Concatenating values from a ConfigMap and a Secret
Introduction
In Kubernetes, combining values from a ConfigMap and a Secret is a common requirement, for example when a database connection string has to be built from a non-secret host name and a secret password. Manifest field values are never run through a shell, so shell syntax such as `${VAR}` in an `env.value` entry is passed to the container literally. Kubernetes does support one limited form of composition: a `$(VAR_NAME)` reference in `env.value`, `command` or `args` is replaced with the value of an environment variable defined earlier in the same container's `env` list, and an unresolvable reference is left as literal text. Anything beyond plain substitution (encoding, validation, conditional logic) is handled the usual way: inject the ConfigMap and Secret values as separate environment variables and compose them at container startup.
Inject ConfigMap and Secret Values Separately
First, load each value into its own environment variable.
This keeps secret and non-secret configuration clearly separated.
Compose Values in the Startup Command
Build the final value at runtime in the shell command or entrypoint script. When the command is an inline `sh -c` string, remember that Kubernetes expands `$(VAR)` in `command` and `args` before the shell ever sees them; use shell-style `${VAR}` for variables the shell should expand, and write `$$(VAR)` if a literal `$(VAR)` must reach the shell.
Do not print raw secrets in logs. If the composed value is logged for startup diagnostics, mask the secret part first, and print even the masked form only while debugging.
Use an Entrypoint Script for Complex Logic
For larger applications, put composition logic in a script file. This keeps manifests readable and easier to review.
Mount the script from your image or a ConfigMap and use it as the container command. A script served from a ConfigMap volume is not executable by default, so set `defaultMode` (for example `0555`) on the volume, or invoke it as `sh /path/to/script.sh`.
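The following is an added example (not code from the original page) covering the three steps above: the manifests inject each ConfigMap and Secret key as its own environment variable, and `/entrypoint.sh` composes the connection string, masks it for the startup log and then hands control to the application. The object names `app-config` and `app-db-credentials`, the key names, the image and the path `/entrypoint.sh` are assumptions for the illustration; the Secret value is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): ConfigMap and Secret values are
# injected as separate environment variables and /entrypoint.sh composes the
# connection string before starting the app. Object names, key names, the
# image and the path /entrypoint.sh are assumptions for the illustration.
set -eu

# Manifests: non-secret settings in a ConfigMap, the password in a Secret,
# each key mapped to its own environment variable (pipe to kubectl apply -f -).
manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata: {name: app-config}
data: {DB_HOST: db.internal, DB_USER: orders_app, DB_NAME: orders}
---
apiVersion: v1
kind: Secret
metadata: {name: app-db-credentials}
type: Opaque
stringData: {DB_PASSWORD: "s3cr3t-p@ss"}   # constructed value for the example
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: orders}
spec:
  replicas: 1
  selector: {matchLabels: {app: orders}}
  template:
    metadata: {labels: {app: orders}}
    spec:
      containers:
      - name: orders
        image: example.com/orders:1.0
        command: ["/entrypoint.sh", "/app/server"]   # script below, baked into the image
        env:
        - {name: DB_HOST, valueFrom: {configMapKeyRef: {name: app-config, key: DB_HOST}}}
        - {name: DB_USER, valueFrom: {configMapKeyRef: {name: app-config, key: DB_USER}}}
        - {name: DB_NAME, valueFrom: {configMapKeyRef: {name: app-config, key: DB_NAME}}}
        - {name: DB_PASSWORD, valueFrom: {secretKeyRef: {name: app-db-credentials, key: DB_PASSWORD}}}
EOF
}

# ---- /entrypoint.sh ------------------------------------------------------

# Fail fast if an input is missing instead of starting with a half-built URL.
require_var() {
  eval "v=\${$1:-}"
  [ -n "$v" ] || { echo "entrypoint: required variable $1 is not set" >&2; return 1; }
}

# Percent-encode the password (ASCII): '@', ':' or '/' in it would otherwise
# be parsed as URL structure. Pure POSIX sh, one character at a time.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the connection string from the separately injected variables.
compose_db_url() {
  for name in DB_HOST DB_NAME DB_USER DB_PASSWORD; do
    require_var "$name" || return 1
  done
  printf 'postgres://%s:%s@%s/%s' "$DB_USER" "$(urlencode "$DB_PASSWORD")" "$DB_HOST" "$DB_NAME"
}

# Replace the password in a URL with *** so the URL is safe to log.
mask_db_url() {
  printf '%s' "$1" | sed -E 's#(://[^:/@]*):[^@]*@#\1:***@#'
}

main() {
  DB_URL=$(compose_db_url) || exit 1
  export DB_URL
  echo "entrypoint: connecting with $(mask_db_url "$DB_URL")" >&2   # masked, never raw
  exec "$@"   # replace the shell so the app becomes PID 1 and receives SIGTERM directly
}

# Only act as an entrypoint when invoked under that name; the functions can
# otherwise be sourced and exercised on their own.
case ${0##*/} in entrypoint.sh) main "$@" ;; esac
```

Two points matter beyond the concatenation itself: the password is percent-encoded before it goes into the URL, because a `@` or `/` in a credential silently breaks URL parsing, and the composed value is only ever logged through `mask_db_url`. For a plain substitution with no encoding, `value: "postgres://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST)/$(DB_NAME)"` in the `env` list (after the four referenced variables) would also work.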
Alternative: Projected Volume and App-Side Composition
Another approach is mounting the ConfigMap and Secret as files (a projected volume puts both under one directory) and letting the app combine them at runtime. This avoids shell-specific behavior and keeps the logic in application code. It also helps with rotation: the kubelet refreshes the files of a mounted Secret after the Secret changes (not for `subPath` mounts), so an app that re-reads them picks up a new password without a restart.
This is useful when startup logic is complex or multiple services share the same composition rule.
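As an added example (not code from the original page), the following projects a ConfigMap and a Secret into one directory and composes the connection string from those files at runtime. The shell reader stands in for the application's own code; the mount path `/etc/app`, the key names, the image and the sample values are assumptions, and the password is assumed to contain no URL-reserved characters.

```shell
#!/bin/sh
# Added example (not from the original page): ConfigMap and Secret keys are
# projected into one directory as files and the consumer composes the
# connection string from those files on every use. Mount path, key names,
# image and sample values are assumptions for the illustration.
set -eu

# Pod spec: one projected volume with a ConfigMap source and a Secret source,
# mounted read-only; defaultMode keeps the files from being world-readable.
manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: orders}
spec:
  containers:
  - name: orders
    image: example.com/orders:1.0
    volumeMounts: [{name: app-settings, mountPath: /etc/app, readOnly: true}]
  volumes:
  - name: app-settings
    projected:
      defaultMode: 0440
      sources:
      - configMap:
          name: app-config
          items: [{key: DB_HOST, path: db_host}, {key: DB_USER, path: db_user}]
      - secret:
          name: app-db-credentials
          items: [{key: DB_PASSWORD, path: db_password}]
EOF
}

# Read one projected key. Command substitution strips trailing newlines, which
# values created with --from-file usually carry and which must not end up in the URL.
read_key() {
  f="$1/$2"
  [ -r "$f" ] || { echo "config: missing key $2 (expected file $f)" >&2; return 1; }
  v=$(cat "$f")
  printf '%s' "$v"
}

# Compose on every call rather than caching: the kubelet rewrites the projected
# files after a Secret rotation, so a fresh read sees the new password.
compose_db_url() {
  dir=${1:-/etc/app}
  host=$(read_key "$dir" db_host) && user=$(read_key "$dir" db_user) \
    && pass=$(read_key "$dir" db_password) || return 1
  printf 'postgres://%s:%s@%s/orders' "$user" "$pass" "$host"
}

# Constructed stand-in for the mounted directory so this runs offline.
make_sample_mount() {
  d=$(mktemp -d)
  printf 'db.internal\n' > "$d/db_host"       # --from-file style, trailing newline
  printf 'orders_app' > "$d/db_user"          # --from-literal style, no newline
  printf 'hunter2\n' > "$d/db_password"       # constructed test value
  printf '%s' "$d"
}
```

Reading through the mount path (rather than resolving the `..data` symlink the kubelet uses for atomic updates) is what makes the rotation case work: after the Secret changes, the same path yields the new content.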
Security and Rotation Considerations
Keep Secret data minimal and rotate credentials regularly. Environment variables are resolved once when the container is created, so a rotated Secret only reaches a pod that takes it through `env` after the container restarts; plan the rollout accordingly. If your platform syncs from an external secret manager, sync only the keys a workload needs, into the namespace that needs them, rather than mirroring the whole store into the cluster. Ensure RBAC limits who can `get` and `list` Secret objects (and remember that anyone who can create pods in a namespace can mount that namespace's Secrets), enable encryption at rest for Secrets in etcd, and avoid embedding combined connection strings into ConfigMaps, because ConfigMaps are usually readable by a much broader audience than Secrets.
Init Container Pattern for Derived Values
If multiple containers in a pod need the same derived value, use an init container to compose it once and write it to a file on a shared `emptyDir` volume, for example `/config/runtime.env`.
Main containers then read `/config/runtime.env` consistently, which avoids duplicate composition logic in multiple entrypoints. Because the main containers typically source that file, the init container must write values in shell-safe quoted form, and the file should be created with restrictive permissions.
Document this contract so platform and application teams keep configuration responsibilities aligned.
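The init container pattern as an added example (not code from the original page): the init container composes `DB_URL` once, writes it atomically with `0600` permissions to a memory-backed `emptyDir`, and the main container sources the file. Object names, the image names, `/compose.sh` and `/config/runtime.env` are assumptions; the password is assumed to contain no URL-reserved characters. The point to notice is `shell_quote`: a secret that contains quotes, spaces or `$` would otherwise be interpreted as shell syntax when the file is sourced.

```shell
#!/bin/sh
# Added example (not from the original page): an init container composes the
# derived value once and writes it to a shared emptyDir; the main container
# sources the file. Names (/config/runtime.env, /compose.sh, app-config,
# app-db-credentials, the images) are assumptions for the illustration.
set -eu

# Pod spec: both containers share the emptyDir and run as the same uid, so the
# 0600 file written by the init container is readable by the main container.
manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: orders}
spec:
  securityContext: {runAsUser: 10001, runAsNonRoot: true}
  volumes:
  - name: runtime-config
    emptyDir: {medium: Memory}     # keep the derived secret off the node's disk
  initContainers:
  - name: compose-config
    image: example.com/orders-tools:1.0   # assumed image carrying this script
    command: ["/compose.sh", "/config/runtime.env"]
    env:
    - {name: DB_HOST, valueFrom: {configMapKeyRef: {name: app-config, key: DB_HOST}}}
    - {name: DB_USER, valueFrom: {configMapKeyRef: {name: app-config, key: DB_USER}}}
    - {name: DB_PASSWORD, valueFrom: {secretKeyRef: {name: app-db-credentials, key: DB_PASSWORD}}}
    volumeMounts: [{name: runtime-config, mountPath: /config}]
  containers:
  - name: orders
    image: example.com/orders:1.0
    command: ["/bin/sh", "-c", ". /config/runtime.env && exec /app/server"]
    volumeMounts: [{name: runtime-config, mountPath: /config, readOnly: true}]
EOF
}

# Quote a value so it survives being sourced: wrap in single quotes and turn
# every embedded single quote into the '\'' sequence.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# What /compose.sh does: compose, then write atomically with 0600 permissions.
write_runtime_env() {
  dest=$1
  : "${DB_HOST:?}" "${DB_USER:?}" "${DB_PASSWORD:?}"   # fail fast on a missing input
  tmp="$dest.tmp.$$"
  ( umask 077
    {
      printf 'DB_URL=%s\n' "$(shell_quote "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/orders")"
      printf 'export DB_URL\n'
    } > "$tmp" )
  mv "$tmp" "$dest"   # rename is atomic: a reader sees the old file or the complete new one
}

# What the main container does: source the file and use the variable.
load_runtime_env() {
  . "$1"
  printf '%s' "$DB_URL"
}
```

Because init containers run to completion before the main containers start, the ordering problem mentioned under Common Pitfalls (an app reading configuration before composition has happened) cannot occur with this layout.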
Common Pitfalls
A frequent pitfall is writing `${VAR}` or `$VAR` in an `env.value` field and expecting shell expansion; manifest values are never run through a shell, and the only expansion Kubernetes performs is `$(VAR)` for an environment variable defined earlier in the same `env` list, so a reference to a variable defined later, or to an unknown name, is left as literal text. Another issue is storing concatenated secret-containing values in ConfigMaps, which weakens separation and access control. Teams also sometimes echo full connection strings during startup diagnostics, exposing credentials in logs. Finally, if an app reads values before entrypoint composition runs, configuration may appear missing. Ensure initialization order is explicit and tested.
Summary
- Kubernetes does not run manifest values through a shell; the only built-in composition is `$(VAR)` substitution of environment variables defined earlier in the same container.
- Inject values separately and compose them at startup.
- Use entrypoint scripts for readable and reusable composition logic.
- Prefer app-side composition when logic is complex.
- Protect secrets by avoiding raw logging and loose access policies.

