Kubernetes ConfigMaps and Secrets management

Ryan Nakamura Feb 2026
# ConfigMap from literal values
apiVersion: v1
kind: ConfigMap
metadata:
  name: web-app-config
  namespace: production
data:
  APP_NAME: "MyApp"
  LOG_LEVEL: "info"
  REDIS_URL: "redis://redis:6379"
  MAX_WORKERS: "4"
  config.yaml: |
    server:
      port: 3000
      host: 0.0.0.0
    cache:
      ttl: 3600
      max_size: 1000
    features:
      dark_mode: true
      beta_features: false

---
# Secret with stringData (auto base64-encoded)
apiVersion: v1
kind: Secret
metadata:
  name: web-app-secrets
  namespace: production
type: Opaque
stringData:
  database-url: "postgres://user:password@db:5432/myapp"
  jwt-secret: "super-secret-jwt-key-here"
  api-key: "sk-1234567890abcdef"

---
# TLS Secret
apiVersion: v1
kind: Secret
metadata:
  name: app-tls-secret
  namespace: production
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>

---
# Docker registry secret
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
  namespace: production
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-docker-config>

---
# Pod using ConfigMap and Secret
apiVersion: v1
kind: Pod
metadata:
  name: web-app-pod
  namespace: production  # must match the namespace of the ConfigMap and Secret referenced below
spec:
  containers:
    - name: app
      image: web-app:1.0.0
      # Individual env vars
      env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: web-app-secrets
              key: database-url
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: web-app-config
              key: LOG_LEVEL
      # All keys as env vars
      envFrom:
        - configMapRef:
            name: web-app-config
        - secretRef:
            name: web-app-secrets
      # Mount as files
      volumeMounts:
        - name: config-files
          mountPath: /app/config
          readOnly: true
        - name: secret-files
          mountPath: /app/secrets
          readOnly: true
  volumes:
    - name: config-files
      configMap:
        name: web-app-config
        items:
          - key: config.yaml
            path: config.yaml
    - name: secret-files
      secret:
        secretName: web-app-secrets
        defaultMode: 0400  # secret files readable by the owner only

ConfigMaps store non-sensitive configuration as key-value pairs. Secrets store sensitive data such as passwords, tokens, and certificates; their values are base64-encoded, which is an encoding and not encryption. Both can be consumed as environment variables or mounted as files. ConfigMaps can be created with kubectl create configmap from literals or files. Secrets accept stringData for plain-text input or data for base64-encoded values. Volume mounts project ConfigMap and Secret data as files in the container filesystem. The envFrom directive loads all keys as environment variables. Secret types include Opaque, kubernetes.io/tls, and kubernetes.io/dockerconfigjson. External tools like sealed-secrets or external-secrets encrypt Secrets for Git storage. Never commit plain Secrets to version control.
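
One way to enforce the last rule before a commit, as an added example that is not part of the original snippet: a line-based check that flags every multi-document manifest entry with `kind: Secret` and populated `data` or `stringData`, while leaving ConfigMaps and SealedSecrets alone. The function name `find_plain_secrets` and the sample manifest are assumptions made for illustration, and the scan is a heuristic for block-style YAML like the manifests above, not a full YAML parser.

```python
import re

TOP_KEY = re.compile(r"^([A-Za-z][\w.-]*):\s*(.*)$")     # unindented key
CHILD_KEY = re.compile(r"^( +)([^\s:#][^:]*):\s*(.*)$")  # indented key

# Constructed sample manifest (apiVersion lines omitted); all values are placeholders.
SAMPLE = """\
kind: ConfigMap
data:
  LOG_LEVEL: "info"
---
kind: Secret
metadata:
  name: web-app-secrets
stringData:
  jwt-secret: "constructed-placeholder"
  api-key: "constructed-placeholder"
---
kind: SealedSecret
spec:
  encryptedData:
    jwt-secret: "<ciphertext-placeholder>"
"""

def find_plain_secrets(text):
    """Return [(name, [keys])] for each `kind: Secret` document with values."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE):
        kind = name = section = indent = None
        keys = []
        for line in doc.splitlines():
            top, child = TOP_KEY.match(line), CHILD_KEY.match(line)
            if top:
                section, indent = top.group(1), None
                if section == "kind":
                    kind = top.group(2).split(" #")[0].strip("\"' ")
            elif child:
                depth, key, value = len(child.group(1)), child.group(2), child.group(3)
                indent = depth if indent is None else indent  # first child fixes the level
                if depth == indent and section == "metadata" and key == "name":
                    name = value.strip("\"' ")
                elif depth == indent and section in ("data", "stringData"):
                    keys.append(key)
        if kind == "Secret" and keys:
            findings.append((name, sorted(keys)))
    return findings

if __name__ == "__main__":
    print(find_plain_secrets(SAMPLE))
```

Only key names are reported, never values, so the check's own output is safe to keep in CI logs.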