feat: Add Kubernetes ConfigMap and Secret backend support #334
Description
Summary
Add native Kubernetes ConfigMap and Secret support as a configuration backend.
Motivation
Currently using confd in Kubernetes requires:
- Mounting ConfigMaps/Secrets as volumes
- Using the file backend to watch mounted paths
- Or running a separate service to sync to etcd/Consul
Native Kubernetes support would:
- Simplify Kubernetes deployments
- Enable watching ConfigMaps/Secrets directly via Kubernetes API
- Remove the need for intermediate storage backends
- Support multi-namespace configurations
Proposed Implementation
Backend Configuration
[kubernetes]
# Optional: defaults to in-cluster config
kubeconfig = "/path/to/kubeconfig"
namespace = "default"
# Optional: for multi-namespace support
namespaces = ["default", "production"]Flags:
--kubernetes(enable backend)--kubernetes-kubeconfig--kubernetes-namespace
Key Format
# ConfigMaps
/configmaps/{namespace}/{name}/{key}
# Secrets (base64 decoded automatically)
/secrets/{namespace}/{name}/{key}
Example template:
{{ getv "/configmaps/default/myapp-config/database_url" }}
{{ getv "/secrets/default/myapp-secrets/api_key" }}
Watch Mode
Use Kubernetes Watch API for real-time updates:
- Watch ConfigMap changes
- Watch Secret changes
- Efficient long-polling with resourceVersion
Authentication
Support multiple authentication methods:
- In-cluster ServiceAccount (default)
- Kubeconfig file
- Token-based authentication
Considerations
- RBAC permissions required for ConfigMap/Secret read access
- Binary secret data handling
- Large ConfigMap support (1MB limit)
- Connection handling for long-running watches