
Is it possible to write an existing environment variable into a file from a Kubernetes deployment.yaml file?

The background: I've already parsed a JSON containing secrets. Now, I'd like to store that secret in a local file.

So far, I've tried something like this:

      lifecycle:
        postStart:
          exec:
            # exec hooks only take `command`; the shell string goes in the list
            command: ["/bin/sh", "-c", "echo $PRIVATE_KEY > /var/private.key"]

(I've set up /var/ as an empty writeVolume.)

Or perhaps there is a completely different way to do this, such as storing the secret in its own, separate secret?

2 Answers


Usually when we need to read some secrets from a secret manager, we use an init container, and we create an emptyDir shared between the pods to write the secrets and access them from the other containers. In this case you can use a different docker image with the secret manager dependencies and creds, without installing those dependencies and providing the creds to the main container:

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  initContainers:
  - name: init-container
    image: alpine
    command:
    - /bin/sh
    - -c
    - 'echo "test_value" > /mnt/volume/var.txt'
    volumeMounts:
    - mountPath: /mnt/volume
      name: shared-storage
  containers:
  - image: alpine
    name: test-container
    command:
    - /bin/sh
    - -c
    - 'READ_VAR=$(cat /mnt/volume/var.txt) && echo "main_container: ${READ_VAR}"'
    volumeMounts:
    - mountPath: /mnt/volume
      name: shared-storage
  volumes:
  - name: shared-storage
    emptyDir: {}

Here is the log:

$ kubectl logs test-pd
main_container: test_value

2 Comments

This might be what I'm looking for. Why the need for the init container? Can't it all be done in one container?
That depends on your use case. If the main container has access to this variable, yes, you can do that, but in other use cases, as I mentioned in my answer, if you want to read a secret from somewhere you probably need to install some libs and add some credentials. In order to avoid increasing the docker image size and adding these creds to the main image, we do that in the init container. Also, if you have multiple containers, the init container can do that once before starting the other containers…
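The init-container pattern from this answer applied to the question's case, as an added example rather than the answer's own manifest: the value of PRIVATE_KEY is taken from a Secret (assumed to be named app-secrets with key private-key) and written into a tmpfs-backed emptyDir, so only the short-lived init container ever has the key in its environment and the main container just reads the file.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      volumes:
      - name: secret-files
        emptyDir:
          medium: Memory          # tmpfs: the written key never lands on node disk
      initContainers:
      - name: write-secret-file
        image: alpine:3.19
        env:
        - name: PRIVATE_KEY       # assumption: Secret app-secrets / key private-key exists
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: private-key
        command:
        - /bin/sh
        - -c
        - |
          set -eu
          umask 077                # file is created 0600, owned by the init user
          # printf, not echo: no -e/-n option parsing, exact bytes written
          printf '%s' "$PRIVATE_KEY" > /mnt/secrets/private.key
        volumeMounts:
        - name: secret-files
          mountPath: /mnt/secrets
      containers:
      - name: app
        image: alpine:3.19
        # main container has no PRIVATE_KEY env var; it only sees the file
        command: ["/bin/sh", "-c", "ls -l /etc/app/private.key && exec sleep infinity"]
        volumeMounts:
        - name: secret-files
          mountPath: /etc/app
          readOnly: true
```

If the value needs no transformation before use, mounting the Secret itself as a volume produces one file per key without any init container, with the same benefit of keeping the key out of the main container's environment.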

Rather than using postStart, I'd suggest you use an init container; the postStart hook doesn't guarantee that it will be executed before the container ENTRYPOINT.

You can define your environment variables in your deployment manifest, by setting static values or referencing a configMap or secret. Your init container would run a bash script that writes the content of each variable to a file.

A second approach would be to mount a configMap as a volume inside your pod, e.g.:

apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  SPECIAL_LEVEL: very
  SPECIAL_TYPE: charm
---
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "ls /etc/config/" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        # Provide the name of the ConfigMap containing the files you want
        # to add to the container
        name: special-config
  restartPolicy: Never

That would create two files inside /etc/config, named as the key defined in your configMap with the content of its value.

4 Comments

Probably accepted, but need to try. Can you explain what "ls /etc/config/" is doing there? Why list the files?
It was just an example, you can read more about it here kubernetes.io/docs/tasks/configure-pod-container/…
Doesn't seem that example really applies...
@CharlieDalsass that's a second approach, if you strictly want to write everything to a file, then use the first one using an init container.
