Using Kubernetes secrets in a ConfigMap

8/29/2019

I'm using Helm on a Kubernetes cluster and have installed the stable rabbitmq-ha chart. I would like to push data to an exchange in rabbitmq from Logstash. I am trying to use the logstash stable chart.

The rabbitmq-ha chart has created a secret that contains the password to connect to it. I'd like to be able to get that password and include it in the logstash configuration so that logstash can connect to it.

The ConfigMap for logstash is templated using items from the values file.

  outputs:
    main: |-
      output {
        rabbitmq {
          exchange => "exchange_name"
          exchange_type => "fanout"
          host => "rabbitmq-ha.default.svc.cluster.local"
          password => "????"
        }
      }

I don't want to hard-code the password in the values file because that's not great for security and it would mean duplicating the configuration for each environment. I can't see a way to get logstash to read the password from an environment variable.

How do people normally do this?

I could use helm secrets to store the whole outputs configuration and include hard-coded passwords. That would avoid having plain-text passwords in my repository but still doesn't feel like the best way.

-- Stephen Paulger
kubernetes
kubernetes-helm

1 Answer

8/29/2019

Turns out that it is possible to get logstash to read values from the environment variables since at least version 5.0 of logstash. https://www.elastic.co/guide/en/logstash/current/environment-variables.html

So my values file can look like

  outputs:
    main: |-
      output {
        rabbitmq {
          exchange => "exchange_name"
          exchange_type => "fanout"
          host => "rabbitmq-ha.default.svc.cluster.local"
          password => "${RMQ_PASSWORD}"
        }
      }

The logstash chart allows environment variables to be added to the statefulset using an extraEnv value. The extraEnv allows values to come from secrets.

  extraEnv:
    - name: RMQ_PASSWORD
      valueFrom:
        secretKeyRef:
          name: rabbitmq-ha
          key: rabbitmq-password
-- Stephen Paulger
Source: StackOverflow
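
A check that could run in CI over the values file described in the answer, as an added example that is not part of the original post or of the logstash chart. It assumes the values have already been parsed into a dict (for instance by a YAML loader) and uses only the `outputs` and `extraEnv` keys shown above; `audit_values` is a hypothetical helper name. It flags literal passwords, `${VAR:default}` fallbacks, and variables that are not backed by a `secretKeyRef`.

```python
import re

# Logstash expands ${VAR} and ${VAR:default} inside pipeline settings.
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")
# Credential-like settings, e.g.  password => "..."
SECRET_SETTING = re.compile(r'\b(\w*password\w*)\s*=>\s*"([^"]*)"', re.IGNORECASE)


def audit_values(values):
    """Return findings for a parsed values dict (hypothetical helper)."""
    findings = []
    env = {e["name"]: e for e in values.get("extraEnv", [])}
    for name, pipeline in values.get("outputs", {}).items():
        for setting, value in SECRET_SETTING.findall(pipeline):
            ref = ENV_REF.fullmatch(value)
            if ref is None:
                findings.append(f"outputs.{name}: {setting} is a literal, not ${{VAR}}")
                continue
            var, default = ref.groups()
            if default is not None:
                # A fallback after ':' puts a credential back into the config.
                findings.append(f"outputs.{name}: ${{{var}}} carries an inline default")
            entry = env.get(var)
            if entry is None:
                findings.append(f"outputs.{name}: ${{{var}}} has no extraEnv entry")
            elif "secretKeyRef" not in entry.get("valueFrom", {}):
                findings.append(f"extraEnv.{var}: not sourced from a secretKeyRef")
    return findings


# Constructed sample input: GOOD mirrors the answer, BAD shows the failure cases.
PIPELINE = 'output {\n  rabbitmq {\n    exchange => "exchange_name"\n    password => "%s"\n  }\n}'
SECRET_ENV = {"name": "RMQ_PASSWORD", "valueFrom": {
    "secretKeyRef": {"name": "rabbitmq-ha", "key": "rabbitmq-password"}}}
GOOD = {"outputs": {"main": PIPELINE % "${RMQ_PASSWORD}"}, "extraEnv": [SECRET_ENV]}
BAD = {
    "outputs": {"main": PIPELINE % "example-literal",
                "alt": PIPELINE % "${RMQ_PASSWORD:guest}"},
    "extraEnv": [{"name": "RMQ_PASSWORD", "value": "example-literal"}],
}

if __name__ == "__main__":
    for label, vals in (("good", GOOD), ("bad", BAD)):
        print(label, audit_values(vals) or "ok")
```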