I have worked on grabbing Kubernetes secrets with a .yml file for weeks, but to no avail. My script is currently triggered by a KafkaTrigger, which cannot pull in secrets from Kubernetes. Grabbing the secrets, we are left with two possibilities: 1) pull in secrets from Python or 2) create a second .yml file. Option 1) is not possible, since I would still need an .ssh key in my requirements.txt file, exposing an internal code base. Ideally, the .yml could pull in the .ssh key. My question is: how could you create a .yml file with two scripts running, a) the KafkaTrigger, and b) the code which pulls in secrets? The KafkaTrigger should not change, so what changes can I make to get the .yml logic to work? In particular, are the apiVersions and kind correct? Do I need an image for this code to work?

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-bot-grab-secrets
  namespace: name
spec:
  template:
    spec:
      containers:
      - name: test-bot-grab-secrets
        image: img
        env:
          - name: SQL_URI
            valueFrom:
              secretKeyRef:
                name: SECRET_NAME
                key: SQLALCHEMY_URI
```

Please tell me if these questions are not clear! Thanks!

jeisenman19
  • What is a `KafkaTrigger`? Where does this credential need to wind up in the end? Can you inject a Secret value into it as an environment variable like you've done in the example? (A separate Deployment almost certainly cannot do this.) – David Maze Feb 22 '23 at 17:19
  • A KafkaTrigger is the namespace for a Kafka event listener. I.e., it will wait for a process to happen and then trigger a script when a condition is met. I would like to pull in the environmental variable into the pod so it can be used by my Python script. In sum, here is the logic: process happens, .yml file triggers script and pulls secrets, script runs (using the secrets) within Kubernetes pod. – jeisenman19 Feb 22 '23 at 17:22
  • The problem is that you cannot pull a secret using `apiVersion: kubeless.io/v1beta1`. Using a dev.env file would be too static and it would not change as the secrets change within the key vault. How could you get around these problems? – jeisenman19 Feb 22 '23 at 17:24

0 Answers