Skip to main content

Overview

ConfigMaps and Secrets store configuration data and sensitive information used by your applications. Orphelix provides both table and grid views for easy management and tracks which resources use each ConfigMap or Secret. ConfigMaps and Secrets

ConfigMaps

What are ConfigMaps?

ConfigMaps store non-confidential configuration data in key-value pairs. They decouple configuration from container images, making applications more portable. Common Use Cases:
  • Application configuration files
  • Environment variables
  • Command-line arguments
  • Configuration properties
  • Feature flags

List View

Table View

Traditional table format with sorting and filtering

Grid View

Card-based layout for better visualization
Table Columns:
  • Name: ConfigMap name (clickable)
  • Data Keys: Number of key-value pairs
  • Age: Time since creation
  • Usage: Number of resources using this ConfigMap
  • Actions: View, Edit, Delete

Detail View

Click any ConfigMap name to view details:
1

Metadata

  • Name: ConfigMap identifier
  • Namespace: Current namespace
  • Labels: Key-value labels
  • Annotations: Metadata annotations
  • Created: Creation timestamp
2

Data

All key-value pairs stored in the ConfigMap:ConfigMap Data
  • Key: Configuration key name
  • Value: Configuration value (can be multi-line)
  • Size: Value size in bytes
Values are displayed with syntax highlighting for YAML, JSON, XML, and properties files
3

Usage Tracking

Shows which resources reference this ConfigMap:
  • Deployments: As volumes or environment variables
  • StatefulSets: Configuration mounts
  • DaemonSets: Node-specific config
  • Pods: Direct references
Click resource names to navigate to their detail pages
4

Events

Recent events related to this ConfigMap:
  • Created
  • Updated
  • Mounted by pod
  • Mount failures

Creating ConfigMaps

ConfigMaps can be created from:
Create from command-line literals:
kubectl create configmap app-config \
  --from-literal=database.host=postgres \
  --from-literal=database.port=5432 \
  --from-literal=log.level=info
Result:
data:
  database.host: postgres
  database.port: "5432"
  log.level: info

Using ConfigMaps

ConfigMaps can be consumed by pods in several ways:

As Environment Variables

Import all ConfigMap keys as environment variables:
envFrom:
- configMapRef:
    name: app-config
Creates one env var per key

As Volume Mounts

Mount ConfigMap as files in pod: 
volumes:
- name: config
  configMap:
    name: app-config
    items:  # Optional: select specific keys
    - key: application.yaml
      path: app-config.yaml

containers:
- name: app
  volumeMounts:
  - name: config
    mountPath: /etc/config
    readOnly: true
Files appear at:
  • /etc/config/application.yaml
  • /etc/config/database.host
  • /etc/config/database.port
ConfigMap updates propagate to mounted volumes after a delay (kubelet sync period). Pods don’t automatically restart - you must restart them to use new values.

Grid View

Alternative card-based layout for ConfigMaps: ConfigMap Grid View Card Contents:
  • ConfigMap name
  • Number of data keys
  • Age
  • Used by X resources (badge)
  • Quick actions menu
Benefits:
  • Better for browsing many ConfigMaps
  • Visual grouping by namespace
  • Quick access to most-used ConfigMaps

Secrets

What are Secrets?

Secrets store sensitive information like passwords, tokens, and keys. They’re similar to ConfigMaps but designed for confidential data.
Secrets are only base64-encoded, not encrypted. Use encryption at rest and RBAC to secure them properly.
Common Use Cases:
  • Database credentials
  • API keys and tokens
  • TLS certificates
  • SSH keys
  • Docker registry credentials
  • OAuth tokens

Secret Types

Generic secret for arbitrary data (default type)
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=  # base64 encoded
  password: cGFzc3dvcmQ=
TLS certificate and private key
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>
Used by Ingress for HTTPS
Docker registry credentials
apiVersion: v1
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-config>
Used in imagePullSecrets
Basic authentication credentials
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
type: kubernetes.io/basic-auth
data:
  username: <base64-username>
  password: <base64-password>
SSH private key
apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64-key>
ServiceAccount token (auto-created)Automatically created for each ServiceAccount

