DEV Community

Cover image for Kubernetes ConfigMap and Secret explained
TechWorld with Nana
TechWorld with Nana

Posted on • Edited on

Kubernetes ConfigMap and Secret explained

ConfigMap

What is ConfigMap and when is it used? 🤔
Think of it as a properties file for your application. For example depending on your application environment (dev, int, prod) you will have a different database url or logging level. So for these kind of things you can use configMap.

The biggest advantage is that, with properties file, every time you modify it you have to rebuild and redeploy your application, whereas if you change configuration in configMap, you just need to restart the application pod/container.

ConfigMap can be used by the application as a set of environmental variable values or as an actual configuration file.

Example ConfigMap with database connection configuration:

apiVersion: v1
kind: ConfigMap
metadata:
    name: my-config
data:
  db-host: cluster-mysql.database 
  db-port: 3306
  db-name: my-db 
Enter fullscreen mode Exit fullscreen mode

The values in this configMap can be used in a following way in your app's pod specification:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-app
    image: my-app-image
    env:
    - name: DB_HOST
      valueFrom:
        configMapKeyRef:
          name: my-config
          key: db-host
    - name: DB_PORT
      valueFrom:
        configMapKeyRef:
          name: my-config
          key: db-port
    - name me: DB_NAME
      valueFrom:
        configMapKeyRef:
          name: my-config
          key: db-name
Enter fullscreen mode Exit fullscreen mode

Here is an example ConfigMap which creates a configuration file for Mosquitto app:

apiVersion: v1
kind: ConfigMap
metadata:
    name: mosquitto-config
data:
  mosquitto.conf |
     log_dest stout
     log_type all
     log_timestamp true
     listener 9001
Enter fullscreen mode Exit fullscreen mode

In this case we need to mount the ConfigMap as a volume in Kubernetes:

apiVersion: v1
kind: Pod
metadata:
  name: mosquitto
spec:
  containers:
  - name: mosquitto
    image: mosquitto-image
    volumeMounts:
      - name: config-file
        mountPath: /mosquitto/config
  volumes:
  - name: config-file
    configMap:
      name: mosquitto-config
Enter fullscreen mode Exit fullscreen mode

This config map will produce a file mosquitto.conf, which then can be mounted into the Mosquitto container under /mosquitto/config directory.

Secret

Secrets 🔐 are also used in these 2 ways. Either as a value for env variables or as a secret file with credentials or a certificate etc mounted into a pod.

So for a better comparison, think of secrets as encrypted configMaps.

Example secret with key-value pairs:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  type: Opaque
data:
  db-user: dXNlcg==
  db-password: cGFzc3dvcmQ
Enter fullscreen mode Exit fullscreen mode

And you can use it the same way as ConfigMap in your application's configuration file:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-app
    image: my-app-image
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: db-user
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: db-password
Enter fullscreen mode Exit fullscreen mode

Here is an example secret that creates a file:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  type: Opaque
data:
  cacert.pem |
     base-64-encoded value of a PEM certificate
Enter fullscreen mode Exit fullscreen mode

And again, just like with ConfigMap, you will need to mount this secret as a volume into the pod to use the cacert.pem file:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-app
    image: my-app-image
    volumeMounts:
      - name: certificate-file
        mountPath: /etc/secret
  volumes:
  - name: certificate-file
    configMap:
      name: my-secret
Enter fullscreen mode Exit fullscreen mode

The inconvenience with this way of creating a secret for a file is that you will have to base64 encode the file contents and then paste it into the data section.

So an easier alternative way to create secrets from a file is with kubectl command.

Like in the above case, get the cacert.pem file and execute:

kubectl create secret generic my-secret --from-file=./cacert.pem
Enter fullscreen mode Exit fullscreen mode

Thanks for reading 👩🏻‍💻 and click on ❤️ or 🦄 if you learned something. 🤓


You can follow me on Twitter and YouTube.

More about Kubernetes Components:

Top comments (0)