Openshift/kubernetes: map serviceaccount secret to an environment variable

7/16/2018

Is there a way to populate the serviceaccount secrets content to an environment variable?

Example: when a pod is started, it contains a /var/run/secrets/kubernetes.io/secrets/serviceaccount/ folder that contains token, ca.crt... and other that is the result to map the serviceaccount sercret to a folder.

Is there anyway to map serviceaccountsecret.token to an environment variable?

EDIT

I'm deploying kubernetes/openshift objects using fabric8 maven plugin. Nevertheless, I was looking for a way of setting this information up on PodSpec.

So, currently openshift/kubernetes is mapping service account information located into secrets and then it's automatically mapped to filesystem (`/var/run...).

I'm looking for a way to map this "unknown" service account secret to environment variable (I mean, I don't know which is the name of this secret, when I'm creating PodSpec).

$ oc get secrets
NAME                       TYPE                                  DATA      AGE
builder-dockercfg-hplx4    kubernetes.io/dockercfg               1         43m
builder-token-bkd8h        kubernetes.io/service-account-token   4         43m
builder-token-gpckp        kubernetes.io/service-account-token   4         43m
default-dockercfg-q2vpx    kubernetes.io/dockercfg               1         43m
default-token-hpr7l        kubernetes.io/service-account-token   4         43m
default-token-r5225        kubernetes.io/service-account-token   4         43m
deployer-dockercfg-6h7nw   kubernetes.io/dockercfg               1         43m
deployer-token-svmvf       kubernetes.io/service-account-token   4         43m
deployer-token-tmg9x       kubernetes.io/service-account-token   4         43m
vault-cert                 kubernetes.io/tls                     2         42m 

As you can see, openshiftshift/kubernetes creates secrets regarding with each service account:

$ oc get sa
NAME       SECRETS   AGE
builder    2         44m
default    2         44m
deployer   2         44m

Each secret has a form like:

$ oc describe secret default-token-hpr7l
Name:         default-token-hpr7l
Namespace:    ra-sec
Labels:       <none>
Annotations:  kubernetes.io/created-by=openshift.io/create-dockercfg-secrets
              kubernetes.io/service-account.name=default
              kubernetes.io/service-account.uid=82ae89d7-898a-11e8-8d35-f28ae3e0478e

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:          1070 bytes
namespace:       6 bytes
service-ca.crt:  2186 bytes
token:           eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYS1zZWMiLCJrdWJlcm5ldGVzLmlvL3Nl...

Each secret is mapped to filesystem automatically. Nevertheless, I'd like to write into PodSpec:

env:
- name: KUBERNETES_TOKEN
  valueFrom:
    secretKeyRef:
      name: <unknown service account secret name>
      key: token

I hope I've explianed a bit better.

-- Jordi
kubernetes
openshift

2 Answers

7/16/2018

How are you deploying your application, S2I?

If yes, you can use a custom .s2i/bin/run script to set it yourself from the contents of the file and then run the original S2I run script.

See the chapter 'Customizing Source-to-Image Builds' in the free eBook:

for more details.

-- Graham Dumpleton
Source: StackOverflow

7/17/2018

You can create a secret annotated with kubernetes.io/service-account.name annotation.

This annotation provides related service account information to current secret.

apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-secret
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token

By this way, you are able to create a named secret with desired data.

- name: KUBERNETES_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-auth-secret
      key: token
-- Jordi
Source: StackOverflow