Lesson 6 · Workloads, config & networking
ConfigMaps & Secrets
Getting configuration and credentials into a Pod — without baking them into the image.
Your win: explain what ConfigMaps and Secrets are, the two ways to consume them (env vars vs mounted files), the crucial caveat that Secrets aren't encrypted by default — and how this repo closes that gap with SOPS.
Config belongs outside the image
Course 1's env×org model made the rule concrete: one image runs in every cell, and only the config differs. Kubernetes gives you two objects to inject that config at runtime:
- ConfigMap — non-sensitive config as key-value pairs (URLs, flags, tuning).1
- Secret — the same shape, but for sensitive data (passwords, keys, tokens).2
Either can be consumed two ways: as environment variables (Lesson 3's env, Course 1 L3) or as files mounted into the container via a volume.
How this repo does it — SOPS, decrypted in-process
{svc}.common.config.yaml plus the per-vendor/env
{svc}.config.yaml (the env×org values from Course 1). Secrets come from
_secret.tpl:9 (type: Opaque), built from
SOPS-encrypted files matched by secrets/{vendor}/{env}/*.encrypted.yaml (:31-33).
--secretsPath=…encrypted.yaml
(_workload_containers.tpl:36) so it
decrypts SOPS in-process at startup, authenticating to GCP KMS via
Workload Identity. (Only Hasura uses a SOPS init container.) So the plaintext never
lands in etcd or a file — the K8s Secret gap is sidestepped entirely. The mechanics of SOPS
are Course 3.
Kubernetes docs — ConfigMaps & Secrets
How each is defined, the env-var vs mounted-file consumption models, and the base64/at-rest caveats for Secrets.
Check yourself (from memory)
Q1. A Kubernetes Secret, by default, is…
Q2. The two ways to consume a ConfigMap/Secret in a Pod are…
Q3. In this repo, the app's secrets are…
--secretsPath). No sidecar, no plaintext at rest.
_configmap.tpl:9 (common + env×org config); Secret from
_secret.tpl:9 (Opaque) built from SOPS-encrypted
*.encrypted.yaml. TWIST: no decrypt sidecar for the app — the encrypted file is
mounted read-only and the server is passed --secretsPath and DECRYPTS SOPS
IN-PROCESS via GCP KMS/Workload Identity, so plaintext never hits etcd/disk. A config/secret
CHECKSUM annotation on the pod template auto-rolls pods on change.envFrom and a projected volume, or how
Workload Identity lets the pod reach KMS without keys? Ask me.
2. Kubernetes — Secrets (base64, at-rest caveats).