How does AKS handle the .env file in a container?

11/10/2021

Assume there is a backend application with a private key stored in a .env file.

For the project file structure:

|-App files
|-Dockerfile
|-.env

If I run the docker image locally, the application can be reached normally by using a valid public key during the API request. However, if I deploy the container into an AKS cluster by using the same docker image, the application fails.

I am wondering how a container in an AKS cluster handles the .env file. What should I do to solve this problem?

-- Yuk Chan
azure-aks
containers
docker
environment-variables
kubernetes

1 Answer

11/18/2021

Moving this out of comments for better visibility.


First and most important: docker is not the same as kubernetes. What works on docker won't work directly on kubernetes. Docker is a container runtime, while kubernetes is a container orchestration tool which sits on top of docker (not always docker now; containerd is used as well).

There are many resources on the internet which describe the key differences. For example, this one is from the Microsoft docs.


First configmaps and secrets should be created:

Creating and managing configmaps and creating and managing secrets

There are different types of secrets which can be created.


  1. Use configmaps/secrets as environment variables.

Referring to configMaps and secrets as environment variables then looks like this (configmaps and secrets have the same structure):

apiVersion: v1
kind: Pod
metadata:
  name: pod-example
spec:
  containers:
    - ...
      env:
        - name: ADMIN_PASS
          valueFrom:
            secretKeyRef: # secretKeyRef is used here for sensitive data
              key: admin
              name: admin-password
        - name: MYSQL_DB_STRING
          valueFrom:
            configMapKeyRef: # this is not sensitive data, so a configmap can be used
              key: db_config
              name: connection-string # object names cannot contain underscores
      ...

  2. Use configmaps/secrets as volumes (it will be presented as file).

Below is an example of using secrets as files mounted in a specific directory:

apiVersion: apps/v1
kind: Deployment
metadata:
...
    spec:
      containers:
      - ...
        volumeMounts:
        - name: secrets-files
          mountPath: "/mnt/secret.file1"  # "secret.file1" file will be created in "/mnt" directory
          subPath: secret.file1
      volumes:
        - name: secrets-files
          secret:
            secretName: my-secret # name of the Secret

There's a good article which explains and shows use cases of secrets as well as their limitations, e.g. size is limited to 1Mb.

-- moonkotte
Source: StackOverflow
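
To move the values of a .env file into a Secret, as the answer above suggests, the following added example (not part of the original question or answer) parses .env text and builds a v1 Secret manifest. The Secret name `backend-env` and the sample keys and values are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample .env content (not taken from the original post).
SAMPLE_ENV = """\
# backend settings
export API_PRIVATE_KEY="constructed-placeholder-value"
DB_HOST=db.internal.example
EMPTY=
not a valid line
"""

# Keys become environment variable names, so keep to shell identifier form.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_dotenv(text):
    """Parse KEY=VALUE lines; skip blanks and comments, collect bad line numbers."""
    pairs, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not _KEY_RE.match(key):
            rejected.append(lineno)  # record the line number only, never its content
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop one pair of surrounding quotes
        pairs[key] = value
    return pairs, rejected


def secret_manifest(name, pairs, namespace="default"):
    """Build a v1 Secret; values under .data must be base64-encoded."""
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in pairs.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


if __name__ == "__main__":
    pairs, rejected = parse_dotenv(SAMPLE_ENV)
    print(json.dumps(secret_manifest("backend-env", pairs), indent=2))
    print("skipped lines:", rejected)
```

The JSON output can be piped to `kubectl apply -f -`, and the keys are then referenced with `secretKeyRef` as in the Pod example above. `kubectl create secret generic backend-env --from-env-file=.env` produces an equivalent Secret without a script.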