ConfigMaps and Secrets for Application Configuration

Every application needs configuration: database connection strings, feature flags, log levels, TLS certificates. The naive approach is baking these into the container image, either as files in the filesystem or as hardcoded defaults. That works until you need to deploy the same image to staging and production with different settings, or rotate a database password without rebuilding.

Kubernetes solves this with two objects: ConfigMap for non-sensitive data and Secret for credentials. The mechanics are similar — create the object, reference it in a Pod spec, and the kubelet injects the values either as environment variables or as files on a mounted volume — but the two objects differ in how Kubernetes handles them at the node level, and the choice between injection methods has real consequences for update propagation, security exposure, and startup behavior.