skip to Main Content

I am trying to update a helm-deployed deployment so that it uses a secret stored as a k8s secret resource. This must be set as the STORAGE_PASSWORD environment variable in my pod.

In my case, the secret is in secrets/redis and the data item is redis-password:

$ kubectl get secret/redis -oyaml
apiVersion: v1
data:
  redis-password: XXXXXXXXXXXXXXXX=
kind: Secret
metadata:
  name: redis
type: Opaque

I have tried:

$ kubectl set env --from secret/redis deployment/gateway --keys=redis-password
Warning: key redis-password transferred to REDIS_PASSWORD
deployment.apps/gateway env updated

When I look in my updated deployment manifest, I see the variable has been added but (as suggested) the variable has been set to REDIS_PASSWORD:

        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: redis-password
              name: redis

I have also tried kubectl patch with a replace operation, but I can’t get the syntax correct to have the secret inserted.

How do I change the name of the environment variable to STORAGE_PASSWORD?

2

Answers


  1. you may also update resources with kubectl edit:

    kubectl edit deployment gateway
    

    then edit the yaml file

        # - name: REDIS_PASSWORD
        - name: STORAGE_PASSWORD
          valueFrom:
            secretKeyRef:
              key: redis-password
              name: redis
    

    FYI: https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#kubectl-edit

    Login or Signup to reply.
  2. Given a deployment that looks like this:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
    spec:
      replicas: 1
      template:
        spec:
          containers:
            - image: alpinelinux/darkhttpd
              name: darkhttpd
              args:
                - --port
                - "9991"
              ports:
                - name: http
                  protocol: TCP
                  containerPort: 9991
              env:
                - name: EXAMPLE_VAR
                  value: example value
    

    The syntax for patching in your secret would look like:

    kubectl patch deploy/example --patch='
      {
        "spec": {
          "template": {
            "spec": {
              "containers": [
                {
                  "name": "darkhttpd",
                  "env": [
                    {
                      "name": "STORAGE_PASSWORD",
                      "valueFrom": {
                        "secretKeyRef": {
                          "name": "redis",
                          "key": "redis-password"
                        }
                      }
                    }
                  ]
                }
              ]
            }
          }
        }
      }
    '
    

    Or using a JSONPatch style patch:

    kubectl patch --type json deploy/example --patch='
    [
      {
        "op": "add",
        "path": "/spec/template/spec/containers/0/env/-",
        "value": {
          "name": "STORAGE_PASSWORD",
          "valueFrom": {
            "secretKeyRef": {
              "name": "redis",
              "key": "redis-password"
            }
          }
        }
      }
    ]
    '
    

    Neither one is especially pretty because you’re adding a complex nested structure to an existing complex nested structure.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search