Pass Secret values/environment var to the flexvol options

3/6/2020

I'm trying to use k8s secrets, or environment variables from my local environment, to set the flexvol options values. Is that possible?

I can see the secrets mounted successfully, but the flexvol cannot be mounted successfully. I'd appreciate any solution other than secrets, if there is one.

The deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
  namespace: default
  labels:
    app: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-deployment
  template:
    metadata:
      labels:
        app: my-deployment
    spec:
      containers:
      - image: traefik:1.7.7-alpine
        name: traefik
        livenessProbe:
          tcpSocket:
            port: 80
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        volumeMounts:
        - name: certs 
          mountPath: /certs
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
        env:
        - name: KV_NAME
          valueFrom:
            secretKeyRef:
              name: flexvol-var-secret
              key: keyvaultname
        - name: KV_OBJ_NAME
          valueFrom:
            secretKeyRef:
              name: flexvol-var-secret
              key: keyvaultobjectname
        - name: TENANT_ID
          valueFrom:
            secretKeyRef:
              name: flexvol-var-secret
              key: tenantid
        - name: RESOURCE_GROUP
          valueFrom:
            secretKeyRef:
              name: flexvol-var-secret
              key: resourcegroup
        - name: SUB_ID
          valueFrom:
            secretKeyRef:
              name: flexvol-var-secret
              key: subscriptionid
      volumes:
      - name: certs
        flexVolume:
          driver: "azure/kv"
          secretRef:
            name: kvcreds
          options:
            keyvaultname: ${KV_NAME}
            keyvaultobjectname: ${KV_OBJ_NAME}
            keyvaultobjecttype: "secret"
            tenantid: ${TENANT_ID}
            resourcegroup: ${RESOURCE_GROUP}
            subscriptionid: ${SUB_ID}

The secret.yaml

kind: Secret
apiVersion: v1
metadata:
  name: flexvol-var-secret
  labels:
    name: flexvol-var-secret
  annotations:
    description: Template for flexVolume variables values
stringData:
  keyvaultname: "###"
  keyvaultobjectname: "###"
  tenantid: "###"
  resourcegroup: "###"
  subscriptionid: "###"
-- Helay
azure-keyvault
azure-kubernetes
kubernetes

1 Answer

3/7/2020

I've been looking into the same thing and it's not really possible without external tools.

The problem is that flexvolume only takes the credentials from the secret; the rest is considered configuration and needs to be passed in. What you want to do here is essentially variable substitution, which Kubernetes does not, and will not, support: https://github.com/kubernetes/kubernetes/issues/52787#issuecomment-369645645

On the bright side, you can use any tool to substitute those values with variables from your env variables, from a bash/ps script up to proper Kubernetes deployment solutions like Helm.

KV flexvolume is open-source, so it could also be modified to handle this use case.

-- Daniel
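
The substitution step the answer describes, sketched as a shell function. This is an added example, not code from the answer or from the KV flexvolume project; the function names, exit codes and the character allowlist are assumptions. It fails closed when a variable is missing or contains characters that could alter the YAML.

```shell
#!/bin/sh
# Added example: render ${VAR} placeholders from exported environment variables.
# Placeholder names are the ones used in the question's deployment.yaml.
FLEXVOL_VARS="KV_NAME KV_OBJ_NAME TENANT_ID RESOURCE_GROUP SUB_ID"

# Reads a template on stdin, writes the rendered manifest on stdout.
# Exit codes (assumed): 1 unset variable, 2 unsafe value, 3 unresolved placeholder.
render_manifest() (
  script=""
  for name in $FLEXVOL_VARS; do
    value=$(printenv "$name") || value=""
    if [ -z "$value" ]; then
      echo "render_manifest: $name is unset or empty" >&2
      exit 1
    fi
    # Assumed conservative allowlist: spaces, quotes, colons or newlines
    # could change the YAML structure or the sed expression.
    case "$value" in
      *[!A-Za-z0-9._-]*)
        echo "render_manifest: $name contains unexpected characters" >&2
        exit 2 ;;
    esac
    # Emit the value double-quoted so YAML always parses it as a string.
    script="${script}$(printf 's|\\${%s}|"%s"|g;' "$name" "$value")"
  done
  out=$(sed -e "$script") || exit 1
  case "$out" in
    *'${'*)
      echo "render_manifest: unresolved placeholder in output" >&2
      exit 3 ;;
  esac
  printf '%s\n' "$out"
)

# Constructed sample input: the options block from the question.
sample_template() {
  cat <<'EOF'
options:
  keyvaultname: ${KV_NAME}
  keyvaultobjectname: ${KV_OBJ_NAME}
  keyvaultobjecttype: "secret"
  tenantid: ${TENANT_ID}
  resourcegroup: ${RESOURCE_GROUP}
  subscriptionid: ${SUB_ID}
EOF
}
# Usage: render_manifest < deployment.yaml | kubectl apply -f -
```

The `env:` entries in the container spec play no part in this: the volume options are read from the manifest text itself, so the rendered values have to be in place before `kubectl apply`.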
Source: StackOverflow