Aisalkyn Aidarova

Posted on Jan 9

production-grade guide to Configuration & Secrets in Kubernetes

#architecture #devops #kubernetes #security

Mental model first (very important)

Kubernetes does NOT magically manage configuration.
It only injects data into containers.
What the app does with it is your responsibility.

1️⃣ What DevOps must understand FIRST

Configuration problems cause:

Apps starting but behaving wrong
Random crashes after deploys
Downtime during config changes
Security leaks (very common)

Core rule

Kubernetes delivers config. Applications consume it. Kubernetes does NOT reload it automatically.

2️⃣ ConfigMap vs Secret (zero confusion rule)

Feature	ConfigMap	Secret
Sensitive	❌ No	✅ Yes
Base64	❌ No	✅ Yes
Git safe	✅ Yes	❌ No
Encryption at rest	❌ No	⚠️ Optional
Examples	URLs, flags	passwords, tokens

DevOps rule

ConfigMap = behavior
Secret = credentials

Never mix them.

3️⃣ How configuration is injected (3 ways)

Method 1 — Environment variables (MOST COMMON)

ConfigMap

kubectl create configmap app-config \
  --from-literal=APP_MODE=prod \
  --from-literal=LOG_LEVEL=info

Secret

kubectl create secret generic app-secrets \
  --from-literal=DB_USER=admin \
  --from-literal=DB_PASS=supersecret

Inject into Pod

env:
- name: APP_MODE
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: APP_MODE
- name: DB_PASS
  valueFrom:
    secretKeyRef:
      name: app-secrets
      key: DB_PASS

DevOps attention points

App restart REQUIRED to apply changes
Env vars are visible via kubectl describe pod
Never log env vars

Method 2 — EnvFrom (bulk injection)

envFrom:
- configMapRef:
    name: app-config
- secretRef:
    name: app-secrets

When DevOps uses this

Microservices
Standardized configs
Fast onboarding

Danger

Variable name collisions
Harder debugging

Method 3 — Mounted files (MOST PROFESSIONAL)

Why DevOps prefers this

Supports live reload (if app supports it)
Cleaner separation
Works for certificates, configs, JSON, YAML

ConfigMap as file

volumes:
- name: config
  configMap:
    name: app-config

volumeMounts:
- name: config
  mountPath: /etc/config

Result inside container

/etc/config/APP_MODE
/etc/config/LOG_LEVEL

Secret as file

volumes:
- name: secrets
  secret:
    secretName: app-secrets

DevOps reality

Kubernetes updates files automatically
App must watch files or reload
Most apps DO NOT reload by default

4️⃣ The biggest DevOps mistake (very common)

❌ “I updated ConfigMap but app didn’t change”

Why?

Pods don’t restart
Env vars are immutable
App doesn’t reload mounted files

Correct solutions (DevOps options)

Option 1 — Rolling restart

kubectl rollout restart deployment app

Option 2 — Hash-based rollout (BEST PRACTICE)

metadata:
  annotations:
    config-hash: "{{ .Values.configHash }}"

(Change annotation → rollout triggered)

5️⃣ Secrets: what DevOps MUST secure

Critical truths

Secrets are base64, NOT encrypted
Anyone with RBAC access can read them
GitHub leaks happen weekly

Minimum DevOps requirements

Enable encryption at rest (cloud KMS)
Restrict RBAC
Use namespace isolation
Rotate secrets

6️⃣ What NOT to do (interview traps)

❌ Put secrets in YAML
❌ Commit secrets to Git
❌ Share secrets across namespaces
❌ Use same secret in dev & prod
❌ Restart cluster for config changes

7️⃣ Production patterns DevOps uses

Pattern 1 — External Secret Managers

AWS Secrets Manager
HashiCorp Vault
Azure Key Vault

Flow:

Vault → ExternalSecrets → Kubernetes Secret → Pod

Why DevOps prefers this

Rotation
Audit logs
Central control

Pattern 2 — Immutable config

New config = new deployment
No live mutation
Git controls everything

This prevents:

Drift
Mystery changes
“Works on my cluster”

8️⃣ Troubleshooting checklist (real-life)

App not behaving as expected

kubectl describe pod
kubectl exec pod -- env
kubectl exec pod -- cat /etc/config/*

Secret missing

kubectl get secret
kubectl describe secret

Config updated but app unchanged

Check restart
Check reload capability
Check correct mount path

9️⃣ How to explain this in interviews (perfect answer)

“ConfigMaps control application behavior, Secrets control credentials. Kubernetes injects them but doesn’t manage reload. DevOps must handle rollout, security, and lifecycle correctly.”

10️⃣ What senior DevOps MUST know (non-negotiable)

You must know:

All injection methods
Reload limitations
Security risks
Rollout strategies
External secret managers
RBAC implications

Final DevOps truth (important)

Most production incidents are configuration issues, not code issues.
Kubernetes only exposes them faster.

Mental model first (very important)

1️⃣ What DevOps must understand FIRST

Configuration problems cause:

Core rule

2️⃣ ConfigMap vs Secret (zero confusion rule)

DevOps rule

3️⃣ How configuration is injected (3 ways)

Method 1 — Environment variables (MOST COMMON)

ConfigMap

Secret

Inject into Pod

DevOps attention points

Method 2 — EnvFrom (bulk injection)

When DevOps uses this

Danger

Method 3 — Mounted files (MOST PROFESSIONAL)

Why DevOps prefers this

ConfigMap as file

Result inside container

Secret as file

DevOps reality

4️⃣ The biggest DevOps mistake (very common)

Why?

Correct solutions (DevOps options)

Option 1 — Rolling restart

Option 2 — Hash-based rollout (BEST PRACTICE)

5️⃣ Secrets: what DevOps MUST secure

Critical truths

Minimum DevOps requirements

6️⃣ What NOT to do (interview traps)

7️⃣ Production patterns DevOps uses

Pattern 1 — External Secret Managers

Why DevOps prefers this

Pattern 2 — Immutable config

8️⃣ Troubleshooting checklist (real-life)

App not behaving as expected

Secret missing

Config updated but app unchanged

9️⃣ How to explain this in interviews (perfect answer)

10️⃣ What senior DevOps MUST know (non-negotiable)

Final DevOps truth (important)

Recommended next topics (logical order)