Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Cloud Stackland
  • What's new
  • Installation
    • All tutorials
    • Installing Stackland on Yandex BareMetal
    • Installing Stackland on Yandex Cloud VMs
    • Setting up external access to a pod in a cluster
    • All guides
      • Injecting secrets into environment variables
      • Injecting secrets via ConfigMap
      • Secrets Store diagnostics
    • Projects
    • Resource model
  • Access management
  • Pricing policy
  • Diagnostics and troubleshooting

In this article:

  • Getting started
  • Create a namespace and ServiceAccount
  • Configure a role in Secrets Store
  • Create a ConfigMap with secret references
  • Prepare the deployment
  • Apply the manifests
  • Check the result
  • Multiple ConfigMap directories
  • Diagnostics
  1. Step-by-step guides
  2. Secrets Store
  3. Injecting secrets via ConfigMap

Secret injection via ConfigMap (ConfigMap mode)

Written by
Yandex Cloud
Updated at June 24, 2026
View in Markdown
  • Getting started
  • Create a namespace and ServiceAccount
  • Configure a role in Secrets Store
  • Create a ConfigMap with secret references
  • Prepare the deployment
  • Apply the manifests
  • Check the result
  • Multiple ConfigMap directories
  • Diagnostics

This guide explains how to configure secret injection from Secrets Store into configuration files using ConfigMap mode in Secrets Injector.

In ConfigMap mode, the injector runs as an init container. It processes the pod's ConfigMap, replaces secret references with actual values, and writes the resulting files to the /secrets directory. The main container then reads the fully populated configuration files from this location.

Getting startedGetting started

  1. Make sure the Secrets Store component is installed and active in the cluster.
  2. In Secrets Store, secrets required by your application are already created.

Create a namespace and ServiceAccountCreate a namespace and ServiceAccount

Create a namespace for your application (if not already created):

kubectl create namespace myapp-namespace

Create a ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: myapp-namespace
kubectl apply -f serviceaccount.yaml

Configure a role in Secrets StoreConfigure a role in Secrets Store

Configure a Secrets Store role with access to the required paths and bind it to the created ServiceAccount.

Create a ConfigMap with secret referencesCreate a ConfigMap with secret references

In the ConfigMap key values, specify secret references in secrets:<path>#<key> format.

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: myapp-namespace
data:
  database.yaml: |
    host: postgres.example.com
    port: 5432
    username: myapp
    password: secrets:secret/data/myapp/database#password
  app.yaml: |
    log_level: info
    api_token: secrets:secret/data/myapp/api#token
kubectl apply -f configmap.yaml

Prepare the deploymentPrepare the deployment

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: myapp-namespace
data:
  database.yaml: |
    host: postgres.example.com
    port: 5432
    username: myapp
    password: secrets:secret/data/myapp/database#password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        secrets.stackland.yandex.cloud/render-configmap: "true"
        secrets.stackland.yandex.cloud/role: "myapp"
    spec:
      serviceAccountName: myapp-sa
      containers:
        - name: app
          image: myapp:latest
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          volumeMounts:
            - name: app-config
              mountPath: /config
      volumes:
        - name: app-config
          configMap:
            name: app-config

Key requirements:

  • The secrets.stackland.yandex.cloud/render-configmap: "true" annotation enables ConfigMap mode.
  • The secrets.stackland.yandex.cloud/role annotation specifies the Secrets Store role.
  • The annotations must be placed under spec.template.metadata.annotations (in the pod template).
  • The ConfigMap is mounted to the directory specified in configmap-mounts (which is /config by default).
  • The volume for final secret-populated files is automatically added by the webhook and mounted to /secrets.

Apply the manifestsApply the manifests

kubectl apply -f deployment.yaml

Check the resultCheck the result

# Check the pod status
kubectl get pods -n myapp-namespace

# Check the injector's init container logs
kubectl logs <pod_name> -n myapp-namespace -c stackland-secrets-injector

# Inspect the contents of `/secrets` inside the pod
kubectl exec -n myapp-namespace <pod_name> -- ls /secrets
kubectl exec -n myapp-namespace <pod_name> -- cat /secrets/database.yaml

The /secrets directory will contain files named after the ConfigMap keys, with the secrets' values fetched. File access permissions are set to 0600.

Multiple ConfigMap directoriesMultiple ConfigMap directories

If multiple ConfigMap volumes are mounted across a number of directories, provide a comma-separated list of their mount paths:

annotations:
  secrets.stackland.yandex.cloud/configmap-mounts: "/config/app,/config/db,/etc/config"

Warning

The name:/path format is not supported; specify only directory paths.

DiagnosticsDiagnostics

If secrets are not injected, see Secrets Store diagnostics.

Was the article helpful?

Previous
Injecting secrets into environment variables
Next
Secrets Store diagnostics
© 2026 Direct Cursus Technology L.L.C.