How to put k8 secret in docker cmd argument?

5/24/2019

I'm trying to set up the Azure Face recognition container, but wondering how to use a k8 secret as a Docker command "argument."

This works, but I need to replace the ApiKey with my k8 secret.

{
  "kind": "Deployment",
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "azure-face",
            "args": [
              "Eula=accept",
              "Billing=https://microsoft.com",
              "ApiKey=123"
            ]
          }
        ]
      }
    }
  }
}

Create secret like this:

kubectl create secret generic azure-api-key --from-literal=azure-api-key="123"

Tried changing the container args like this but it doesn't work - argument is not passed as expected (also tried other variations like ApiKey=${AZURE_API_KEY}):

    "containers": [
      {
        "args": [
          "Eula=accept",
          "Billing=https://microsoft.com",
          "ApiKey=$AZURE_API_KEY"
        ],
        "env": [
          {
            "name": "AZURE_API_KEY",
            "valueFrom": {
              "secretKeyRef": {
                "name": "azure-api-key",
                "key": "azure-api-key"
              }
            }
          }
        ]
      }
    ]

Also did docker exec and from inside container verified that:

$ echo $AZURE_API_KEY
$ 123
-- Charlie
azure-cognitive-services
kubernetes
kubernetes-secrets

2 Answers

5/26/2019

Using an environment variable for sensitive information like an API key is not necessarily the best practice. It's an open argument which is better, but I personally believe using files is better, mainly because it's common to collect env vars for logging purposes etc.

So instead, I would mount the secret as a file and read it in the command line, something like API_KEY=$(cat api_key.txt). I think this should work but it needs verification. Usually, there is support for configuration files in most images provided these days - so I would first look into this, e.g. if Azure Face recognition supports a configuration file.

Final note, if you're looking to read more about Kubernetes secrets and how to manage them on Git, check out this blog post (full disclosure: I'm the author) which covers all the different options to manage Kubernetes secrets securely.

-- Omer Levi Hevroni
Source: StackOverflow

5/24/2019

Looks like this was the issue thanks to @Blokje5:

Note: The environment variable appears in parentheses, "$(VAR)". This is required for the variable to be expanded in the command or args field.

I had tried ${VAR} not $(VAR).

-- Charlie
Source: StackOverflow
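The behaviour described in this thread, as an added example that is not part of the original posts: a small Python model of the documented expansion rules for `command`/`args`, plus a check that flags shell-style references Kubernetes will pass through literally. The function names and the embedded container spec are assumptions built from the manifest in the question.

```python
import re

# Constructed sample: container spec mirroring the manifest in the question.
CONTAINER = {
    "name": "azure-face",
    "args": ["Eula=accept", "Billing=https://microsoft.com", "ApiKey=$AZURE_API_KEY"],
    "env": [{"name": "AZURE_API_KEY",
             "valueFrom": {"secretKeyRef": {"name": "azure-api-key",
                                            "key": "azure-api-key"}}}],
}

K8S_REF = re.compile(r"\$\$|\$\(([^)]*)\)")  # "$$" escape or "$(NAME)"
SHELL_REF = re.compile(r"(?<!\$)\$(?:\{(\w+)\}|([A-Za-z_]\w*))")  # "${NAME}" / "$NAME"


def expand(arg, env):
    """Simplified model of the documented rules: $(NAME) is replaced when NAME
    is defined, left unchanged when it is not, and "$$" collapses to "$"."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        return env.get(m.group(1), m.group(0))
    return K8S_REF.sub(sub, arg)


def lint(container):
    """Return (arg, name) pairs where a declared env var is referenced with
    shell syntax; no shell runs, so the process receives the text as written."""
    declared = {e["name"] for e in container.get("env", [])}
    findings = []
    for arg in container.get("command", []) + container.get("args", []):
        for m in SHELL_REF.finditer(arg):
            name = m.group(1) or m.group(2)
            if name in declared:
                findings.append((arg, name))
    return findings


def fix(arg, names):
    """Rewrite $NAME and ${NAME} to $(NAME) for the declared names only."""
    def sub(m):
        name = m.group(1) or m.group(2)
        return f"$({name})" if name in names else m.group(0)
    return SHELL_REF.sub(sub, arg)
```

Once expanded, the key is part of the container's argument list, so it appears wherever the process command line is visible.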