Environment Variables with Kubernetes Secrets
January 10, 2020
This article is an overview with an example of how to set environment variables for MariaDB or MySQL in a Kubernetes Pod container. Using Kubernetes secrets we can set environment variables in a Pod’s container.
Define a Secret in Kubernetes
The first step is to create a secret in Kubernetes. There are multiple ways to create a secret. This example will create a secret from the command line. Later we will save the secret into a YAML file, so it can be used for other containers in the future.
There are multiple types of secrets. We are going to create a generic type to hold our environment variables. We can create a generic type at the command line with literal values.
kubectl create secret generic mysqlpwd --from-literal=password=mypassword
This creates a secret called mysqlpwd that we can use in our Pod. It has a key named password with the value mypassword, which is stored base64 encoded.
It is a good idea to verify what we just created is accurate. To view the new secret and verify it is correct, run this command. This will display the output in YAML format and the variable will be encoded and not encrypted.
kubectl get secret mysqlpwd -o yaml
This will display our secret. Notice in the data section the key is password and the value will be base64 encoded and not
apiVersion: v1
data:
  password: bXlwYXNzd29yZA==
kind: Secret
metadata:
  name: mysqlpwd
  namespace: default
type: Opaque
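As an added example (not part of the original article), the shell snippet below shows what "encoded and not encrypted" means in practice: it decodes every value under data: in a Secret manifest, using the output above as embedded sample input. The function names sample_secret and decode_secret_data are hypothetical helpers introduced for this illustration.

```shell
#!/bin/sh
# Added example: base64 in a Secret manifest is an encoding, not protection.
# sample_secret reproduces the `kubectl get secret mysqlpwd -o yaml` output
# shown in this article, so the script runs without a cluster.
sample_secret() {
cat <<'EOF'
apiVersion: v1
data:
  password: bXlwYXNzd29yZA==
kind: Secret
metadata:
  name: mysqlpwd
  namespace: default
type: Opaque
EOF
}

# decode_secret_data (hypothetical helper): read a Secret manifest on stdin
# and print key=plaintext for each entry in its top-level `data:` map.
decode_secret_data() {
  awk '
    /^data:[[:space:]]*$/ { in_data = 1; next }  # entering the data map
    /^[^[:space:]]/       { in_data = 0 }        # next top-level key ends it
    in_data && NF == 2    { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key value; do
    # No key or passphrase is needed: decoding alone recovers the value.
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

sample_secret | decode_secret_data
```

Anyone who can read the Secret through the API, or who obtains a copy of a manifest saved to disk, recovers the value the same way, so access to both should be restricted like access to the password itself.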
Now that we have a secret created in K8s, let's create a Pod that will use it.
In the Pod’s configuration YAML file, there is a container for MySQL. The spec section has an env attribute where we can use our newly created secret. We name the environment variable and get the
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: default
spec:
  containers:
  - name: mysql
    image: mysql
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysqlpwd
          key: password
To see more options for
kubectl explain pod.spec.containers.env.valueFrom
Create a new Pod with the above Pod configuration YAML file. The environment variables will be available inside the Pod’s container. You can go inside the container and verify the environment variables exist.
Execute an interactive shell inside the container to view the
kubectl exec -it <pod-name> -- /bin/bash
root@mysql:/# env vars list here...
If you have multiple containers in a Pod, you will have to specify the container with -c <container> to get an interactive shell in that container.
Saving Secret In A YAML File
Using the commands to create a secret, you can view the YAML and save it to a configuration file for future use.
Use a combination of the output option -o yaml and the dry-run option --dry-run to see the YAML configuration.
kubectl create secret generic myuser --from-literal=user=sue -o yaml --dry-run
Once you verify it is correct you can redirect it to a YAML file.
kubectl create secret generic myuser --from-literal=user=sue -o yaml --dry-run > my-file-name.yaml
Now you can use the new YAML file to create a secret for different Pods.
Create generic secrets in K8s on the command line. Use the env spec in your Pod’s container to get the valueFrom your secret. For common environment variables create a secrets YAML file to easily create new variables for future Pods.