Blog
Thoughts on engineering, design, and building great products.
ConfigMap and Secret
Don't bake configuration into the image — pull it into a ConfigMap for ordinary data, a Secret for sensitive data, then inject it via environment variables or files. This article opens Part VI with both: four ways to consume them, one key difference (files auto-update on edit, env doesn't), and the harsh truth that a Secret is only base64, not encrypted — unless you turn it on, which our cluster did in Article 5. Tested for real, dug into etcd.
ConfigMap and Secret: Separating Configuration from the Image
The same image must run in dev, staging, production — meaning configuration cannot be baked into the image. ConfigMap holds ordinary configuration, Secret holds sensitive data. This article: creating and injecting them into a pod via environment variables and files, with an important warning about 'a Secret is just base64'.