How to Use Kubernetes ConfigMaps and Secrets

By Admin · Mar 2, 2026 · Updated Apr 24, 2026

ConfigMaps and Secrets decouple configuration from container images, making your applications portable and easier to manage across environments. ConfigMaps hold non-sensitive data like feature flags and connection strings (without embedded credentials), while Secrets store sensitive values like passwords and API keys. This guide covers both resources on your Breeze Kubernetes cluster.

Creating a ConfigMap

You can create ConfigMaps from literal values, files, or YAML manifests:

# From literals
kubectl create configmap app-config \
  --from-literal=APP_ENV=production \
  --from-literal=LOG_LEVEL=info \
  --from-literal=MAX_CONNECTIONS=100

# From a file
kubectl create configmap nginx-conf --from-file=nginx.conf=/etc/nginx/nginx.conf

ConfigMap YAML Manifest

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: default
data:
  APP_ENV: production
  LOG_LEVEL: info
  DATABASE_HOST: postgres-headless.default.svc.cluster.local
  config.yaml: |
    server:
      port: 8080
      workers: 4
    cache:
      ttl: 300
      max_size: 512mb

Creating Secrets

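Secret values are stored base64-encoded by default. Base64 is an encoding, not encryption: anyone who can read the Secret object can decode its values. Create Secrets from literals or use a manifest: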

kubectl create secret generic db-credentials \
  --from-literal=username=appuser \
  --from-literal=password='S3cur3P@ssw0rd!'

Secret YAML Manifest

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:
  username: appuser
  password: S3cur3P@ssw0rd!

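Using stringData lets you provide plain-text values; Kubernetes base64-encodes them automatically when the object is created. The manifest file itself then contains the password in clear text, so keep it out of version control.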

Consuming as Environment Variables

spec:
  containers:
  - name: app
    image: myapp:latest
    envFrom:
    - configMapRef:
        name: app-config
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASS
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password

Mounting as Volume Files

Mount a ConfigMap as files inside the container:

spec:
  containers:
  - name: app
    volumeMounts:
    - name: config-volume
      mountPath: /etc/app
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: app-config

Each key becomes a file in /etc/app/ with the value as its content.

Best Practices for Breeze Clusters

  • Never store secrets in ConfigMaps — always use Secret objects
  • Enable encryption at rest for Secrets in your cluster configuration
  • Use immutable: true on ConfigMaps and Secrets that should not change, improving performance
  • Consider external secret managers (Vault, Sealed Secrets) for production Breeze deployments
  • Rotate secrets regularly and use short-lived tokens where possible
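
One way to check the first rule above across a cluster, as an added example that is not part of the original article: a small audit over `kubectl get configmaps -A -o json` output that flags ConfigMap keys whose name or content looks like a credential. The pattern list and the `legacy-config` sample object are assumptions made up for this example.

```python
import json
import re

# Heuristic patterns (assumptions of this example, tune for your environment).
SENSITIVE_KEY = re.compile(r"pass(word|wd)|secret|token|api[_-]?key|private[_-]?key", re.I)
SENSITIVE_VALUE = [
    # scheme://user:password@host connection strings
    ("url-with-credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("pem-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # credential assignments inside embedded files such as config.yaml
    ("inline-credential", re.compile(
        r"^\s*[\w.-]*(pass(word|wd)|secret|token|api[_-]?key)[\w.-]*\s*[:=]\s*\S+", re.I | re.M)),
]

def audit_configmaps(kubectl_json):
    """Return sorted (namespace, name, key, reason) findings; values are never echoed."""
    doc = json.loads(kubectl_json)
    # `kubectl get ... -o json` yields kind "List" for many objects, or a single object.
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = set()
    for item in items:
        if item.get("kind") != "ConfigMap":
            continue
        meta = item.get("metadata", {})
        where = (meta.get("namespace", "default"), meta.get("name", "?"))
        for key, value in (item.get("data") or {}).items():
            if SENSITIVE_KEY.search(key):
                findings.add(where + (key, "key-name"))
            for reason, pattern in SENSITIVE_VALUE:
                if pattern.search(value):
                    findings.add(where + (key, reason))
    return sorted(findings)

# Constructed sample: app-config mirrors the manifest above; legacy-config is invented.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "default"},
     "data": {"APP_ENV": "production", "LOG_LEVEL": "info",
              "DATABASE_HOST": "postgres-headless.default.svc.cluster.local",
              "config.yaml": "server:\n  port: 8080\n  workers: 4\ncache:\n  ttl: 300\n  max_size: 512mb\n"}},
    {"kind": "ConfigMap", "metadata": {"name": "legacy-config", "namespace": "default"},
     "data": {"DB_PASSWORD": "example-not-real",
              "DATABASE_URL": "postgres://appuser:example-not-real@db.example.internal:5432/app",
              "settings.ini": "[auth]\napi_key = example-not-real\n"}},
]})

if __name__ == "__main__":
    for ns, name, key, reason in audit_configmaps(SAMPLE):
        print(f"{ns}/{name}: key {key!r} flagged ({reason})")
```

To run it against a real cluster, pass the text of `kubectl get configmaps -A -o json` to `audit_configmaps` instead of `SAMPLE`. Findings are heuristic and name only the key, so each one still needs a manual look before the value is moved into a Secret.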
