kelseyhightower/konfig — explained in plain English
Analysis updated 2026-07-17 · repo last pushed 2024-02-29
Centralize secrets and config in a Kubernetes cluster and reference them from Cloud Run or Cloud Functions services.
Share the same database password between a GKE-hosted service and a serverless function without copying it around.
Store a JSON credentials file as a Kubernetes secret and have konfig write it to a temp file your app can read.
| kelseyhightower/konfig | adguardteam/urlfilter | kelseyhightower/kargo | |
|---|---|---|---|
| Stars | 116 | 113 | 123 |
| Language | Go | Go | Go |
| Last pushed | 2024-02-29 | 2026-06-25 | 2017-07-13 |
| Maintenance | Dormant | Active | Dormant |
| Setup difficulty | hard | hard | — |
| Complexity | 4/5 | 3/5 | — |
| Audience | ops devops | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires a running Kubernetes (GKE) cluster reachable from Cloud Run/Functions.
Konfig lets applications running on Google Cloud's serverless platforms, Cloud Run and Cloud Functions, pull configuration values and secrets from a Kubernetes cluster at runtime. Instead of duplicating config files or API keys across multiple services, you store them once in a Kubernetes cluster and reference them from your serverless workloads, which then automatically receive the actual values when they start up. The way it works is straightforward. You add a single import line to your application code, and behind the scenes the library intercepts the environment variables that were set when your service was deployed. When it sees a special reference string pointing to a Kubernetes configmap or secret, it reaches out to the cluster, fetches the actual value, and swaps it in. For file-based configs like a JSON database connection file, it can even write the contents to a temporary file and give your app the file path instead of the raw content. This is useful for teams already using Google Kubernetes Engine (GKE) who want a central place to manage secrets and configuration across both containerized and serverless workloads. For example, if you have a database password stored as a Kubernetes secret, both a traditional service running in GKE and a Cloud Run function can reference the same source of truth without you having to manage separate secret stores or copy values around. One notable design choice is that konfig reads environment variable definitions from the Cloud Run or Cloud Functions API rather than scanning the runtime environment directly. This avoids a common pitfall where other libraries might set or modify environment variables before konfig runs, which could cause confusion. It also means the GKE cluster is used purely as a storage layer, the tutorial even shows you can delete the cluster's compute nodes after setup, since only the Kubernetes API server is needed to serve config and secret lookups.
Konfig lets serverless apps on Google Cloud Run and Cloud Functions pull config values and secrets from a Kubernetes cluster at runtime, so teams store them once and reuse them everywhere.
Mainly Go. The stack also includes Go, Kubernetes, Cloud Run.
Dormant — no commits in 2+ years (last push 2024-02-29).
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.