2 min read | by Jordi Prats
Although it's not a best practice to feed secrets into environment variables, it is still possible to do so. Let's take a look at how to do it.
We are going to use the same secret we used for accessing secrets through a volume:
$ kubectl create secret generic democredentials \
    --from-literal=username=jordi.prats \
    --from-literal=password='not_so_secret'
To feed the secret into an environment variable we have to use secretKeyRef, setting name to the name of the secret and key to the key in that secret that we would like to use. For the example secret, we can create two environment variables, one for each key, as follows:
apiVersion: v1
kind: Pod
metadata:
  name: secret2env
spec:
  containers:
  - name: demo
    image: busybox
    command: ["sleep"]
    args: ["1h"]
    # environment variables populated from keys of the democredentials secret:
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: democredentials
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: democredentials
          key: password
Once we deploy the pod it will keep running for an hour:
$ kubectl apply -f ~/pod.yaml
pod/secret2env created
$ kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
secret2env   1/1     Running   0          6s
So we can either open an interactive shell on the pod or just run the commands using kubectl exec:
$ kubectl exec secret2env -- sh -c 'echo $USERNAME'
jordi.prats
$ kubectl exec secret2env -- sh -c 'echo $PASSWORD'
not_so_secret
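Since the values are readable by anything that can inspect the container's environment, as the kubectl exec calls above show, it is useful to know which workloads receive secrets this way. The following is an added example, not part of the original post: a Python sketch that lists every environment variable sourced from a Secret in `kubectl get pods -o json` output. It goes beyond the pod above by also covering `envFrom.secretRef` and init containers; the function name `secret_env_refs` and the inline sample are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get pods -o json` output for the pod above.
SAMPLE = json.dumps({"items": [{
    "metadata": {"namespace": "default", "name": "secret2env"},
    "spec": {"containers": [{
        "name": "demo",
        "image": "busybox",
        "env": [
            {"name": "USERNAME", "valueFrom": {"secretKeyRef":
                {"name": "democredentials", "key": "username"}}},
            {"name": "PASSWORD", "valueFrom": {"secretKeyRef":
                {"name": "democredentials", "key": "password"}}},
            {"name": "LOG_LEVEL", "value": "debug"},  # plain value, not reported
        ],
    }]},
}]})


def secret_env_refs(pods_json):
    """Return (namespace, pod, container, env var, secret, key) tuples for
    every environment variable that is populated from a Secret."""
    doc = json.loads(pods_json)
    findings = []
    # Accept both a pod list (has "items") and a single pod object.
    for pod in doc.get("items", [doc]):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        where = (meta.get("namespace", "default"), meta.get("name", "?"))
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        for c in containers:
            # Single keys mapped with env[].valueFrom.secretKeyRef
            for var in c.get("env") or []:
                ref = (var.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append(where + (c["name"], var["name"],
                                             ref["name"], ref["key"]))
            # Whole secrets imported with envFrom[].secretRef
            for src in c.get("envFrom") or []:
                if "secretRef" in src:
                    findings.append(where + (c["name"], "*",
                                             src["secretRef"]["name"], "*"))
    return findings


if __name__ == "__main__":
    for finding in secret_env_refs(SAMPLE):
        print("{}/{} container={} env={} <- secret {}[{}]".format(*finding))
```

Against a live cluster, the same function can be fed the output of `kubectl get pods --all-namespaces -o json`.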
Posted on 05/03/2021