kubernetes yaml kubernetes-helm kubernetes-secrets

helm reference secret in deployment yaml


I'm looking for a possible way to reference the secrets in my deployment.yaml (1 liner)

Currently I'm using the

containers:
        - name: {{ template "myapp.name" . }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: Always
          env:
            - name: COUCHDB_USER
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-secrets
                  key: COUCHDB_USER
            - name: COUCHDB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-secrets
                  key: COUCHDB_PASSWORD

With the minimal modification possible, I want to achieve something like this:

containers:
        - name: {{ template "myapp.name" . }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: Always
          env:
            - name: COUCHDB_URL
              value: http://${COUCHDB_USER}:${COUCHDB_PASSWORD}@{{ .Release.Name }}-couchdb:5984

Just curious if I can do this in 1 step during the deployment, instead of passing 2 env vars and parsing them in my application.


Solution

  • I am not seeing any way to achieve it without setting COUCHDB_USER and COUCHDB_PASSWORD in the container env.

    One workaround is that you can specify your secret in container.EnvFrom, and all your secret keys will be converted to environment variables. Then you can use those environment variables to create your composite env (i.e., COUCHDB_URL).

    FYI, to create an env from another env in Kubernetes, () is used. Curly braces {} won't work at this very moment.


    One sample is:

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      COUCHDB_USER: YWRtaW4=
      COUCHDB_PASSWORD: MWYyZDFlMmU2N2Rm
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-env-pod
    spec:
      containers:
      - name: mycontainer
        image: redis
        envFrom:
        - secretRef:
            name: mysecret
        env:
        - name: COUCHDB_URL
          value: http://$(COUCHDB_USER):$(COUCHDB_PASSWORD)rest-of-the-url
    

    You can confirm the output with:

    $ kubectl exec -it secret-env-pod -- bash
    
    root@secret-env-pod:/data# env | grep COUCHDB
    COUCHDB_URL=http://admin:1f2d1e2e67dfrest-of-the-url
    COUCHDB_PASSWORD=1f2d1e2e67df
    COUCHDB_USER=admin
    

    In your case, the YAML for the container is:

        containers:
        - name: {{ template "myapp.name" . }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: Always
          envFrom:
          - secretRef:
              name: {{ .Release.Name }}-secrets
          env:
          - name: COUCHDB_URL
            value: http://$(COUCHDB_USER):$(COUCHDB_PASSWORD)@{{ .Release.Name }}-couchdb:5984
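
The expansion rules this answer relies on, as an added example that is not part of the original answer and is not Kubernetes' own code: a simplified Python model of how a container env `value` is expanded ($(NAME) is substituted, ${NAME} is not, unresolved references stay literal, $$ escapes). It also shows that the substitution is purely textual, so a credential containing URL-reserved characters changes how the composite URL parses. The host name myrelease-couchdb and the password p@ss/word are constructed sample values.

```python
import re
from urllib.parse import quote, urlsplit

# "$$" is the escape, "$(NAME)" is a reference; "${NAME}" matches neither.
_REF = re.compile(r"\$\$|\$\(([^)]*)\)")


def expand(value, defined):
    """Simplified model of how Kubernetes expands an env entry's `value`."""
    def substitute(match):
        if match.group(0) == "$$":
            return "$"  # "$$(X)" yields the literal "$(X)"
        # Unresolvable references are left in the string unchanged.
        return defined.get(match.group(1), match.group(0))
    return _REF.sub(substitute, value)


def container_env(secret, env):
    """envFrom keys are defined first; each env entry sees only earlier names."""
    defined = dict(secret)
    for name, value in env:
        defined[name] = expand(value, defined)
    return defined


def couchdb_url(password, template):
    """Render COUCHDB_URL for a given secret value (host name is constructed)."""
    secret = {"COUCHDB_USER": "admin", "COUCHDB_PASSWORD": password}
    return container_env(secret, [("COUCHDB_URL", template)])["COUCHDB_URL"]


PAREN = "http://$(COUCHDB_USER):$(COUCHDB_PASSWORD)@myrelease-couchdb:5984"
BRACE = "http://${COUCHDB_USER}:${COUCHDB_PASSWORD}@myrelease-couchdb:5984"

if __name__ == "__main__":
    # Password from the answer's sample Secret: expands as shown there.
    print(couchdb_url("1f2d1e2e67df", PAREN))
    # Brace syntax from the question reaches the container verbatim.
    print(couchdb_url("1f2d1e2e67df", BRACE))
    # Constructed password with URL-reserved characters: substitution is
    # textual, so a URL parser now sees a different host.
    bad = couchdb_url("p@ss/word", PAREN)
    print(bad, "-> host:", urlsplit(bad).hostname)
    # Storing the value percent-encoded in the Secret keeps the URL intact.
    ok = couchdb_url(quote("p@ss/word", safe=""), PAREN)
    print(ok, "-> host:", urlsplit(ok).hostname)
```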