skip to Main Content

I have a service which needs secret to be available before the pod starts.
I added a volume for secret

    - name: cert
      secret:
        secretName: service-bhr-proxy-certificate

This volume is mounted in init-container.

        image: gaming-nginx-ssl-proxy:1.0.0
        imagePullPolicy: IfNotPresent
        name: service-bhr-proxy-certificate
        volumeMounts:
        - mountPath: /etc/nginx/certs_intermit
          name: cert

My understanding is secret file will available under /etc/nginx/certs_intermit before container starts. I even tried creating a another empty volume and mounting it on init-container and copying the secret to it. No luck. Any kind of help is appreciated.

2

Answers


  1. Did you tried mounting the volume to main container also ?

    Please refer this:

    spec:
      template:
        spec:
          containers:
          - image: "my-image:latest"
            name: my-app
            ...
            volumeMounts:
              - mountPath: "/var/my-app"
                name: ssh-key
                readOnly: true
         initContainers:
         - command:
         - sh
         - -c
         - chown -R 1000:1000 /var/my-app #if any changes required
         image: busybox:1.29.2
         name: set-dir-owner
         securityContext:
           privileged: true
         volumeMounts:
         - mountPath: /var/my-app
           name: ssh-key
        volumes:
            - name: ssh-key
              secret:
                secretName: ssh-key
    

    Full example

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: secret-manager
      labels:
        app: my-app
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
        spec:
          volumes:
          - name: secret-volume
            emptyDir: {}
          initContainers:
          - name: init-secret
            image: <Imagename>:latest
            imagePullPolicy: Always
            env:
            - name: SECRET_FILE_PATH
              value: "/secret/secret.env"
            volumeMounts:
              - mountPath: /secret
                name: secret-volume
          containers:
          - name: main-app
            image: busybox
            imagePullPolicy: Always
            command: ["/bin/sh", "-c"]
            args:
              - "source /secret/secret.env && while true; do echo 'nn$DB_PASSWORD = '$DB_PASSWORD; echo 'nContents of secret.env file:'; cat /secret/secret.env;  sleep 2; done"
            env:
              - name: SECRET_FILE_PATH
                value: "/secret/secret.env"
            volumeMounts:
              - mountPath: /secret
                name: secret-volume
    
    Login or Signup to reply.
  2. In your case, you need to use a shared volume. And you need to Mount this volume both in the init-container and main container. Then data or file will be in main-container of the pod. you can read more about shared volume here.

    Lets discuss a example here:

    step-1: First we need create a secret. Lets create a dummy one.

    secret.yaml

    apiVersion: v1
    kind: Secret
    metadata:
      name: server-secert
      namespace: demo
    type: Opaque
    stringData:
      # You can include additional key value pairs as you do with Opaque Secrets
      hello.txt: "hello from secret"
      demo.txt: "this is a demo"
    

    let’s apply this one:

    kubectl apply -f secret.yaml
    

    step-2 Now, Lets create a pod with shared volume mount in init-container and also on main container.

    apiVersion: v1
    kind: Pod
    metadata:
      name: shared-demo
      namespace: demo
    spec:
      initContainers:
      - name: init-secret
        image: alpine
        imagePullPolicy: Always
        volumeMounts:
          - mountPath: /shared
            name: shared-volume
      containers:
      - name: main-app
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c"]
        args:
          - "ls /shared; cat /shared/hello.txt; sleep 3600;"
        volumeMounts:
          - mountPath: /shared
            name: shared-volume
      volumes: 
        - name: shared-volume
          secret:
            secretName: server-secert
    

    Now let’s apply this one:

    kubectl apply -f pod.yaml
    

    then you can see the log:

    kubectl logs -n demo shared-demo
    

    you can also check with exec into pod:

    kubectl exec -it -n demo shared-demo -c main-app -- sh
    
    

    let’s ls /shared path.

    ls /shared
    
    $ cat /shared/demo.txt
    this is a demo
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search