Trying to follow the use-case examples given in the official Kubernetes documentation for using secrets as environment variables (referenced here), I made both my secret and my deployment YAML (which includes a pod spec) as follows:
Secret YAML:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  LOCAL_UID: dsdgvreRBRBBsdd=
  LOCAL_PWD: MmSDkfKDODbOU4NCg==
which is written to the namespace by doing:
kubectl apply -f my-secret.yaml
Likewise, here is the deployment YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      terminationGracePeriodSeconds: 30
      containers:
        - name: my-app
          env:
            - name: REPO_APP_URL
              value: https://repo.myco.com/project.tar.gz
          envFrom:
            - secretRef:
                name: my-secret
          image: repo.myco.com/images/node-alpine:0.1.6
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 15
          securityContext:
            runAsUser: 1000
      imagePullSecrets:
        - name: regcredepg
This is run by doing the following:
kubectl apply -f my-app.yaml
This actually works great given:
- the imagePullSecrets directive is included in the deployment YAML.
- that the name value given in the imagePullSecrets section is not the actual secret used in the envFrom: - secretRef: section.
If I try to set the name of the imagePullSecrets name field to my-secret, the pod fails to load (saying Error from server (BadRequest): container "my-app" in pod "my-app-597bb6c9b4-lh8rg" is waiting to start: image can't be pulled).
Also, it won't allow me to simply remove the imagePullSecrets section of the YAML in the pod spec, even though the documentation claims it is optional.
So, the only way this will work is if I include the imagePullSecrets reference to a valid secret that I am not using in my envFrom: - secretRef: section. I am sure I am missing some logical obvious issue here. Can anyone shed light on this??
imagePullSecrets has a different format than just the ID and password. You need to specify the registry FQDN and the username and password. You can find more information in Pull an Image from a Private Registry.
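The format the answer describes, as an added example that is not part of the original question or answer: an image pull secret is of type kubernetes.io/dockerconfigjson and holds a JSON document keyed by registry FQDN, which is why the Opaque my-secret with LOCAL_UID/LOCAL_PWD keys cannot serve as one. The secret name, registry, username and password below are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: build a kubernetes.io/dockerconfigjson Secret manifest offline.
# All names and credentials here are constructed placeholders.

# Single-line base64 (GNU base64 wraps long output; Kubernetes wants one line).
b64() { base64 | tr -d '\n'; }

# Escape backslashes and double quotes so the value is a valid JSON string.
# Assumption: values contain no control characters.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Build the .dockerconfigjson payload:
#   {"auths": {"<registry FQDN>": {"username", "password", "auth"}}}
# where "auth" is base64("username:password").
docker_config_json() {
  local registry=$1 user=$2 pass=$3 auth
  auth=$(printf '%s:%s' "$user" "$pass" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$(json_escape "$registry")" "$(json_escape "$user")" \
    "$(json_escape "$pass")" "$auth"
}

# Emit a Secret manifest that a pod spec's imagePullSecrets can reference.
pull_secret_manifest() {
  local name=$1 registry=$2 user=$3 pass=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config_json "$registry" "$user" "$pass" | b64)
EOF
}

# Constructed sample values; pipe the output to "kubectl apply -f -" to create it.
pull_secret_manifest regcred-example registry.example.com example-user 'example-pass'
```

The manifest carries the registry password in reversible base64, so treat the generated file like the credential itself and keep it out of version control.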