Kubernetes ConfigMaps and Secrets with Spring Boot

Managing configuration and sensitive data is a crucial part of deploying secure, production-grade microservices. In Kubernetes, ConfigMaps and Secrets allow you to externalize configuration and keep sensitive data out of source code.

In this guide, you’ll learn how to:

  • Create ConfigMaps and Secrets
  • Inject them into a Spring Boot application
  • Access them via environment variables and mounted files
  • Follow best practices for security and flexibility

This tutorial uses a sample Spring Boot app with the package:
com.kscodes.springboot.containers

Kubernetes ConfigMaps and Secrets with Spring Boot

🧰 Prerequisites

  • Kubernetes cluster (Minikube, GKE, EKS, or AKS)
  • Docker image of Spring Boot app
  • kubectl CLI
  • Basic YAML and Spring Boot familiarity

🚀 Step 1: Sample Spring Boot Code

Here’s a basic Spring Boot controller that reads config values.


package com.kscodes.springboot.containers;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ConfigController {

    @Value("${app.config.value:default-config}")
    private String configValue;

    @Value("${app.secret.value:default-secret}")
    private String secretValue;

    @GetMapping("/config")
    public String getConfig() {
        return "Config: " + configValue + " | Secret: " + secretValue;
    }
}

Make sure your application.properties allows external config override:


# src/main/resources/application.properties
app.config.value=${app.config.value}
app.secret.value=${app.secret.value}

🧾 Step 2: Create ConfigMap

You can create a ConfigMap from a file or inline.

Option A: Inline YAML


# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  app.config.value: "This is a ConfigMap value"

Option B: From File


echo "app.config.value=This is a file-based ConfigMap value" > app-config.properties
kubectl create configmap app-config --from-file=app-config.properties

Apply if using YAML:


kubectl apply -f configmap.yaml

🔐 Step 3: Create Kubernetes Secret

Use base64-encoded data if you’re using YAML.


# secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  app.secret.value: VGhpcyBpcyBhIHNlY3JldCB2YWx1ZQ==  # "This is a secret value"

To create manually:


kubectl create secret generic app-secret \
  --from-literal=app.secret.value="This is a secret value"

📦 Step 4: Update Deployment YAML

Here’s how to inject both ConfigMap and Secret into your Spring Boot container:


# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: springboot-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: springboot
  template:
    metadata:
      labels:
        app: springboot
    spec:
      containers:
        - name: springboot
          image: kscodes/springboot-k8s-app
          ports:
            - containerPort: 8080
          env:
            - name: app.config.value
              valueFrom:
                configMapKeyRef:
                  name: app-config
                  key: app.config.value
            - name: app.secret.value
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: app.secret.value

Apply it:


kubectl apply -f deployment.yaml

🧪 Step 5: Test the Setup

Once deployed, access your Spring Boot app:


kubectl get svc

Use the IP/port or tunnel to access /config:


GET http:///config

You should see:


Config: This is a ConfigMap value | Secret: This is a secret value

🛡️ Bonus: Mount as Files (Alternative)

You can also mount ConfigMap/Secret as files:


volumeMounts:
  - name: config-volume
    mountPath: /etc/config

volumes:
  - name: config-volume
    configMap:
      name: app-config

Then read from the mounted file using Spring’s @ConfigurationProperties or directly via file path.

⚙️ Best Practices

PracticeWhy It Matters
Use Secrets for passwords/tokensBase64 encoding adds a layer of safety
Do not commit Secrets to GitUse .gitignore for secret YAMLs
Avoid storing config in the imageKeeps builds reusable and generic
Use RBAC to restrict accessLimit who can read Secrets

📘 Summary

In this guide, you learned how to use Kubernetes ConfigMaps and Secrets with Spring Boot to inject dynamic and sensitive configuration into your containers. You saw how to use both environment variables and file-based mounts, and followed best practices for secure, maintainable deployments.

This is a core building block of 12-factor Spring Boot apps on Kubernetes.