
My goal is to create an environment variable for the pod out of a mounted secret volume. I want to skip the intermediate step of creating a Kubernetes secret (and referencing the k8s secret for the env) so that nothing is stored in etcd.

I am using the CSI Driver to mount the secrets of my Azure Key Vault. The volume is working correctly.

Deployment.yaml:

...
spec:
  volumes:
    - name: keyvault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kevault-secrets
  containers:
    - name: busybox
      image: k8s.gcr.io/e2e-test-images/busybox:1.29
      command:
        - /bin/sh
      args:
        - '-c'
        - >-
          SECRET1=$(cat /mnt/keyvault-secrets/secret1); export SECRET1;echo
          $SECRET1; sleep 1d;
      volumeMounts:
        - name: keyvault-secrets
          readOnly: true
          mountPath: /mnt/keyvault-secrets

On startup the Pod is able to populate the environment variable and even prints its value correctly on the console. If I log into the Pod, the environment variable is gone.

Any ideas why the environment variable vanishes?

Michael Kemmerzell

  • Why not get the env vars directly from the secret in Key Vault? Like [in the Azure documentation](https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#set-an-environment-variable-to-reference-kubernetes-secrets) – moonkotte Jan 18 '22 at 13:43
  • Thanks for the hint, but this is not what we want. It references the k8s secrets which are created, but we want to achieve this without the k8s secrets – Michael Kemmerzell Jan 18 '22 at 14:14
  • Yeah, this is some kind of replication feature. May I please ask why you don't want to use `secrets`? Is it some sort of security aspect? `Etcd` should be encrypted in Azure AKS. – moonkotte Jan 18 '22 at 14:47
  • Yes, because of security aspects of the company. We will probably wait for the KMS provider support for AKS: https://github.com/Azure/AKS/issues/845 which encrypts the secrets in addition to the etcd encryption. – Michael Kemmerzell Jan 18 '22 at 14:53
  • Have you found a solution, @MichaelKemmerzell? – hey Aug 31 '22 at 20:53
  • Unfortunately no, @hey. I had to go the usual way. – Michael Kemmerzell Sep 01 '22 at 05:27

1 Answer

Environment variables set in a shell session (like the one in your command) are local to that session only.

gohm'c

  • For a better explanation see https://unix.stackexchange.com/questions/8342/export-an-env-variable-to-be-available-at-all-sub-shells-and-possible-to-be-mod – bodo Jan 17 '22 at 15:58
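As an added example (not code from the question or the answer), the POSIX shell script below reproduces the behaviour on a plain Linux box and shows the usual wrapper-script route to the asker's goal: export the variable from the mounted file and then `exec` the application in the same process, so the value lives in the application's own environment without a Kubernetes Secret ever being created. A temporary directory stands in for the CSI mount at `/mnt/keyvault-secrets`, the secret value `hunter2` is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# A temp dir stands in for /mnt/keyvault-secrets; the value "hunter2"
# is constructed. Function names are assumptions.

# Create a stand-in for the CSI mount with one secret file.
make_fake_mount() {
  d=$(mktemp -d)
  printf 'hunter2' > "$d/secret1"
  printf '%s' "$d"
}

# What the question's `args` do: one shell reads the file, exports
# SECRET1, and exits. A second, sibling shell (what `kubectl exec -- sh`
# gives you) starts from the container spec's environment and never sees it.
sibling_shell_value() {
  mnt=$1
  sh -c 'SECRET1=$(cat "$1/secret1"); export SECRET1; true' sh "$mnt"
  sh -c 'printf "%s" "${SECRET1:-unset}"'
}

# Entrypoint-wrapper pattern: export one variable per mounted file
# (secret1 -> SECRET1), then exec the real application so the variables
# are in the application's own environment. No Kubernetes Secret involved.
load_secrets_from_mount() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f" | tr 'a-z' 'A-Z' | tr '-' '_')
    # Only accept names that are valid shell identifiers; anything else
    # in the mount is skipped rather than handed to export.
    case $name in
      *[!A-Z0-9_]* | [0-9]*) continue ;;
    esac
    val=$(cat "$f")            # $(...) drops trailing newlines
    export "$name=$val"
  done
}

# Run the wrapper in a subshell with `env` standing in for the
# application, and return what the application sees for SECRET1.
entrypoint_demo() {
  mnt=$1
  ( load_secrets_from_mount "$mnt"; exec env ) | sed -n 's/^SECRET1=//p'
}

# Stand-alone run: prints "unset" (sibling shell) then "hunter2" (exec'd app).
m=$(make_fake_mount)
sibling_shell_value "$m"; echo
entrypoint_demo "$m"
rm -rf "$m"
```

Two caveats for the pod case. `kubectl exec` still starts a fresh process from the container spec, so it will not show the variable even after this change; inspect PID 1's environment with `tr '\0' '\n' < /proc/1/environ` instead. And a process environment is readable by anyone who can exec into the container or read its `/proc` entries, so this moves where the secret is stored (the mount plus the process, rather than etcd), not who can read it at runtime.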