Using Kubernetes Secrets as Environment Variables

Madeesha Fernando
Apr 11 · 2 min read

When you create a Pod in Kubernetes, you can set environment variables for the containers that run in the Pod. To set them, use the ‘env’ field in the deployment YAML configuration file that is used to create the Pod.

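---
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; use apps/v1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-deployment
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: gateway
  template:
    metadata:
      labels:
        app: gateway
    spec:
      containers:
        - name: gateway
          image: "docker.cloud.wso2.com/onprem-gateway:2.5.0"
          imagePullPolicy: Always
          env:
            # Literal values: readable by anyone who can read this manifest
            - name: WSO2_CLOUD_ORG_KEY
              value: mycompany
            - name: WSO2_CLOUD_EMAIL
              value: sample-email@wso2.com
            - name: WSO2_CLOUD_PASSWORD
              value: password
          ports:
            - containerPort: 80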

Since the above environment variables contain sensitive information such as a username and password, it is better to store that information in Kubernetes Secrets. Another advantage is that multiple Pods can refer to a common Secret, so you do not need to replicate the same information in multiple places.

You can create a Kubernetes Secret using the following simple YAML file.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
# stringData takes plain strings; the API server stores them base64-encoded under 'data'
stringData:
  WSO2_CLOUD_ORG_KEY: "mycompany"
  WSO2_CLOUD_EMAIL: "sample-email@wso2.com"
  WSO2_CLOUD_PASSWORD: "password"

Then deploy the above secret file as follows:

kubectl apply -f mysecret.yaml

If you run the command below, you will see that the secret data was base64-encoded when it was deployed. Base64 is an encoding, not encryption, so anyone who can read the Secret can decode the values.

kubectl get secret mysecret -o yaml

Now you can easily access the above secret data from the container. See the modified deployment YAML file below, which uses the secret data as the values of the environment variables.

---
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; use apps/v1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-deployment
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: gateway
  template:
    metadata:
      labels:
        app: gateway
    spec:
      containers:
        - name: gateway
          image: "docker.cloud.wso2.com/onprem-gateway:2.5.0"
          imagePullPolicy: Always
          env:
            # Each value is read from a key of the Secret 'mysecret' at container start
            - name: WSO2_CLOUD_ORG_KEY
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: WSO2_CLOUD_ORG_KEY
            - name: WSO2_CLOUD_EMAIL
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: WSO2_CLOUD_EMAIL
            - name: WSO2_CLOUD_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: WSO2_CLOUD_PASSWORD
          ports:
            - containerPort: 80

Please modify the image name, label-name and environment variable details as per your requirements in the above files.
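A manifest check for the pattern this article replaces, as an added example that is not part of the original post: it flags sensitive-looking env vars that still carry a literal `value`, and decodes a Secret's `data` to show that the stored form is only base64. The name patterns, the helper functions and the sample objects (the JSON form of the manifests above, reduced to the fields used) are assumptions constructed for this example.

```python
import base64
import re

# Name patterns treated as sensitive (a heuristic chosen for this example).
SENSITIVE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|KEY|CREDENTIAL", re.I)


def plaintext_env(deployment):
    """Return 'container/VAR' for sensitive-looking env vars set with a literal value."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []):
        for var in container.get("env", []):
            # A literal has 'value'; a Secret reference has 'valueFrom.secretKeyRef'.
            if "value" in var and SENSITIVE.search(var["name"]):
                findings.append(f"{container['name']}/{var['name']}")
    return findings


def decode_secret(secret):
    """Decode the 'data' map of a Secret as the API returns it (base64, not encrypted)."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def _deployment(env):
    # Constructed sample: the article's gateway Deployment, only the fields used here.
    return {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
        {"name": "gateway", "env": env}]}}}}


def _ref(name):
    # Env entry that reads its value from the same-named key of 'mysecret'.
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": name}}}


BEFORE = _deployment([
    {"name": "WSO2_CLOUD_ORG_KEY", "value": "mycompany"},
    {"name": "WSO2_CLOUD_EMAIL", "value": "sample-email@wso2.com"},
    {"name": "WSO2_CLOUD_PASSWORD", "value": "password"},
])
AFTER = _deployment([_ref(n) for n in
                     ("WSO2_CLOUD_ORG_KEY", "WSO2_CLOUD_EMAIL", "WSO2_CLOUD_PASSWORD")])
# Constructed sample of the 'data' field shown by `kubectl get secret mysecret -o json`.
STORED = {"kind": "Secret", "data": {"WSO2_CLOUD_PASSWORD": "cGFzc3dvcmQ="}}

if __name__ == "__main__":
    print("before:", plaintext_env(BEFORE))
    print("after: ", plaintext_env(AFTER))
    print("decoded:", decode_secret(STORED))
```

The name heuristic does not flag WSO2_CLOUD_EMAIL, so extend the pattern list for values your organisation treats as sensitive.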


Faun

The Must-Read Publication for Aspiring Developers & DevOps Enthusiasts

Written by Madeesha Fernando, Senior Software Engineer at WSO2 | UOM SL graduate
