Environment Variables with Kubernetes Secrets
January 10, 2020
This article is an overview with an example of how to set environment variables for MariaDB or MySQL in a Kubernetes Pod container. Using Kubernetes secrets we can set environment variables in a Pod’s container.
Define a Secret in Kubernetes
The first step is to create a secret in Kubernetes. There are multiple ways to create a secret. This example will create a secret from the command line. Later we will save the secret into a YAML file, so it can be used for other containers in the future.
There are multiple types of secrets. We are going to create a generic type to hold our environment variables. We can create a generic type at the command line with literal values.
kubectl create secret generic mysqlpwd --from-literal=password=mypassword
This will create a secret we can use in our Pod. The secret is called mysqlpwd and it has a key named password with the value mypassword, which is stored base64 encoded.
It is a good idea to verify that what we just created is accurate. To view the new secret, run this command. It displays the output in YAML format, and the value will be encoded, not encrypted.
kubectl get secret mysqlpwd -o yaml
This will display our secret. Notice that in the data section the key is password and the value is base64 encoded, not encrypted, so anyone who can read the Secret can decode it.
apiVersion: v1
data:
  password: bXlwYXNzd29yZA==
kind: Secret
metadata:
  name: mysqlpwd
  namespace: default
type: Opaque
Now that we have a secret created in K8s, let's create a Pod that will use it.
In the Pod’s configuration YAML file, there is a container for MySQL. The container’s spec section has an env attribute where we can use our newly created secret. We name the environment variable and get the valueFrom our secret.
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: default
spec:
  containers:
  - name: mysql
    image: mysql
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysqlpwd
          key: password
To see more options for valueFrom, use explain:
kubectl explain pod.spec.containers.env.valueFrom
Create a new Pod with the above Pod configuration YAML file. The environment variables will be available inside the Pod’s container. You can go inside the container and verify the environment variables exist.
Execute an interactive shell inside the container to view the env variables.
kubectl exec -it <pod-name> -- /bin/bash
root@mysql:/# env
vars list here. . .
If you have multiple containers in a Pod, you will have to specify the container with -c <container> to get an interactive shell in that container.
Saving Secret In A YAML File
Using the commands to create a secret, you can view the YAML and save it to a configuration file for future use.
Use a combination of the output option -o yaml and the dry-run option --dry-run to see the YAML configuration.
kubectl create secret generic myuser --from-literal=user=sue -o yaml --dry-run
Once you verify it is correct you can redirect it to a YAML file.
kubectl create secret generic myuser --from-literal=user=sue -o yaml --dry-run > my-file-name.yaml
Now you can use the new YAML file to create a secret for different Pods.
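The following is an added example, not part of the original article. It decodes the two Secrets created above and checks that every secretKeyRef in the Pod points at a Secret and key that exist. The JSON is constructed sample data modelled on the article's manifests, and the MYSQL_USER entry with its key name username is a hypothetical mismatch added to show the failure case.

```python
import base64
import json

# Constructed sample data: the article's two Secrets and its Pod in JSON form,
# trimmed to the fields used here (as `kubectl get <kind> <name> -o json` prints them).
SECRETS_JSON = """[
 {"kind": "Secret", "metadata": {"name": "mysqlpwd"}, "data": {"password": "bXlwYXNzd29yZA=="}},
 {"kind": "Secret", "metadata": {"name": "myuser"}, "data": {"user": "c3Vl"}}
]"""
# MYSQL_USER is a constructed extra entry that asks for a key the Secret lacks.
POD_JSON = """{"kind": "Pod", "metadata": {"name": "mysql"}, "spec": {"containers": [
 {"name": "mysql", "image": "mysql", "env": [
  {"name": "MYSQL_ROOT_PASSWORD",
   "valueFrom": {"secretKeyRef": {"name": "mysqlpwd", "key": "password"}}},
  {"name": "MYSQL_USER",
   "valueFrom": {"secretKeyRef": {"name": "myuser", "key": "username"}}}
 ]}]}}"""


def decode_secrets(secrets):
    """Return {secret name: {key: plaintext}}; base64 needs no key to reverse."""
    return {s["metadata"]["name"]:
            {k: base64.b64decode(v).decode("utf-8") for k, v in s.get("data", {}).items()}
            for s in secrets}


def resolve_env(pod, decoded):
    """Return (container, variable, status, value) for every env entry in the Pod."""
    rows = []
    for container in pod["spec"]["containers"]:
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref is None:
                status, value = "not-from-secret", env.get("value")
            elif ref["name"] not in decoded:
                status, value = "missing-secret", None
            elif ref["key"] not in decoded[ref["name"]]:
                status, value = "missing-key", None
            else:
                status, value = "ok", decoded[ref["name"]][ref["key"]]
            rows.append((container["name"], env["name"], status, value))
    return rows


def audit():
    """Run the check over the constructed sample data above."""
    return resolve_env(json.loads(POD_JSON), decode_secrets(json.loads(SECRETS_JSON)))


if __name__ == "__main__":
    for row in audit():
        print(*row)
```

The "ok" row shows the plaintext the container receives, recovered with nothing but read access to the Secret. A "missing-key" or "missing-secret" row marks a reference that will keep the container from starting unless it is declared optional.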
Summary
Create generic secrets in K8s on the command line. Use the env spec in your Pod’s container to get the valueFrom your secret. For common environment variables create a secrets YAML file to easily create new variables for future Pods.