:
  name: api-party
spec:
  containers:
    - name: api-party
      image: api-party:0.1.0
      volumeMounts:
        - name: secret-volume
          mountPath: /app/src
          readOnly: true
  volumes:
    - name: secret-volume
      secret:
        secretName: sample-secret

This creates /app/src/.secret-file in the container.

Overview

Docker

Git

Kubernetes

Kubernetes Scheduling

Kubernetes Observability

Kubernetes Cluster Maintenance

Kubernetes Security

Linux

SSH

Ansible

Taskfile

Python OOP

Data Structures & Algorithms

12-Factor App

Environments (ConfigMap) and Secrets

Key-Value Pair Format

ConfigMap

Creating a ConfigMap

Using ConfigMap in a Pod

Secrets

Built-in Secret Types

Creating Secrets

Using Secrets in a Pod

Build docs developers (and LLMs) love

Overview

Docker

Git

Kubernetes

Kubernetes Scheduling

Kubernetes Observability

Kubernetes Cluster Maintenance

Kubernetes Security

Linux

SSH

Ansible

Taskfile

Python OOP

Data Structures & Algorithms

12-Factor App

​Key-Value Pair Format

​ConfigMap

​Creating a ConfigMap

​Using ConfigMap in a Pod

​Secrets

​Built-in Secret Types

​Creating Secrets

​Using Secrets in a Pod

Build docs developers (and LLMs) love

Key-Value Pair Format

ConfigMap

Creating a ConfigMap

Using ConfigMap in a Pod

Secrets

Built-in Secret Types

Creating Secrets

Using Secrets in a Pod