Managing Configuration in Kubernetes: ConfigMaps & Secrets

When we deploy applications on Kubernetes, one big question comes up:
Where should configuration live?
Things like:
usernames
ports
environment values
database passwords
We should not hardcode these inside our application or Docker image. Kubernetes solves this problem using ConfigMaps and Secrets.
Today I learned:
What ConfigMaps and Secrets are
Why we need them
How I used them hands-on with a Node.js app
The difference between passing config as ENV vs Volume
Why separating code and configuration matters
If configuration is hardcoded:
Any small change requires rebuilding the image
Same image cannot be reused across environments
Secrets can leak into GitHub
Kubernetes allows us to inject configuration at runtime, without changing the image.
What is a ConfigMap?
A ConfigMap stores non-sensitive configuration data as key-value pairs.
Examples:
username
app mode (dev / prod)
feature flags
URLs
Example ConfigMap I created:

This data is not secret, so ConfigMap is the right choice.
Ways to use a ConfigMap in a Pod
There are two ways:
As environment variables
As files using volumes
Method 1: ConfigMap as Environment Variable

Inside the container:

Limitation
Environment variables are static.
If ConfigMap changes → Pod must restart.
Method 2: ConfigMap as a Volume (Better approach)


After I changed the username in the ConfigMap, the username in the Pod's mounted volume also changed.

How my Node.js app reads the ConfigMap

This is a production-grade pattern.
The problem with ConfigMaps for passwords
ConfigMaps are stored:
In plain text
Visible to anyone with access
Not safe for passwords or API keys
That’s where Secrets come in.
What is a Kubernetes Secret?
A Secret is used for sensitive data like:
passwords
tokens
API keys
Secrets:
Are base64 encoded (base64 is an encoding, not encryption)
Have stricter access control
Can also be injected as env or volume

Creating a Secret (the mistake I made)

Kubernetes rejected it.
Why?
data: expects base64, not plain text.

Kubernetes automatically converts it to base64.
Mounting Secret as a Volume (Recommended Approach)


Reading Secret in Node.js

No env leaks. No hardcoding. Secure.
Key takeaways from this hands-on
ConfigMaps are for normal config
Secrets are for private data
Volume mounts are better than env
Kubernetes updates mounted files automatically
Application must read config from files