Kubernetes Secrets vs ConfigMaps

Question

Have been using Kubernetes secrets up to date. Now we have ConfigMaps as well.

What is the preferred way forward - secrets or config maps?

P.S. After a few i

Answer 1

Both, ConfigMaps and Secrets store data as a key value pair. The major difference is, Secrets store data in base64 format meanwhile ConfigMaps store data in a plain text.

If you have some critical data like, keys, passwords, service accounts credentials, db connection string, etc then you should always go for Secrets rather than Configs.

And if you want to do some application configuration using environment variables which you don't want to keep secret/hidden like, app theme, base platform url, etc then you can go for ConfigMaps

Answer 2

I'm the author of both of these features. The idea is that you should:

1. Use secrets for things which are actually secret like API keys, credentials, etc
2. Use config map for not-secret configuration data

In the future there will likely be some differentiators for secrets like rotation or support for backing the secret API w/ HSMs, etc. In general we like intent-based APIs, and the intent is definitely different for secret data vs. plain old configs.

Hope that helps.

Answer 3

One notable difference in the implementation is that kubectl apply -f:

• ConfigMaps are "unchanged" if the data hasn't changed.
• Secrets are always "configured" - even if the file hasn't changed