Microservicessystem_design~7 mins

ConfigMaps and Secrets in Microservices - System Design Guide

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Problem Statement

Hardcoding configuration data and sensitive information like passwords inside application code or container images causes security risks and operational inflexibility. When configuration changes, redeploying the entire application is slow and error-prone, and leaking secrets can compromise the whole system.

Solution

ConfigMaps and Secrets separate configuration data and sensitive information from application code by storing them externally and injecting them into containers at runtime. ConfigMaps hold non-sensitive configuration as key-value pairs, while Secrets store sensitive data encrypted or base64-encoded. This allows dynamic updates without rebuilding images and improves security by controlling access separately.

Architecture

ConfigMap

(non-sensitive

→Kubernetes

↓

Secret

(sensitive

→Kubernetes

This diagram shows how ConfigMaps and Secrets are stored in Kubernetes and injected into application containers via the API server at runtime.

Trade-offs

✓ Pros

→

Separates configuration and secrets from application code, enabling safer and faster updates.

→

Supports dynamic configuration changes without rebuilding or redeploying containers.

→

Improves security by controlling access to secrets separately from application code.

→

Standardized Kubernetes resources simplify management and integration with orchestration.

✗ Cons

→

Secrets stored in Kubernetes are base64-encoded by default, which is not strong encryption without additional measures.

→

Managing secret rotation and access policies adds operational complexity.

→

Applications must be designed to reload configuration dynamically or restart to pick up changes.

Use when deploying microservices on Kubernetes or similar orchestrators that support externalized configuration and secrets, especially at scale with frequent config changes or sensitive data.

Avoid if running simple, single-instance applications without orchestration or if the platform does not support external config injection, or when secrets require hardware-backed encryption not provided by the orchestrator.

Real World Examples

Netflix

Uses Kubernetes Secrets to securely manage API keys and credentials for their microservices, enabling dynamic updates without redeploying services.

Spotify

Employs ConfigMaps to manage feature flags and environment-specific settings across their containerized services, allowing rapid configuration changes.

Airbnb

Leverages Kubernetes Secrets integrated with external vaults to protect sensitive user data and service credentials in their microservices architecture.

Code Example

This example shows how hardcoded configuration and secrets inside the code are replaced by environment variables injected at runtime. This enables external management of configuration and secrets, improving security and flexibility.

Microservices

### Before: Hardcoded configuration and secrets inside code
class Service:
    def __init__(self):
        self.db_host = "db.example.com"
        self.db_user = "admin"
        self.db_password = "password123"  # Hardcoded secret

    def connect(self):
        # Connect to database using above credentials
        pass


### After: Configuration and secrets injected via environment variables
import os

class Service:
    def __init__(self):
        self.db_host = os.getenv("DB_HOST")
        self.db_user = os.getenv("DB_USER")
        self.db_password = os.getenv("DB_PASSWORD")  # Injected secret

    def connect(self):
        # Connect to database using injected credentials
        pass

OutputSuccess

Alternatives

Environment Variables

Injects configuration and secrets directly as environment variables inside containers instead of using Kubernetes resources.

Use when: Use for simple applications or when orchestration support for ConfigMaps/Secrets is unavailable.

External Secret Management Systems

Stores secrets outside the orchestrator in dedicated vaults like HashiCorp Vault or AWS Secrets Manager, accessed at runtime.

Use when: Choose when stronger encryption, audit logging, and secret rotation policies are required beyond Kubernetes native capabilities.

Embedded Configuration Files

Bundles configuration files inside container images or mounts them via volumes instead of using ConfigMaps.

Use when: Use when configuration rarely changes and external management overhead is not justified.

Summary

ConfigMaps and Secrets separate configuration and sensitive data from application code in microservices.

They enable dynamic updates and improve security by managing data externally and injecting it at runtime.

Proper use requires understanding their differences and designing applications to handle configuration changes.