Helm-charts: Share env var in sibling charts' deployment/configmaps

12/13/2019

Files structure (minimized)

There is a charts folder containing multiple charts.

charts/
  foo-chart/
    templates/
      deployment.yml
      secrets.yml
  bar-chart/
    templates/
      configmaps/
        script.yml

secrets.yml

Defines a token:

apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secret
  labels:
    app: {{ include "metrics.name" . }}
    chart: {{ include "metrics.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  # NOTE: Service token has to fit the NIST requirement
  serviceToken: {{ randAscii 40 | b64enc }}

deployment.yml

Runs a command which uses an environmental variable which uses a secret:

containers:
  command:
  - fancy-binary
  - -token
  - $(AUTH_TOKEN)
  env:
  - name: AUTH_TOKEN
  valueFrom:
    secretKeyRef:
    name: {{ .Release.Name }}-secret
    key: serviceToken

script.yml

Is supposed to run a bash command (Django admin command) and use the environmental variable as well:

# Create a Service Token
django-admin service_token_add $(AUTH_TOKEN)

Issues

  1. Is the AUTH_TOKEN going to be visible in script.yml?
  2. Does the env valueFrom auto-set the value of AUTH_TOKEN (is deployment going to work)?
-- 0leg
kubernetes
kubernetes-helm

2 Answers

12/13/2019

As long as whatever is using the script.yml configmap also sets up the env var like you showed for the deployment, sure. (Also, your indentation is a bit off, but that might just be a bad paste.)

-- coderanger
Source: StackOverflow

12/16/2019

To answer your first question: environment variables passed through the env field of a container will be visible everywhere in your container, so also in the script you run, unless you explicitly unset them.

You can check it by creating this (you should be able to copy-paste the example):

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: Opaque
data:
  serviceToken: MTIzNDU2Nzg5MAo=     # base64 of "1234567890" followed by a newline

---
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - args:
    - echo
    - hello
    - $(AUTH_TOKEN)
    name: test
    env:
    - name: AUTH_TOKEN
      valueFrom:
        secretKeyRef:
          name: test-secret
          key: serviceToken
    image: centos:7
  restartPolicy: Never

Then, when the pod completes, check the logs and you will see your token:

$ kubectl logs test
hello 1234567890

The same applies to scripts.

To answer your second question: as you probably already saw in the example above, using env valueFrom will indeed auto-set your env to the value from the secret.

Let me know if it was helpful.

-- HelloWorld
Source: StackOverflow
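
Kubernetes substitutes $(AUTH_TOKEN) only in a container's command and args; inside a script that a shell executes, the same text is command substitution, so the script line from the question needs "$AUTH_TOKEN" instead. The shell sketch below is an added example, not code from the question or either answer; fake_admin, run_line, lint_script and the token value are constructed stand-ins.

```shell
#!/bin/sh
# Constructed sample value; the real one would arrive through env valueFrom.
TOKEN='constructed tok3n'

# Hypothetical stand-in for `django-admin service_token_add`: reports its arguments.
fake_admin() {
    printf 'argc=%s arg1=%s\n' "$#" "${1-}"
}

# Evaluate one script line in a subshell that has AUTH_TOKEN exported,
# the way a container started with that env entry would see it.
run_line() {
    (
        AUTH_TOKEN=$TOKEN
        export AUTH_TOKEN
        eval "$1"
    ) 2>/dev/null
}

# Kubernetes syntax pasted into a script: the shell tries to run a command
# named AUTH_TOKEN, which does not exist, so no token is passed at all.
k8s_style() { run_line 'fake_admin $(AUTH_TOKEN)'; }

# Unquoted shell expansion: the value is split on whitespace.
unquoted() { run_line 'fake_admin $AUTH_TOKEN'; }

# Quoted shell expansion: exactly one argument, the whole token.
quoted() { run_line 'fake_admin "$AUTH_TOKEN"'; }

# Lint helper: print the line numbers where script text (passed as $1)
# contains a Kubernetes-style $(UPPER_CASE) reference.
lint_script() {
    printf '%s\n' "$1" | grep -nE '\$\([A-Z_][A-Z0-9_]*\)' | cut -d: -f1
}

# Show the three behaviours when the file is run directly.
k8s_style
unquoted
quoted
```

Running lint_script over the ConfigMap's script text before packaging the chart catches the first case; the token is also never echoed here, unlike in the test pod above, whose logs keep the secret value.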