Managing Application Configurations and Secrets

Many applications require configuration settings and secrets such as TLS certificates to run in a production environment. In this chapter you will learn how to:

  • Create secrets to store sensitive application data

  • Create configmaps to store application configuration data

  • Expose secrets and configmaps to Pods at runtime

In this chapter we will create a new Pod named secure-monolith based on the healthy-monolith Pod. The secure-monolith Pod secures access to the monolith container using Nginx, which will serve as a reverse proxy serving HTTPS.

The nginx container will be deployed in the same pod as the monolith container because they are tightly coupled.

Tutorial: Creating Secrets

Before we can use the nginx container to serve HTTPS traffic we need some TLS certificates. In this tutorial you will store a set of self-signed TLS certificates in Kubernetes as secrets.

Create the tls-certs secret from the TLS certificates stored under the tls directory:

kubectl create secret generic tls-certs --from-file=manifests/app/tls/

Examine the tls-certs secret:

kubectl describe secrets tls-certs

Note: You can also explore Secrets and ConfigMaps in GKE console, from the Configuration menu.


  • How many items are stored under the tls-certs secret?

  • What are key the names?

Tutorial: Creating Configmaps

The nginx container also needs a configuration file to setup the secure reverse proxy. In this tutorial you will create a configmap from the proxy.conf nginx configuration file.

Create the nginx-proxy-conf configmap based on the proxy.conf nginx configuration file:

kubectl create configmap nginx-proxy-conf --from-file=manifests/app/nginx/proxy.conf

Examine the nginx-proxy-conf configmap:

kubectl describe configmaps nginx-proxy-conf


  • How many items are stored under the nginx-proxy-conf configmap?

  • What are the key names?

Tutorial: Use Configmaps and Secrets

In this tutorial you will expose the nginx-proxy-conf configmap and the tls-certs secrets to the secure-monolith pod at runtime:

Examine the secure-monolith pod configuration file manifests/app/pods/secure-monolith.yaml

Notice: * ConfigMap and Secret attached as volumes at the pod levels * Mount of these volumes in the nginx container


  • How are secrets exposed to the secure-monolith Pod?

  • How are configmaps exposed to the secure-monolith Pod?

Create the secure-monolith Pod using kubectl:

kubectl apply -f manifests/app/pods/secure-monolith.yaml

Test the HTTPS endpoint

Forward local port 10443 to 443 of the secure-monolith Pod:

kubectl port-forward secure-monolith 10443:443

Use the curl command to test the HTTPS endpoint:

curl --cacert manifests/app/tls/ca.pem

Use the kubectl logs command to verify traffic to the secure-monolith Pod:

kubectl logs -c nginx secure-monolith


Secrets and Configmaps allow you to store application secrets and configuration data, then expose them to Pods at runtime. In this chapter you learned how to expose Secrets and Configmaps to Pods using volume mounts. You also learned how to run multiple containers in a single Pod.