Guides

Platform guide

Cloud-Native Configuration and Secrets: Secure, Observable, and Portable

External configuration is a Twelve-Factor principle; a usable cloud-native implementation adds ownership, validation, access control, rotation, and safe operational evidence.

Configuration tells a service where and how to run. Secrets authorize it to do so. Both change independently from application code, and both can cause an outage or data exposure when treated as incidental deployment details. The goal is not simply to put values in environment variables. It is to create an explicit, auditable contract between an application and its runtime.

Kubernetes ConfigMaps and Secrets are useful distribution mechanisms, but they are not a complete secret-management strategy. A Kubernetes Secret is encoded, not automatically encrypted end-to-end, and its security depends on API-server encryption configuration, RBAC, admission controls, node access, and the surrounding delivery pipeline.

Separate configuration by sensitivity and behavior

Classify every runtime value before choosing how to deliver it:

  • Public operational configuration: ports, log levels, feature defaults, regions, and non-sensitive endpoints.
  • Sensitive configuration: API keys, database passwords, signing material, OAuth client secrets, and private certificates.
  • Policy configuration: rate limits, cache behavior, allowed origins, and routing rules that can change security or latency behavior.
  • Identity configuration: workload identity, service account, role, audience, and trust domain.

This classification prevents two bad defaults: storing every value in source control because it is convenient, or treating every setting as a secret and making ordinary troubleshooting impossible. Use names that express intent, define acceptable formats and ranges, and document an owner for each value.

Make configuration a typed startup contract

Read configuration once during startup, parse it into a typed structure, and fail clearly for missing required values or invalid combinations. Redact sensitive names and values in errors. A service that silently substitutes an unsafe default may appear healthy while sending traffic to the wrong endpoint or disabling a critical control.

Keep configuration orthogonal. Prefer individual values such as PAYMENTS_TIMEOUT_MS and EDGE_CACHE_TTL_SECONDS over a single environment label with implicit behavior. Environment names are still useful for selecting a deployment, but they should not conceal the values that determine correctness.

Version configuration changes like code. Review high-impact changes, test them in a representative environment, and record which release used which configuration revision. When a latency regression follows a deployment, engineers need to distinguish a new image from a changed timeout, cache key, or upstream endpoint.

Use Kubernetes primitives with their limits in mind

Mount a ConfigMap or Secret as a volume when an application can reload file-based configuration safely. Environment variables are simple, but an already-running process does not receive a changed value. Volume-projected content may update eventually, but the application must detect and validate the change; never assume this makes every setting dynamically reloadable.

Avoid broad envFrom imports for production services. They make the effective contract invisible and allow an unrelated key to alter a runtime. Reference exact keys, scope configuration per workload, and avoid putting secrets in command-line arguments, annotations, labels, or debug endpoints.

Use namespaced RBAC and grant workloads only the ability to read the specific resources they need, ideally through a controller or external secret integration rather than direct broad API access. Limit who can read Secret objects, who can create pods that mount them, and who can inspect CI logs or deployment manifests. A subject that can create a pod with another workload's service account can often obtain that workload's access.

Base64 is encoding, not encryption

Kubernetes Secret data is base64-encoded in manifests. Protect it with encryption at rest for the API server, narrowly scoped RBAC, secure backups, and access reviews. Do not commit real Secret manifests or decoded values to a repository.

Prefer short-lived workload identity

Where your cloud platform supports it, let a workload authenticate as its own identity and exchange short-lived credentials for the resource it needs. This reduces the blast radius and rotation burden of long-lived static keys. Bind identity to the correct namespace and service account, constrain the audience and role, and test what happens when token renewal or the identity provider is unavailable.

Static secrets remain necessary for some systems. Keep them in a dedicated secrets manager, deliver them just in time where possible, rotate them on a tested schedule, and support overlapping credentials during rotation. A rotation that changes the server first and clients later can create a widespread availability event.

A safe rotation sequence

  1. Create a new credential with the minimum required permission.
  2. Distribute it through the approved secret path while retaining the old credential.
  3. Reload or roll workloads in controlled batches and verify authentication success, latency, and error rate.
  4. Revoke the old credential after all consumers have moved and the overlap window has elapsed.
  5. Audit access and document the result without recording secret material.

For TLS certificates, coordinate issuance, deployment, reload, and expiry monitoring. A certificate change at an ingress or edge may need a different procedure from an application-to-database credential.

Keep changes from becoming latency incidents

Configuration can create performance regressions. A lower connection-pool limit increases wait time; a shorter upstream timeout can turn slow requests into errors; an incorrect cache vary rule can leak personalized responses or destroy cache hit ratio. Define a latency and availability budget for critical values, test the values under load, and roll out changes progressively.

Keep origin endpoints private where possible and configure the edge-to-origin trust path independently from public client configuration. Do not distribute an origin address or bypass credential to browser code. When routing, caching, or failover configuration changes, validate cacheability, authorization, TLS, health checks, and request correlation from edge through origin.

Observe configuration without exposing it. Emit a configuration revision, release digest, feature flag state where non-sensitive, and secret version identifier or rotation timestamp where permitted. Do not log the actual secret, full connection string, authorization header, or signed URL. These identifiers make it possible to associate a rise in p99 latency or authentication failures with a change.

Common pitfalls

  • Secrets in images or Git history: deleting a file does not revoke a leaked key. Rotate it and scan image layers, repositories, CI artifacts, and logs.
  • One shared production secret: it prevents attribution and makes rotation risky. Issue separate credentials per service and environment.
  • Configuration reload without validation: a partially written or malformed value can break every replica. Validate before activation and retain the last known-good configuration when the application supports reload.
  • Debug access that reveals environment variables: process inspection, crash dumps, and support bundles can expose credentials. Redact by default and restrict diagnostic access.
  • Secrets available to every pod in a namespace: namespace isolation alone is not least privilege. Review RBAC and pod-creation rights together.

Operational checklist

For each service, document the complete configuration schema, sensitivity classification, source of truth, owner, consumer identity, rotation procedure, reload behavior, and monitoring signal. Test a missing value, invalid value, revoked credential, rotation overlap, secret-store outage, and rollback. Include the deployment system and backups in the threat model: a secure runtime cannot compensate for plaintext CI artifacts or overly broad cluster administration.

Authoritative references

Keep delivery configuration safe and measurable

Talk to Optimi about edge-to-origin configuration, caching controls, and resilient traffic-delivery architecture.

Review configuration architecture