I'm trying to set up the Azure Face recognition container, but wondering how to use a k8 secret as a Docker command "argument."
This works, but I need to replace the ApiKey with my k8 secret.
{
  "kind": "Deployment",
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "azure-face",
            "args": [
              "Eula=accept",
              "Billing=https://microsoft.com",
              "ApiKey=123"
            ]
          }
        ]
      }
    }
  }
}
Create secret like this:
kubectl create secret generic azure-api-key --from-literal=azure-api-key="123"
Tried changing the container args like this, but it doesn't work; the argument is not passed as expected (also tried other variations like ApiKey=${AZURE_API_KEY}):
"containers": [
  {
    "args": [
      "Eula=accept",
      "Billing=https://microsoft.com",
      "ApiKey=$AZURE_API_KEY"
    ],
    "env": [
      {
        "name": "AZURE_API_KEY",
        "valueFrom": {
          "secretKeyRef": {
            "name": "azure-api-key",
            "key": "azure-api-key"
          }
        }
      }
    ]
  }
]
Also did docker exec and from inside container verified that:
$ echo $AZURE_API_KEY
$ 123
Using an environment variable for sensitive information like an API key is not necessarily the best practice. It's an open argument which is better, but I personally believe using files is better, mainly because it's common to collect env vars for logging purposes etc.
So instead, I would mount the secret as a file and read it in the command line, something like API_KEY=$(cat api_key.txt). I think this should work but it needs verification. Usually, there is support for configuration files in most images provided these days, so I would first look into this, e.g. whether Azure Face recognition supports a configuration file.
Final note, if you're looking to read more about Kubernetes secrets and how to manage them on Git, check out this blog post (full disclosure: I'm the author) which covers all the different options to manage Kubernetes secrets securely.
Looks like this was the issue thanks to @Blokje5:
Note: The environment variable appears in parentheses, "$(VAR)". This is required for the variable to be expanded in the command or args field.
I had tried ${VAR} not $(VAR).
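The difference between the three spellings tried in this thread, as an added example that is not part of the original posts: a small Python model of the expansion rules Kubernetes documents for the command and args fields, plus a lint check for args that use shell-style references. The function names expand and lint_args are hypothetical, and the environment is a constructed sample matching the secret from the question.

```python
import re

# Shell-style references ($VAR, ${VAR}) that Kubernetes passes through untouched.
SHELL_REF = re.compile(r"\$(?:\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)")


def expand(arg, env):
    """Model of the documented $(VAR) expansion applied to command/args."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "$" and i + 1 < len(arg):
            if arg[i + 1] == "$":  # "$$" is an escaped "$"
                out.append("$")
                i += 2
                continue
            if arg[i + 1] == "(":
                close = arg.find(")", i + 2)
                if close != -1:
                    name = arg[i + 2:close]
                    # Unresolvable references are left unchanged.
                    out.append(env.get(name, arg[i:close + 1]))
                    i = close + 1
                    continue
        out.append(arg[i])
        i += 1
    return "".join(out)


def lint_args(args):
    """Return the args containing $VAR or ${VAR}, which will not be expanded."""
    return [a for a in args if SHELL_REF.search(a)]


# Constructed sample: env as resolved from the secretKeyRef in the question.
ENV = {"AZURE_API_KEY": "123"}

if __name__ == "__main__":
    for arg in ("ApiKey=$AZURE_API_KEY", "ApiKey=${AZURE_API_KEY}",
                "ApiKey=$(AZURE_API_KEY)", "ApiKey=$$(AZURE_API_KEY)",
                "ApiKey=$(NOT_SET)"):
        print(f"{arg!r:30} -> {expand(arg, ENV)!r}")
```

With the working $(AZURE_API_KEY) form the key becomes part of the container's argument list, so it is visible wherever the process command line is.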