Make nginx configurable with kubernetes secret?

Question

I have a working openresty with lua-resty-openidc as ingress controller. Now, the nginx.conf is hardcoded in my image, with something like this :

    server {
        server_name  _;
        listen       80;

        location /OAuth2Client {
            access_by_lua_block {
                local opts = {
                    discovery = "/.well-known/openid-configuration",
                    redirect_uri = "/authorization-code/callback",
                    client_id = "clientID",
                    client_secret = "clientSecret",
                    scope = "openid profile somethingElse",
                }
    ...
            }
            proxy_pass http://clusterIp/OAuth2Client;
        }
    }

As Nginx doesn't accept environment variables, is there a simple way to make my nginx.conf configurable, for ex

    server {
        server_name  ${myServerName};
        listen       ${myServerPort};

        location /${specificProjectRoot} {
            access_by_lua_block {
                local opts = {
                    discovery = "${oidc-provider-dev-url}/.well-known/openid-configuration",
                    redirect_uri = "${specificProjectRoot}/authorization-code/callback",
                    client_id = "${myClientId}",
                    client_secret = "${myClientSecret}",
                    scope = "${myScopes}",
                }
    ...
            }
            proxy_pass http://${myClusterIP}/${specificProjectRoot};
        }
    }

so that whatever team in whatever namespace could reuse my image and just provide a kubernetes secret containing their specific config for their project ?

What if you create a "start_script.sh" to run whenever your nginx is started? In the script you can use the environment variables and using `sed` you can replace the values in your nginx.conf. something like that: `sed -i -e "s,\${myServerName},$SERVER_NAME," /etc/nginx/nginx.conf` — Juliano Costa, Apr 09 '20 at 08:58

score 2 · Accepted Answer · answered Apr 09 '20 at 12:11

You would need to render the nginx.conf from a templated version at runtime (as Juliano's comment mentions). To do this, your Dockerfile could look something like this:

FROM nginx
COPY nginx.conf.template /etc/nginx/
CMD ["/bin/bash", "-c", "envsubst < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]

Notice that it copies nginx.conf.template into your image, this would be your templated config with variables in the form ${MY_SERVER_NAME} where MY_SERVER_NAME is injected into your pod as an environment variable via your Kubernetes manifest, from your configmap or secret or however you prefer.

score 0 · Answer 2 · answered Jun 20 '22 at 07:11

While envsubst is a good workaround to connect Kubernetes objects with container files, Kubernetes native ConfigMaps are designed precisely for this purpose: passing non-sensitive key-value data to the container, including entire files like your nginx.conf.

Here's a working example (in the question AND answer) of a ConfigMap and Deployment pair specifically for NGINX:

Custom nginx.conf from ConfigMap in Kubernetes

Make nginx configurable with kubernetes secret?

2 Answers2