Is there a way to populate the serviceaccount secrets content to an environment variable?
Example: when a pod is started, it contains a /var/run/secrets/kubernetes.io/secrets/serviceaccount/ folder that contains token, ca.crt, ... and others, which is the result of mapping the serviceaccount secret to a folder.
Is there any way to map serviceaccountsecret.token to an environment variable?
EDIT
I'm deploying kubernetes/openshift objects using the fabric8 maven plugin. Nevertheless, I was looking for a way of setting this information up in the PodSpec.
So, currently openshift/kubernetes is mapping service account information located in secrets, and then it's automatically mapped to the filesystem (`/var/run...`).
I'm looking for a way to map this "unknown" service account secret to an environment variable (I mean, I don't know the name of this secret when I'm creating the PodSpec).
$ oc get secrets
NAME TYPE DATA AGE
builder-dockercfg-hplx4 kubernetes.io/dockercfg 1 43m
builder-token-bkd8h kubernetes.io/service-account-token 4 43m
builder-token-gpckp kubernetes.io/service-account-token 4 43m
default-dockercfg-q2vpx kubernetes.io/dockercfg 1 43m
default-token-hpr7l kubernetes.io/service-account-token 4 43m
default-token-r5225 kubernetes.io/service-account-token 4 43m
deployer-dockercfg-6h7nw kubernetes.io/dockercfg 1 43m
deployer-token-svmvf kubernetes.io/service-account-token 4 43m
deployer-token-tmg9x kubernetes.io/service-account-token 4 43m
vault-cert kubernetes.io/tls 2 42m
As you can see, openshift/kubernetes creates secrets for each service account:
$ oc get sa
NAME SECRETS AGE
builder 2 44m
default 2 44m
deployer 2 44m
Each secret has a form like:
$ oc describe secret default-token-hpr7l
Name: default-token-hpr7l
Namespace: ra-sec
Labels: <none>
Annotations: kubernetes.io/created-by=openshift.io/create-dockercfg-secrets
kubernetes.io/service-account.name=default
kubernetes.io/service-account.uid=82ae89d7-898a-11e8-8d35-f28ae3e0478e
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1070 bytes
namespace: 6 bytes
service-ca.crt: 2186 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYS1zZWMiLCJrdWJlcm5ldGVzLmlvL3Nl...
Each secret is mapped to the filesystem automatically. Nevertheless, I'd like to write in the PodSpec:
env:
  - name: KUBERNETES_TOKEN
    valueFrom:
      secretKeyRef:
        name: <unknown service account secret name>
        key: token
I hope I've explained it a bit better.
How are you deploying your application, S2I?
If yes, you can use a custom .s2i/bin/run script to set it yourself from the contents of the file and then run the original S2I run script.
See the chapter 'Customizing Source-to-Image Builds' in the free eBook: for more details.
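The wrapper the answer describes, written out as an added example (it is not code from the answer or from any S2I builder image): a custom .s2i/bin/run that reads the mounted token, refuses to start if the file is missing or empty, exports it as KUBERNETES_TOKEN and then execs the image's original run script. The token mount path is the standard Kubernetes location; ORIGINAL_RUN is a placeholder, because the location of the original run script depends on the builder image.

```shell
#!/bin/sh
# Added example, not the answer's code: custom .s2i/bin/run wrapper that
# exports the mounted service-account token as KUBERNETES_TOKEN and then
# hands off to the builder image's original run script.

SA_TOKEN_FILE="${SA_TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"
ORIGINAL_RUN="${ORIGINAL_RUN:-/usr/libexec/s2i/run}"   # placeholder; depends on the builder image

# read_token FILE: print the token with any trailing newline removed.
# Fails (non-zero) if the file is missing, unreadable or empty, so the
# container never starts with an empty KUBERNETES_TOKEN by mistake.
read_token() {
  file="$1"
  if [ ! -r "$file" ]; then
    echo "run: token file not readable: $file" >&2
    return 1
  fi
  token=$(tr -d '\r\n' < "$file")
  if [ -z "$token" ]; then
    echo "run: token file is empty: $file" >&2
    return 1
  fi
  printf '%s' "$token"
}

# looks_like_jwt TOKEN: sanity check that the value has the three
# dot-separated base64url segments of a JWT, as the service-account token does.
looks_like_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

main() {
  KUBERNETES_TOKEN=$(read_token "$SA_TOKEN_FILE") || exit 1
  looks_like_jwt "$KUBERNETES_TOKEN" || { echo "run: token is not a JWT" >&2; exit 1; }
  export KUBERNETES_TOKEN
  # Hand control to the image's original run script with the same arguments.
  exec "$ORIGINAL_RUN" "$@"
}

# S2I executes this file as .s2i/bin/run; only hand off when invoked under
# that name, so the functions can also be sourced and tested on their own.
case "${0##*/}" in
  run) main "$@" ;;
esac
```

Note that a value exported this way is read once at container start: unlike the mounted file it is never refreshed if the token is rotated, and it is inherited by every child process the run script starts.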
You can create a secret annotated with the kubernetes.io/service-account.name annotation.
This annotation provides the related service account information to the current secret.
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-secret
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
This way, you are able to create a named secret with the desired data.
- name: KUBERNETES_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-auth-secret
      key: token
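The whole procedure from this answer, as an added example that is not the answer's own code: create the ServiceAccount and the annotated Secret, wait until the token controller has filled in the secret's token key (a pod that references the key before that sits in CreateContainerConfigError), check that the token's claims actually name the intended service account and namespace, and only then create the pod that reads the token into KUBERNETES_TOKEN. The namespace ra-sec and the token claim names come from the question's output; the pod name, the image and the sample_token helper (an unsigned token constructed only to exercise the check offline) are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's code: create the annotated secret, wait for
# its token, verify the token's claims, then deploy a pod that reads the token
# into KUBERNETES_TOKEN. Names (ra-sec, vault-auth, vault-auth-secret, the pod
# and image) are assumptions for the example; "oc" is used as in the question.
NAMESPACE="${NAMESPACE:-ra-sec}"
SA_NAME="${SA_NAME:-vault-auth}"
SECRET_NAME="${SECRET_NAME:-vault-auth-secret}"

# ServiceAccount plus the Secret that the token controller will populate.
render_sa_and_secret() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA_NAME
  namespace: $NAMESPACE
---
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
  annotations:
    kubernetes.io/service-account.name: $SA_NAME
type: kubernetes.io/service-account-token
EOF
}

# Pod whose KUBERNETES_TOKEN env var is taken from the secret's "token" key.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: token-env-demo
  namespace: $NAMESPACE
spec:
  serviceAccountName: $SA_NAME
  containers:
    - name: app
      image: registry.example.com/app:latest   # placeholder image
      env:
        - name: KUBERNETES_TOKEN
          valueFrom:
            secretKeyRef:
              name: $SECRET_NAME
              key: token
EOF
}

# base64url helpers: JWT segments drop the "=" padding and use "-_" for "+/".
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# token_belongs_to TOKEN SA NAMESPACE: succeed only if the (unverified) claims
# of the JWT name the expected service account and namespace. This catches
# "wrong secret" mistakes; it does not authenticate the token.
token_belongs_to() {
  claims=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)") || return 1
  printf '%s' "$claims" | grep -Eq "\"kubernetes.io/serviceaccount/service-account.name\" *: *\"$2\"" &&
    printf '%s' "$claims" | grep -Eq "\"kubernetes.io/serviceaccount/namespace\" *: *\"$3\""
}

# Constructed, unsigned sample token carrying the service-account claims seen in
# the question (the signature segment is a placeholder); offline testing only.
sample_token() {
  hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  pl=$(b64url_encode "{\"iss\":\"kubernetes/serviceaccount\",\"kubernetes.io/serviceaccount/namespace\":\"$2\",\"kubernetes.io/serviceaccount/service-account.name\":\"$1\"}")
  printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

# Poll until the secret's "token" key exists and print the decoded token.
wait_for_token() {
  i=0
  while [ "$i" -lt 30 ]; do
    tok=$(oc -n "$NAMESPACE" get secret "$SECRET_NAME" -o jsonpath='{.data.token}' 2>/dev/null)
    if [ -n "$tok" ]; then printf '%s' "$tok" | base64 -d; return 0; fi
    i=$((i + 1)); sleep 1
  done
  return 1
}

main() {
  render_sa_and_secret | oc apply -f -
  token=$(wait_for_token) || { echo "token was never populated" >&2; exit 1; }
  token_belongs_to "$token" "$SA_NAME" "$NAMESPACE" || { echo "token claims do not match $SA_NAME/$NAMESPACE" >&2; exit 1; }
  render_pod | oc apply -f -
}

# Only talk to the cluster when asked; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it with --apply against a cluster where oc is logged in. Because the secret name is now chosen by you rather than generated, the PodSpec can reference it directly; the claim check before creating the pod is what confirms the token controller bound the secret to the service account you intended and not to another one.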