-1

i have simple logstash deployment and I like to store the sensitive passwords in secret in Kubernetes i will use secrets and i want to pull it from env vars into the logstash config. the problem is that i need to get the variables in ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-config
  namespace: elastic-foo
data:
  logstash.yml: |
    http.host: "0.0.0.0"
    path.config: /usr/share/logstash/pipeline
  logstash.conf: |
    # all input will come from filebeat, no local logs
    input {
      s3 {
        "access_key_id" => ${access_key_id_pass}
        "secret_access_key" => ${secret_access_key_pass}
      }
    }
    filter {
    }
    output {
      stdout { codec => rubydebug }
      elasticsearch {
        index => "logstash-%{[@metadata]}"
        hosts => [ "http://xxxxxxxxx.svc:9200" ]
        user => ${user_name}
        password => ${password_pass}
      }
    }

This is the secrets yml:

apiVersion: v1
kind: Secret
metadata:
  name: elastic-secret
  namespace: elasticxxxx
stringData:
  elasticsearch-password: xxxxx
  elasticsearch-user: xxxx
  access-key-id: xxxx
  secret-access-key: xxxxx

This example doesn't work, i have the passwords in kube scerts and the environment variables are there in the container.

user63898
  • 29,839
  • 85
  • 272
  • 514
  • 1
    Just to clarify, you have kubernetes secrets with aws access keys and now you are trying to refer this secrets as an env var inside configmap. Correct? – mchawre Jan 17 '21 at 12:10
  • yes this is what i need i updated the question – user63898 Jan 17 '21 at 12:26

1 Answers1

3

It is possible to reference one environment variable in another provided that the one which is referenced is declared before the one which references it. Kubernetes has nothing to do with the resolution. The resolution takes place in the container (see here).

AFAIK it currently is not possible to reference a Secret from a ConfigMap. What you could try to do is either reference one after another in your Deployment with envFrom.

kind: Deployment
spec:
  spec:
    containers:
    - name: container-name
      # [...]
      envFrom:
      - secretRef:
          name: elastic-secret
      - configMapRef:
          name: logstash-config

or specify environment variables one-by-one to be sure they are loaded in the right sequence.

kind: Deployment
spec:
  spec:
    containers:
    - name: container-name
      env:
        - name: access_key_id_pass
          valueFrom:
            secretKeyRef:
              name: elastic-secret
              key: access-key-id
        # followed by the other secrets, then the configMapRefs...

This way you'd also be able to name the environment variables according to the requirements of your logstash-config.

boris
  • 457
  • 2
  • 7
  • this doesn't work, so i guess i should follow the standard and if configMap doesn't support variables it doesn't support them and that's it – user63898 Jan 18 '21 at 06:26
  • 1
    Sorry, I could have sworn it's possible. Check [this SO article](https://stackoverflow.com/questions/49582349/kubernetes-how-to-refer-to-one-environment-variable-from-another). I used exactly this pattern to [reference a pod ip](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-pod-fields-as-values-for-environment-variables) in another env var. – boris Jan 18 '21 at 10:32