Lesson 11: Secrets and the twelve-factor principle
In the previous lesson we met the ConfigMap: a place to keep non-sensitive settings outside the image. But what do you do with a database password or an API token? Those are values not everyone should see, and they must certainly never be baked into the code or pushed to Git. That is what a Secret is for.
A ConfigMap is an open shelf everyone can see; a Secret is a locked drawer for private things. Just note what the lock actually is, because base64 is not it. Base64 only encodes the value so that arbitrary bytes fit in the manifest, and anyone who can read the manifest can decode it instantly with no key at all. The lock is the cluster's access control (RBAC): who is allowed to read Secret objects, and which Pods get them mounted or injected.
- Secret
- A Kubernetes object for storing sensitive data (passwords, tokens) separately from the image and the code. Values are stored base64-encoded; what protects them is access control (RBAC) and, optionally, encryption at rest in etcd, which is off unless the cluster operator configures it.
- Twelve-Factor
- A methodology for building cloud-native applications. One of its factors, config: store all configuration in the environment (environment variables), strictly separated from the code, so one and the same build runs unchanged in every environment.
- base64
- An encoding scheme that represents binary data as text. It is not encryption: anyone can decode base64 back to the original value with no key at all.
- ConfigMap
- An object for storing non-sensitive settings (key/value), injected into a container as environment variables or files. The "open" counterpart of a Secret.
- Environment Variable
- A named value available to a process at runtime. A common way to inject configuration — from a ConfigMap or a Secret — into the application without changing the code.
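A worked example, added here and not part of the lesson (the Secret name `db-credentials`, the key `password` and the password value are constructed sample data), that builds a Secret manifest the way `kubectl create secret generic --dry-run=client -o yaml` would, reads the password straight back out of it with nothing but `base64 -d`, and renders the `secretKeyRef` that injects it into a container as an environment variable:

```shell
#!/bin/sh
# Added example, not from the lesson: build a Secret manifest offline, decode it
# back without any key, and show the env-var injection. No cluster is needed.
# Secret name, key and password are constructed sample values.

set -eu

# Kubernetes wants each .data value as single-line base64. printf '%s' (not echo)
# keeps a trailing newline out of the password; tr strips the line wrapping that
# some base64 builds insert after 76 characters.
k8s_b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render a Secret manifest for NAME with a single data entry KEY=VALUE.
render_secret() {
    name="$1"; key="$2"; value="$3"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$key" "$(k8s_b64 "$value")"
}

# Read KEY out of a manifest on stdin and decode it. No key, no cluster, nothing
# but base64 -d: this is exactly what anyone with "get secrets" RBAC can do.
read_secret_key() {
    key="$1"
    sed -n "s/^  $key: //p" | base64 -d
}

# Render the Pod fragment that injects SECRET/KEY as environment variable VAR.
render_env_ref() {
    secret="$1"; key="$2"; var="$3"
    printf 'env:\n- name: %s\n  valueFrom:\n    secretKeyRef:\n      name: %s\n      key: %s\n' \
        "$var" "$secret" "$key"
}

# The echo pitfall: echo appends a newline, so a password encoded with it decodes
# one byte longer than what was typed, and logins start failing mysteriously.
echo_pitfall_len() {
    echo "$1" | base64 | base64 -d | wc -c | tr -d ' '
}

manifest=$(render_secret db-credentials password 'S3cr3t!pass')
printf '%s\n' "$manifest"
printf '\ndecoded straight from the manifest: '
printf '%s\n' "$manifest" | read_secret_key password
printf '\n\n'
render_env_ref db-credentials password DB_PASSWORD
printf '\nbytes decoded when encoded with echo instead of printf: %s\n' "$(echo_pitfall_len 'S3cr3t!pass')"
```

Piping the rendered manifest into `kubectl apply -f -` creates the Secret; `stringData:` instead of `data:` lets you skip the manual base64 step and have the API server encode for you. Either way the manifest is plaintext to anyone who can read it, so keep rendered Secret manifests out of Git, and treat RBAC on Secret objects and etcd encryption at rest as the real controls.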