1

The documentation is a bit confusing there are two sets:

At any rate, I'm able to do the following to see that secrets are in the Pod:

kubectl exec -it nginx-secrets-store-inline -- ls /mnt/secrets-store/
kubectl exec -it nginx-secrets-store-inline -- cat /mnt/secrets-store/secret1

This is basically where the documentation and tutorials I've seen end.

Cool... but what needs to be done to get them into the environmental variables in the application running in the Pod?

For example, this is how my API deployment is setup from when I was doing kubectl create secret generic app-secrets --from-literal=PGUSER=$pguser...:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-deployment-dev
  namespace: production
spec:
  replicas: 3
  revisionHistoryLimit: 5
  selector:
    matchLabels:
      component: api
  template:
    metadata:
      labels:
        component: api
    spec:
      containers:
        - name: api
          image: api
          ports:
            - containerPort: 5000
          env:
            - name: PGDATABASE
              valueFrom:
                secretKeyRef:
                  name: k8stut-dev-secrets
                  key: PGDATABASE
            - name: PGHOST
              value: postgres-cluster-ip-service-dev
            - name: PGPORT
              valueFrom:
                secretKeyRef:
                  name: k8stut-dev-secrets
                  key: PGPORT
            - name: PGUSER
              valueFrom:
                secretKeyRef:
                  name: k8stut-dev-secrets
                  key: PGUSER
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: k8stut-dev-secrets
                  key: PGPASSWORD
          volumeMounts:
            - mountPath: /mnt/file-storage
              name: file-storage-dev
              subPath: file-storage
      volumes:
        - name: file-storage-dev
          persistentVolumeClaim:
            claimName: file-storage-dev
---
apiVersion: v1
kind: Service
metadata:
  name: api-cluster-ip-service-dev
  namespace: development
spec:
  type: ClusterIP
  selector:
    component: api
  ports:
    - port: 5000
      targetPort: 5000

What needs to be done now with all of these?

env:
  - name: PGDATABASE
    valueFrom:
      secretKeyRef:
        name: k8stut-dev-secrets
        key: PGDATABASE
cjones
  • 8,384
  • 17
  • 81
  • 175

2 Answers2

2

The CSI secret store driver is a container storage interface driver - it can only mount to files.

For postgres specifically, you can use docker secrets environment variables to point to the path you're mounting the secret in and it will read it from the file instead. This works via appending _FILE to the variable name.

Per that document: Currently, this is only supported for POSTGRES_INITDB_ARGS, POSTGRES_PASSWORD, POSTGRES_USER, and POSTGRES_DB.

- name: POSTGRES_DB_FILE
  value: /mnt/secrets-store/db-secret

In the general case, if you need the secrets in environment variables, I would typically use a startup script in the container to read the CSI mounted secrets and export them. If it's a custom container this is usually easy enough to add; if it's a standard container you may be able to override the command with a small set of shell commands that can export the appropriate variables by reading the files before calling whatever the normal ENTRYPOINT of the container would have been.

Patrick Healy
  • 166
  • 5
  • 1
    Thanks, that did the trick. For reference, here is what my complete `.yaml` looks like if it is helpful to anyone: https://stackoverflow.com/a/66341260/3123109 – cjones Feb 23 '21 at 23:05
1

The answer above by Patrick helped, but is not fully correct. AKS provides support as well to "sync" Key Vault Secrets into Kubernetes Secrets which can be used as ENV variables.

See the microsoft docs on how to setup sync of a secret into kubernetes: https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#sync-mounted-content-with-a-kubernetes-secret

And this article shows how you can reference the secret into an environment variable: https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#set-an-environment-variable-to-reference-kubernetes-secrets

pastrami01
  • 341
  • 4
  • 9