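# ConfigMap from literal values.
# ConfigMap data is stored in plain text and is readable by anyone allowed to
# get the object, so anything credential-bearing (for example a connection URL
# that embeds a password) belongs in a Secret instead.
apiVersion: v1
kind: ConfigMap
metadata:
  name: web-app-config
  namespace: production
data:
  # Every value under data is a string, which is why the number is quoted.
  APP_NAME: "MyApp"
  LOG_LEVEL: "info"
  REDIS_URL: "redis://redis:6379"
  MAX_WORKERS: "4"
  # File-style key: the block scalar below is stored verbatim as one string
  # and is only parsed by the application that reads it.
  config.yaml: |
    server:
      port: 3000
      host: 0.0.0.0
    cache:
      ttl: 3600
      max_size: 1000
    features:
      dark_mode: true
      beta_features: false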
---
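# Secret with stringData: values are written in plain text here and are stored
# base64-encoded under .data once the object is created.
# Base64 is an encoding, not encryption: anyone who can read this manifest or
# get the Secret can recover the values. The values below are samples; keep
# real ones out of any manifest that is kept in version control.
apiVersion: v1
kind: Secret
metadata:
  name: web-app-secrets
  namespace: production
type: Opaque
stringData:
  database-url: "postgres://user:password@db:5432/myapp"
  jwt-secret: "super-secret-jwt-key-here"
  api-key: "sk-1234567890abcdef"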
---
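# TLS Secret.
# The data field takes base64-encoded values; the angle-bracket entries are
# placeholders to be replaced with the encoded certificate and key.
# tls.key is the private key, so read access to this Secret should be limited
# to the workloads that terminate TLS with it.
apiVersion: v1
kind: Secret
metadata:
  name: app-tls-secret
  namespace: production
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>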
---
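# Docker registry secret (image pull credentials).
# The single .dockerconfigjson key holds a base64-encoded Docker config file;
# the angle-bracket entry is a placeholder. That file contains the registry
# login, so treat this object like any other credential.
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
  namespace: production
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-docker-config>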
---
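# Pod using ConfigMap and Secret.
# This manifest shows all three ways of consuming the same objects (single env
# vars, envFrom, and file mounts). A real workload normally picks one path per
# value, because every extra path is another place the secret can be read.
apiVersion: v1
kind: Pod
metadata:
  name: web-app-pod
  # configMapKeyRef / secretKeyRef / volumes resolve only inside the Pod's own
  # namespace, so it must match the namespace of web-app-config and
  # web-app-secrets.
  namespace: production
spec:
  containers:
    - name: app
      image: web-app:1.0.0
      # Individual env vars: only the named key is exposed to the process.
      env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: web-app-secrets
              key: database-url
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: web-app-config
              key: LOG_LEVEL
      # All keys as env vars. secretRef puts every key of the Secret into the
      # process environment, where child processes inherit it and where it can
      # surface in debug output. Keys that are not valid environment variable
      # names (database-url, config.yaml) may be skipped depending on the
      # cluster version -- check the Pod events.
      envFrom:
        - configMapRef:
            name: web-app-config
        - secretRef:
            name: web-app-secrets
      # Mount as files
      volumeMounts:
        - name: config-files
          mountPath: /app/config
          readOnly: true
        - name: secret-files
          mountPath: /app/secrets
          readOnly: true
  volumes:
    - name: config-files
      configMap:
        name: web-app-config
        # Project only config.yaml; the other keys are not written as files.
        items:
          - key: config.yaml
            path: config.yaml
    - name: secret-files
      secret:
        secretName: web-app-secrets
        # Octal file mode: read-only for the owning user, no group/other access.
        defaultMode: 0400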
#!/bin/bash
# ConfigMap and Secret commands.
# The three "create configmap app-config" commands are alternatives: a name can
# be created only once, so running them back to back fails on the second.

# ConfigMap built from key=value literals
kubectl create configmap app-config \
  --from-literal=APP_ENV=production \
  --from-literal=LOG_LEVEL=info

# ConfigMap built from files (one key per file)
kubectl create configmap app-config \
  --from-file=config.yaml \
  --from-file=nginx.conf

# ConfigMap built from an env file
kubectl create configmap app-config --from-env-file=.env

# Secret built from literals.
# Values typed on the command line end up in shell history and are visible in
# the process list while the command runs; --from-file or --from-env-file keeps
# them off the command line.
kubectl create secret generic app-secrets \
  --from-literal=db-password=supersecret \
  --from-literal=api-key=abc123

# TLS Secret from a certificate and private key on disk
kubectl create secret tls app-tls --cert=tls.crt --key=tls.key

# Docker registry secret (the password is a command-line argument here as well)
kubectl create secret docker-registry registry-cred \
  --docker-server=registry.example.com \
  --docker-username=user \
  --docker-password=pass

# Show the ConfigMap
kubectl get configmap app-config -o yaml

# Decode one Secret key. This prints the clear-text value to the terminal, and
# works for any account that is allowed to get Secrets in the namespace.
kubectl get secret app-secrets -o jsonpath='{.data.db-password}' | base64 -d

# Edit the live object in an editor
kubectl edit configmap app-config

# Restart the workload so that it picks up the changed configuration
kubectl rollout restart deployment/web-app
ConfigMaps store non-sensitive configuration as key-value pairs. Secrets store sensitive data like passwords, tokens, and certificates in base64 encoding; base64 is an encoding, not encryption, so a Secret is only as protected as the access controls and storage around it. Both can be consumed as environment variables or mounted as files. ConfigMaps are created with kubectl create configmap from literals or files. Secrets use stringData for plain-text input or data for base64-encoded values. Volume mounts project ConfigMap/Secret data as files in the container filesystem. The envFrom directive loads all keys as environment variables. Secret types include Opaque, kubernetes.io/tls, and kubernetes.io/dockerconfigjson. External tools like sealed-secrets or external-secrets keep plain-text Secrets out of Git, either by encrypting them for Git storage or by referencing an external secret store. Never commit plain Secrets to version control.