I have a set of vendor-provided containers that work together to provide a service, let's call them A, B and C - the Kubernetes cluster runs one of each, in separate pods.
Ideally I would like to deploy this all in one go - meaning I somehow need to create an account in container B (by calling A), then get that value into the environment variable for C.
Some thoughts:
To me, the only viable solution is to put an initContainer on C that will query B (via A) for the security token, then write that to a shared volume. Then I would build on top of container C to read from the shared volume, set the environment variable internal to the container and start the vendor's process. But then I have to manage the secret for the user account.
Are there any improvements on that approach, or anything completely different I haven't considered?
Performing API operations from inside a container is not an antipattern. Block startup of your process on C until the initContainer
runs and updates the Secret
containing the token. Don't use a ConfigMap
for secrets; the Secret
object exists for these purposes, and you can pull a Secret
into a PodSpec
- as env vars, or a volume mount - the same way you pull a ConfigMap
(with some minor syntax variation).
The only trouble I can see you potentially running into is that you'll be dealing with multiple replicas, so you might want to randomise some of the Secret
name. Create it in the initContainer
, pass the randomised name across in the filesystem since Pods
share a filesystem, then consume it in the main container and delete the Secret
after the env var or mount gets set up. Secrets
and ConfigMaps
can disappear after a Pod
starts up without affecting their presence inside the Pod
.
You'll also probably want some way of cleaning up the user accounts, as you're essentially creating a new user every time a replica starts and won't have an opportunity to delete it. A CronJob
might be the way forward for that - list the user accounts matching your naming convention, then restart the deployment and delete the accounts in the list you fetched before the restart. That way you won't be pulling the rug out on any active replicas.