K8s secret composition

11/13/2018

I am using helm/k8s to deploy a third party (prisma) container. The container expects a environment variable in the shape of yaml similar to

port: 4466                           
managementApiSecret: $PRISMA_SECRET
databases:                           
  default:                           
    connector: postgres              
    host: postgresql                 
    port: 5432                       
    user: postgres                   
    password: $PG_SECRET             
    migrations: true                 

I have access to the postgres password and managementApiSecret as values in a separate secret. I am trying to create pod that fetches the two secrets and uses them to create a environment variable. My currently attempt at a solution looks like this.

containers:                                    
  - name: prisma                               
    image: 'prismagraphql/prisma:1.14'         
    ports:                                     
      - name: prisma-4466                      
        containerPort: 4466                    
    env:                                       
      - name: PG_SECRET                        
        valueFrom:                             
          secretKeyRef:                        
            name: postgresql                   
            key: postgres-password             
      - name: PRISMA_CONFIG                    
        value: |                               
          port: 4466                           
          managementApiSecret: $PRISMA_SECRET
          databases:                           
            default:                           
              connector: postgres              
              host: postgresql                 
              port: 5432                       
              user: postgres                   
              password: $PG_SECRET             
              migrations: true    

This does not seem to work (because the secret is evaluated at kubectl apply time?). Is there an alternative way of creating env variables with secret information?

-- BBS
kubernetes
kubernetes-helm
prisma

1 Answer

11/13/2018

From the envvar doc: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#envvar-v1-core

Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables.

Your second envvar can use the value of the earlier envvar as $(PG_SECRET)

-- Jordan Liggitt
Source: StackOverflow