DEV Community

Aisalkyn Aidarova

What problem do ConfigMaps and Secrets solve?

They separate configuration from application code.

Golden rule (very important):

Application code should NOT change when configuration changes.

Kubernetes gives us ConfigMaps and Secrets to externalize configuration.


ConfigMap — “Non-Sensitive Configuration”

What is a ConfigMap?

A ConfigMap stores non-secret configuration data, such as:

  • Environment variables
  • App settings
  • Feature flags
  • URLs
  • Port numbers
  • Log levels

Examples of ConfigMap data

APP_ENV=prod
LOG_LEVEL=debug
DB_HOST=mysql-service
DB_PORT=3306

Why DevOps uses ConfigMaps

  • Change config without rebuilding images
  • Same image → different environments (dev / stage / prod)
  • Safe to store in Git

How ConfigMaps are used

  1. As environment variables
  2. As mounted files

Secret — “Sensitive Configuration”

What is a Secret?

A Secret stores sensitive data, such as:

  • Passwords
  • API keys
  • Tokens
  • Certificates
  • Private keys

Examples of Secret data

DB_PASSWORD
AWS_SECRET_ACCESS_KEY
JWT_SECRET
TLS_CERT

Important truth (many beginners miss this)

Kubernetes Secrets are Base64 encoded, NOT encrypted by default.

Encoding ≠ encryption: anyone who can read the Secret object can decode its values.

Why DevOps uses Secrets

  • Avoid hard-coding credentials
  • Control access via RBAC
  • Rotate secrets without code changes

ConfigMap vs Secret (Side-by-Side)

| Feature | ConfigMap | Secret |
| --- | --- | --- |
| Purpose | Non-sensitive config | Sensitive data |
| Stored as | Plain text | Base64 encoded |
| Safe for Git | Yes | No (usually) |
| RBAC protected | Basic | Strongly required |
| Examples | URLs, flags | Passwords, tokens |

How Pods consume ConfigMaps and Secrets

1️⃣ As Environment Variables

envFrom:
  - configMapRef:
      name: app-config
  - secretRef:
      name: app-secret

2️⃣ As Files (Volumes)

volumes:
  - name: secret-vol
    secret:
      secretName: app-secret

This is commonly used for:

  • TLS certs
  • SSH keys
  • JSON credentials

DevOps Real-World Use Cases

Production patterns

  • ConfigMap

    • Feature toggles
    • App behavior tuning
    • Logging configuration
  • Secret

    • Database credentials
    • Cloud provider keys
    • OAuth tokens

What breaks if misused

  • Secrets in ConfigMap → security incident
  • Hardcoded secrets → credential leak
  • One config for all envs → deployment failure
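
The first failure above ("Secrets in ConfigMap") and the earlier point that Secret values are only Base64 encoded can both be checked before a manifest is applied. The script below is an added example, not code from the original post: the manifests are constructed sample data in the JSON form that `kubectl get -o json` prints, and the key-name and URL patterns are assumptions to tune for your own naming conventions.

```python
import base64
import json
import re

# Heuristics chosen for this example; tune them for your own naming conventions.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
URL_WITH_PASSWORD = re.compile(r"://[^/\s:@]+:[^/\s@]+@")  # scheme://user:password@host

# Constructed manifests, in the JSON form that `kubectl get -o json` prints.
MANIFESTS = json.loads("""[
  {"kind": "ConfigMap", "metadata": {"name": "app-config"},
   "data": {"APP_ENV": "prod", "DB_HOST": "mysql-service", "DB_PORT": "3306",
            "DB_PASSWORD": "example-only",
            "DATABASE_URL": "mysql://app:example-only@mysql-service:3306/app"}},
  {"kind": "Secret", "metadata": {"name": "app-secret"},
   "data": {"JWT_SECRET": "ZXhhbXBsZS1vbmx5"}}
]""")


def configmap_findings(manifests):
    """Return (configmap, key, reason) for entries that look like credentials."""
    findings = []
    for m in manifests:
        if m.get("kind") != "ConfigMap":
            continue
        name = m.get("metadata", {}).get("name", "<unnamed>")
        for key, value in (m.get("data") or {}).items():
            if SENSITIVE_KEY.search(key):
                findings.append((name, key, "sensitive-looking key name"))
            elif URL_WITH_PASSWORD.search(str(value)):
                findings.append((name, key, "URL with embedded password"))
    return findings


def decode_secret(manifest):
    """Recover plaintext from a Secret's .data: base64 only, no key required."""
    return {k: base64.b64decode(v).decode("utf-8", "replace")
            for k, v in (manifest.get("data") or {}).items()}


if __name__ == "__main__":
    for finding in configmap_findings(MANIFESTS):
        print("ConfigMap finding:", finding)
    print("Decoded Secret:", decode_secret(MANIFESTS[1]))
```

A check like this fits in CI ahead of `kubectl apply`; the decode step shows why read access to Secret objects has to be restricted with RBAC.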

What DevOps Engineers MUST know

✔ Never store secrets in Git
✔ Rotate secrets without redeploying code
✔ Restrict access using RBAC
✔ Prefer external secret managers in production:

  • AWS Secrets Manager
  • HashiCorp Vault
  • External Secrets Operator

One-line mental model (remember this)

ConfigMap = how the app behaves
Secret = how the app authenticates
