Reputation: 2404
When using Kubernetes .yml files, I can do the following:

$ cat configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  foo: ${FOO}
  bar: ${BAR}
  static: doesNotChange
$ export FOO=myFooVal
$ export BAR=myBarVal
$ cat configmap.yml | envsubst | kubectl apply -f -

This would replace ${FOO} and ${BAR} in the configmap.yml file before actually applying the file to the cluster.

How could I achieve the very same behavior with a Kubernetes secret which has its data values base64 encoded?

I would need to read all the keys in the data: field, decode the values, apply the environment variables and encode it again.

A tool to decode and encode the data: values in place would be much appreciated.
Upvotes: 1
Views: 1820
Reputation: 2404
It is actually possible to store the secret.yml with stringData instead of data, which allows keeping the files in plain text (SOPS encryption is still possible and encouraged).

$ cat secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: default
type: Opaque
stringData:
  dotenv: |
    DATABASE_URL="postgresql://test:test@localhost:5432/test?schema=public"
    API_PORT=${PORT}
    FOO=${FOO}
    BAR=${BAR}
$ export PORT=80
$ export FOO=myFooValue
$ export BAR=myBarValue
$ cat secret.yml | envsubst | kubectl apply -f -

A definite plus is that this allows not only creating the secret but also updating it.

Just for documentation, here would be the full call with SOPS:

$ sops --decrypt secret.enc.yml | envsubst | kubectl apply -f -
Upvotes: 1
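The decode, substitute, re-encode step the question asks for, as an added example that is not part of the original posts: it expands ${NAME} in both data: (base64) and stringData: values and, unlike a bare envsubst, stops on an unset variable instead of writing an empty value into the secret. It assumes the manifest is supplied as JSON; the function names, DEMO_ENV and SAMPLE are constructed for this illustration.

```python
import base64
import json
import os
import re
import sys

# Only the ${NAME} form used on this page is expanded; a bare "$" is left
# alone so that passwords containing "$" pass through unchanged.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample manifest and values (not taken from a real cluster).
DEMO_ENV = {"FOO": "myFooVal", "BAR": "myBarVal", "PORT": "80"}
SAMPLE = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "test-secret", "namespace": "default"},
    "data": {"dotenv": base64.b64encode(b"FOO=${FOO}\nBAR=${BAR}\n").decode()},
    "stringData": {"port": "${PORT}"},
})

def substitute(text, env):
    """Expand ${NAME} from env; an unset name is an error, not ''."""
    def repl(match):
        if match.group(1) not in env:
            raise KeyError("unset variable: " + match.group(1))
        return env[match.group(1)]
    return PLACEHOLDER.sub(repl, text)

def render_secret(manifest_json, env):
    """Return the Secret manifest as JSON text with placeholders expanded."""
    secret = json.loads(manifest_json)
    if secret.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    for key, b64 in (secret.get("data") or {}).items():
        raw = base64.b64decode(b64, validate=True)
        try:
            plain = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary value (e.g. a keystore): leave it untouched
        secret["data"][key] = base64.b64encode(
            substitute(plain, env).encode("utf-8")).decode("ascii")
    for key, plain in (secret.get("stringData") or {}).items():
        secret["stringData"][key] = substitute(plain, env)
    return json.dumps(secret, indent=2)

if __name__ == "__main__":
    # Piped manifest with the real environment, else the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    args = (piped, os.environ) if piped.strip() else (SAMPLE, DEMO_ENV)
    print(render_secret(*args))
```

kubectl accepts JSON manifests, so the output can be piped to kubectl apply -f - in the same position envsubst occupies in the commands above.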