Chapter 15 · Initiate Tutorials

Ingress, Config, and Secrets

Gates and vaults: expose carefully, configure clearly, and treat secrets as hazardous material.

Ingress basics

Ingress is a contract interpreted by a controller.

Ingress objects define routes for HTTP(S) traffic, but they only take effect when an Ingress Controller (e.g., NGINX Ingress, Traefik) is running in your cluster. Without a controller, Ingress rules do nothing.

Ingress example

yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
spec:
  ingressClassName: nginx
  rules:
    - host: example.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80

ConfigMaps

Non-secret configuration that can be mounted or injected as env vars.

ConfigMap example

yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
  FEATURE_FLAG_NEW_UI: "false"

ConfigMaps are not encrypted. Treat them as non-sensitive, or use them only for configuration that is safe to disclose.

Secrets (with caveats)

Sensitive configuration that must still be handled carefully.

Kubernetes Secrets are base64-encoded; encryption at rest depends on your cluster configuration. Do not assume Secrets are “safe” by default. Avoid committing them to Git. Use external secret managers when appropriate.

Secret example (stringData)

yaml

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
stringData:
  DATABASE_URL: "postgres://user:password@db:5432/app"
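
A pre-commit style check for the two caveats above, added here as an example and not part of the original tutorial: it finds `kind: Secret` documents in manifest text and shows that values under `data` decode with plain base64. The line-based parsing assumes simple block-style manifests like the ones on this page; the function name, the `api-token` Secret and its value are constructed for illustration.

```python
import base64
import re

# Constructed sample: the page's stringData Secret, a base64 `data` Secret, a ConfigMap.
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
stringData:
  DATABASE_URL: "postgres://user:password@db:5432/app"
---
apiVersion: v1
kind: Secret
metadata:
  name: api-token
data:
  TOKEN: czNjcjN0LXRva2Vu
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
"""

def find_inline_secrets(manifest_text):
    """Return (secret_name, key, plaintext) for each value embedded in a Secret manifest."""
    findings = []
    for doc in re.split(r"^---\s*$", manifest_text, flags=re.M):
        if not re.search(r"^kind:\s*Secret\s*$", doc, flags=re.M):
            continue  # ConfigMaps and other kinds are not checked here
        name, section = "<unnamed>", None
        for line in doc.splitlines():
            entry = re.match(r"^\s+([\w.-]+):\s*(\S.*)$", line)
            if re.match(r"\S", line):  # an unindented key opens a new top-level section
                section = line.split(":", 1)[0]
            elif entry and section == "metadata" and entry.group(1) == "name":
                name = entry.group(2).strip("\"' ")
            elif entry and section in ("data", "stringData"):
                value = entry.group(2).strip("\"' ")
                if section == "data":  # base64 is an encoding: decoding needs no key
                    value = base64.b64decode(value).decode("utf-8", "replace")
                findings.append((name, entry.group(1), value))
    return findings
```

Run it over staged manifest files in a pre-commit hook and fail the commit when the returned list is non-empty.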