Managing configuration and sensitive data is a crucial part of deploying secure, production-grade microservices. In Kubernetes, ConfigMaps and Secrets allow you to externalize configuration and keep sensitive data out of source code.
In this guide, you’ll learn how to:
- Create ConfigMaps and Secrets
- Inject them into a Spring Boot application
- Access them via environment variables and mounted files
- Follow best practices for security and flexibility
This tutorial uses a sample Spring Boot app with the package:com.kscodes.springboot.containers
🧰 Prerequisites
- Kubernetes cluster (Minikube, GKE, EKS, or AKS)
- Docker image of Spring Boot app
kubectlCLI- Basic YAML and Spring Boot familiarity
🚀 Step 1: Sample Spring Boot Code
Here’s a basic Spring Boot controller that reads config values.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
package com.kscodes.springboot.containers; import org.springframework.beans.factory.annotation.Value; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class ConfigController { @Value("${app.config.value:default-config}") private String configValue; @Value("${app.secret.value:default-secret}") private String secretValue; @GetMapping("/config") public String getConfig() { return "Config: " + configValue + " | Secret: " + secretValue; } } |
Make sure your application.properties allows external config override:
|
1 2 3 4 5 6 |
# src/main/resources/application.properties app.config.value=${app.config.value} app.secret.value=${app.secret.value} |
🧾 Step 2: Create ConfigMap
You can create a ConfigMap from a file or inline.
Option A: Inline YAML
|
1 2 3 4 5 6 7 8 9 10 |
# configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: app-config data: app.config.value: "This is a ConfigMap value" |
Option B: From File
|
1 2 3 4 5 |
echo "app.config.value=This is a file-based ConfigMap value" > app-config.properties kubectl create configmap app-config --from-file=app-config.properties |
Apply if using YAML:
|
1 2 3 4 |
kubectl apply -f configmap.yaml |
🔐 Step 3: Create Kubernetes Secret
Use base64-encoded data if you’re using YAML.
|
1 2 3 4 5 6 7 8 9 10 11 |
# secret.yaml apiVersion: v1 kind: Secret metadata: name: app-secret type: Opaque data: app.secret.value: VGhpcyBpcyBhIHNlY3JldCB2YWx1ZQ== # "This is a secret value" |
To create manually:
|
1 2 3 4 5 |
kubectl create secret generic app-secret \ --from-literal=app.secret.value="This is a secret value" |
📦 Step 4: Update Deployment YAML
Here’s how to inject both ConfigMap and Secret into your Spring Boot container:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
# deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: springboot-app spec: replicas: 1 selector: matchLabels: app: springboot template: metadata: labels: app: springboot spec: containers: - name: springboot image: kscodes/springboot-k8s-app ports: - containerPort: 8080 env: - name: app.config.value valueFrom: configMapKeyRef: name: app-config key: app.config.value - name: app.secret.value valueFrom: secretKeyRef: name: app-secret key: app.secret.value |
Apply it:
|
1 2 3 4 |
kubectl apply -f deployment.yaml |
🧪 Step 5: Test the Setup
Once deployed, access your Spring Boot app:
|
1 2 3 4 |
kubectl get svc |
Use the IP/port or tunnel to access /config:
|
1 2 3 4 |
GET http://<EXTERNAL_IP>/config |
You should see:
|
1 2 3 4 |
Config: This is a ConfigMap value | Secret: This is a secret value |
🛡️ Bonus: Mount as Files (Alternative)
You can also mount ConfigMap/Secret as files:
|
1 2 3 4 5 6 7 8 9 10 11 |
volumeMounts: - name: config-volume mountPath: /etc/config volumes: - name: config-volume configMap: name: app-config |
Then read from the mounted file using Spring’s @ConfigurationProperties or directly via file path.
⚙️ Best Practices
| Practice | Why It Matters |
|---|---|
| Use Secrets for passwords/tokens | Base64 encoding adds a layer of safety |
| Do not commit Secrets to Git | Use .gitignore for secret YAMLs |
| Avoid storing config in the image | Keeps builds reusable and generic |
| Use RBAC to restrict access | Limit who can read Secrets |
📘 Summary
In this guide, you learned how to use Kubernetes ConfigMaps and Secrets with Spring Boot to inject dynamic and sensitive configuration into your containers. You saw how to use both environment variables and file-based mounts, and followed best practices for secure, maintainable deployments.
This is a core building block of 12-factor Spring Boot apps on Kubernetes.