CODEWITHSUNDEEP
kubernetes
ysn
ysn

Reputation: 175

Kubernetes pod environment variable not updated when mapped from secret

I am trying to map kubernetes secret value to a environment variable . My secret is as shown below

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: opaque
data:
  tls.crt: {{ required "A valid value is required for tls.crt"  .Values.tlscrt }}

Mapped the key to environment variable in the deployment yaml

 env:
 - name: TEST_VALUE
   valueFrom:
       secretKeyRef:
          name: test-secret
          key: tls.crt

The value gets mapped when i do helm install. However when i do helm upgrade , the changed value is not reflected in the environment variable , it still has the old value. Can anyone please help here ?

Upvotes: 2

Views: 3415

Answers (1)

anemyte
anemyte

Reputation: 20286

If the configMap is used to store pod environment variables

ConfigMaps consumed as environment variables are not updated automatically and require a pod restart.

There are ways to automate pod restarts on configMap changes, see here for example: Helm chart restart pods when configmap changes

If the configMap is mounted as a file

In this case pod should see an update, although with some delay:

When a ConfigMap currently consumed in a volume is updated, projected keys are eventually updated as well. The kubelet checks whether the mounted ConfigMap is fresh on every periodic sync. However, the kubelet uses its local cache for getting the current value of the ConfigMap. The type of the cache is configurable using the configMapAndSecretChangeDetectionStrategy field in the KubeletConfiguration struct. A ConfigMap can be either propagated by watch (default), ttl-based, or by redirecting all requests directly to the API server. As a result, the total delay from the moment when the ConfigMap is updated to the moment when new keys are projected to the Pod can be as long as the kubelet sync period + cache propagation delay, where the cache propagation delay depends on the chosen cache type (it equals to watch propagation delay, ttl of cache, or zero correspondingly).

Quotes taken from https://kubernetes.io/docs/concepts/configuration/configmap/#mounted-configmaps-are-updated-automatically (thanks to @jeremysprofile)

Upvotes: 4

Related Questions