0

I have a node.js application which is accessing environment variables like so:

```js
const pool = mysql.createPool({
  host: process.env.MYSQL_HOST,
  user: process.env.MYSQL_USER,
  port: process.env.MYSQL_PORT,
  password: process.env.MYSQL_PASSWORD,
  database: process.env.MYSQL_DB
});
```

The deployment is done via Kubernetes. Some of the environment variables, such as MYSQL_HOST and MYSQL_DB, are set in plain form; MYSQL_PASSWORD, however, is set via a secret. The problem is that the regular environment variables are read by my node.js application just fine while MYSQL_PASSWORD is not. But when I try to see the value of MYSQL_PASSWORD in the list of the environment variables in the container, it shows the correct value.

Here's how the environment variable in question is set in the deployment yaml:

```yaml
- name: MYSQL_PASSWORD
  valueFrom:
    secretKeyRef:
      key: MYSQL_PASSWORD
      name: config-secret
```

And again - the value is visible when I run the env command in the container, but for some reason the node.js application doesn't pick it up.

Does anybody have any clue why my app would read the regular environment variables without issues but fails to read the ones set as secrets?

Thanks.

cycero

3 Answers

2

The key should be the one you used in your secret. For example, if you have:

```sh
kubectl create secret generic config-secret --from-literal=username=user --from-literal=password=pw
```

You should use it as follows:

```yaml
- name: MYSQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: config-secret
      key: password
```

Note that the key is not the same as the env variable name. It should be the one used to set the secret's key.

Maroun

Thanks, @Maroun, but that's exactly how it's currently set. The key in the secret is also MYSQL_PASSWORD. And when I do `echo $MYSQL_PASSWORD` in the container - it shows the correct value. But for some reason the node.js app doesn't pick it up. – cycero Oct 26 '20 at 11:55

0

Check if you have encoded the password value correctly. Sometimes, you encode a "space" or "newline" character with the password as well and you end up having the wrong password.

Use the btoa() and atob() functions to encrypt and decrypt the password.

avadhut007
0

Probably there is some problem in your base64 encoding, especially in the padding characters "="; see "Why does a base64 encoded string have an = sign at the end". As an example, both the strings "QUJDREVGRw==" and "QUJDREVGRw" are decoded to "ABCDEFG", but Kubernetes is susceptible: the first is correct, the latter will result in an error!
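
A check for the two encoding problems raised in the answers above (a space or newline encoded into the value, and missing "=" padding), as an added example that is not part of any answer. The function names, key names and sample values are constructed for illustration.

```javascript
'use strict';

// Strict check: standard alphabet, length a multiple of 4, "=" padding present.
// Buffer.from(s, 'base64') alone is lenient and would accept "QUJDREVGRw".
function isCanonicalBase64(s) {
  return /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(s);
}

// Returns a list of findings for one key of a Secret's `data` map.
function auditSecretValue(key, encoded) {
  const findings = [];
  if (!isCanonicalBase64(encoded)) {
    findings.push(`${key}: not strictly valid base64 (missing padding or stray characters)`);
    return findings;
  }
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  if (/[\r\n]$/.test(decoded)) {
    findings.push(`${key}: decoded value ends with a newline`);
  } else if (decoded !== decoded.trim()) {
    findings.push(`${key}: decoded value has leading or trailing whitespace`);
  }
  return findings;
}

// Audits every key of a `data` map (key -> base64 string).
function auditSecretData(data) {
  return Object.entries(data).flatMap(([k, v]) => auditSecretValue(k, v));
}

// Constructed sample values (not taken from the question).
const sampleData = {
  GOOD: Buffer.from('s3cret').toString('base64'),       // clean value
  NEWLINE: Buffer.from('s3cret\n').toString('base64'),  // what `echo s3cret | base64` produces
  UNPADDED: 'QUJDREVGRw',                               // the answer's string without "=="
};

for (const line of auditSecretData(sampleData)) console.log(line);
```

When hand-encoding a value for a Secret's `data` field, `printf '%s' "$pw" | base64` avoids the trailing newline that plain `echo` adds.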