
I know you can use ConfigMap properties as environment variables in the pod spec, but can you use environment variables declared in the pod's spec inside the configmap?

For example:

I have a secret password which I wish to access in my configmap application.properties. The secret looks like so:

    apiVersion: v1
    data:
      pw: THV3OE9vcXVpYTll==
    kind: Secret
    metadata:
      name: foo
      namespace: foo-bar
    type: Opaque

So inside the pod spec I reference the secret as an env var. The configMap will be mounted as a volume from within the spec:

    env:
      - name: PASSWORD
        valueFrom:
          secretKeyRef:
            name: foo
            key: pw
...

and inside my configMap I can then reference the secret value like so:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: application.properties
      namespace: foo-bar
    data:
      # "|" starts a literal block scalar holding the file contents
      application.properties: |
        secret.password=$(PASSWORD)

Anything I've found online is just about consuming configMap values as env vars and doesn't mention consuming env vars in configMap values.

grinferno
  • Why do you want to copy value from your secret to configmap? You can also mount your secret into the pod directly. Can you elaborate your use case a bit? – Anmol Agrawal Feb 18 '20 at 13:04
  • @anmolagrawal I wish to pass in sensitive values into my configmap securely – grinferno Feb 18 '20 at 13:16
  • Keeping sensitive information in configmap is not a good practice. You always use secret for that. Sorry, but I still don't understand the use case. – Anmol Agrawal Feb 18 '20 at 13:17
  • @anmolagrawal ok, not sure how I can make it any clearer but thanks for your comment. – grinferno Feb 18 '20 at 14:52

1 Answer


Currently it's not a Kubernetes Feature.

There is a closed issue requesting this feature, and it's kind of a controversial topic because the discussion is ongoing many months after being closed: Reference Secrets from ConfigMap #79224

Referencing the closing comment:

Best practice is to not use secret values in envvars, only as mounted files. if you want to keep all config values in a single object, you can place all the values in a secret object and reference them that way. Referencing secrets via configmaps is a non-goal... it confuses whether things mounting or injecting the config map are mounting confidential values.

I suggest you read the entire thread to understand his reasons and maybe find another approach for your environment to get these variables.


"OK, but this is Real Life, I need to make this work"

Then I recommend this workaround:

Import Data to Config Map from Kubernetes Secret

It makes the substitution with a shell in the entrypoint of the container.

Will R.O.F.
  • Thanks for this, and for the "Real Life" subsection. Unfortunately the code we're working with is hardcoded to look for secret values from within the app.properties files, so unfortunately we need this workaround. – grinferno Feb 18 '20 at 17:04
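
The entrypoint substitution the answer describes, as an added example (not code from the linked workaround or from either poster). It assumes the ConfigMap is mounted read-only at a hypothetical /config, a writable emptyDir at a hypothetical /work, and PASSWORD injected through secretKeyRef as in the question. The replacement is literal, so characters such as & or / in the password survive, and the rendered file is created owner-only.

```sh
#!/bin/sh
# Added example: render a properties template at container start.
# Hypothetical entrypoint usage (paths are assumptions, not from the page):
#   render_properties /config/application.properties /work/application.properties \
#     && unset PASSWORD && exec "$@"

render_properties() {
    template=$1   # read-only file from the ConfigMap volume
    output=$2     # destination on a writable volume (e.g. emptyDir)

    # Fail closed: never write a config that still holds the placeholder.
    if [ -z "${PASSWORD:-}" ]; then
        echo "render_properties: PASSWORD is not set" >&2
        return 1
    fi

    (
        # Owner-only permissions for the file that will contain the secret.
        umask 077
        # The secret reaches awk through its environment, not argv, so it
        # does not show up in the process list. index()/substr() do a
        # literal replacement; sed would misread & / \ in the password.
        PASSWORD="$PASSWORD" awk '
            BEGIN { needle = "$(PASSWORD)"; secret = ENVIRON["PASSWORD"] }
            {
                line = $0; out = ""
                while ((i = index(line, needle)) > 0) {
                    out = out substr(line, 1, i - 1) secret
                    line = substr(line, i + length(needle))
                }
                print out line
            }
        ' "$template" > "$output"
    )
}
```

The application must then be pointed at the rendered file rather than the ConfigMap mount, since ConfigMap volumes are read-only.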