List View

Same table and grid views as ConfigMaps: Table Columns:
  • Name: Secret name
  • Type: Secret type (Opaque, TLS, etc.)
  • Data Keys: Number of keys
  • Age: Time since creation
  • Usage: Resources using this Secret
Secret values are never displayed in the list view for security

Detail View

1

Metadata

  • Name: Secret identifier
  • Type: Secret type
  • Namespace: Current namespace
  • Labels & Annotations: Metadata
  • Created: Creation timestamp
2

Data

Keys are displayed, but values are masked for security:Secret Data (Masked)
  • Key: Data key name
  • Value: •••••••• (masked)
  • Size: Value size in bytes
Secret values are intentionally hidden in Orphelix UI. Use kubectl to view them if needed.
3

Usage Tracking

Shows which resources reference this Secret (same as ConfigMaps)
4

Events

Secret-related events (creation, mounting, errors)

Creating Secrets

Create from command-line:
kubectl create secret generic db-secret \
  --from-literal=username=admin \
  --from-literal=password='S3cr3t!'

Using Secrets

As Environment Variables

env:
- name: DB_USERNAME
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: username
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: password
Environment variables are visible in pod spec. Use volume mounts for highly sensitive data.

As Volume Mounts

volumes:
- name: secrets
  secret:
    secretName: db-secret
    items:
    - key: username
      path: db-username
    - key: password
      path: db-password

containers:
- name: app
  volumeMounts:
  - name: secrets
    mountPath: /etc/secrets
    readOnly: true
Files appear at:
  • /etc/secrets/db-username
  • /etc/secrets/db-password

As ImagePullSecrets

For private container registries: 
spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - name: app
    image: registry.example.com/app:latest

Usage Tracking

Orphelix tracks which resources use each ConfigMap or Secret: Config Usage Tracking Tracking Information:
  • Resource Type: Deployment, StatefulSet, Pod, etc.
  • Resource Name: Specific resource using config
  • Mount Type: Environment variable or volume
  • Keys Used: Which keys are referenced
  • Path: Mount path (for volumes)
Benefits:
  • Identify unused ConfigMaps/Secrets
  • Find dependencies before deletion
  • Audit configuration usage
  • Plan configuration updates
Before deleting a ConfigMap/Secret, check the usage section to ensure no resources depend on it

Best Practices

Never store credentials in ConfigMaps - always use Secrets
Configure Kubernetes to encrypt Secrets in etcd:
# EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: <base64-key>
Limit who can read Secrets:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
Update secrets periodically and restart pods to use new values
Consider tools like:
  • AWS Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault
  • Google Secret Manager
With operators like External Secrets Operator
Create secrets in the same namespace as pods using them
Use labels/annotations to document secret purpose and key meanings

Troubleshooting

Pod Can’t Mount ConfigMap/Secret

Symptom: Pod stuck in ContainerCreating Check Events: 
MountVolume.SetUp failed: configmap "app-config" not found
Solutions:
  1. Verify ConfigMap/Secret exists: kubectl get configmap app-config
  2. Check namespace - must be same as pod
  3. Verify name spelling in pod spec
  4. Check RBAC permissions

Application Not Using Updated Config

Symptom: Config changes don’t take effect Reasons:
  1. Environment Variables: Don’t update automatically - must restart pod
  2. Volume Mounts: Update after sync period (up to 1 minute + cache TTL)
  3. Application Cache: App may cache config internally
Solutions:
  • Restart deployment: kubectl rollout restart deployment/app
  • Use ConfigMap/Secret update strategy with versioned names
  • Implement file watch in application

Secret Values Not Working

Symptom: Application authentication fails Check:
  1. Base64 Encoding: Ensure values are properly encoded 
    echo -n 'mypassword' | base64
# Result: bXlwYXNzd29yZA==
  2. No Trailing Newlines: Use echo -n to avoid newlines
  3. Special Characters: Quote complex passwords in manifests
  4. Key Names: Verify key names match application expectations

Next Steps

Deployments

See how to use ConfigMaps in deployments

Pods

View which pods use configurations

Topology

Visualize configuration relationships

GitHub Integration

Edit configs with GitOps workflow