Reputation: 141
Value of Kubernetes secret in environment variable seems incorrect
I'm deploying a test application onto kubernetes on my local computer (minikube) and trying to pass database connection details into a deployment via environment variables.
I'm passing in these details using two methods - a ConfigMap and a Secret. The username (DB_USERNAME) and connection url (DB_URL) are passed via a ConfigMap, while the DB password is passed in as a secret (DB_PASSWORD).
My issue is that while the values passed via ConfigMap are fine, the DB_PASSWORD from the secret appears jumbled - like there's some encoding issue (see image below).
My deployment yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
envFrom:
- configMapRef:
name: gweb-cm
- secretRef:
name: password
My ConfigMap and Secret yaml
apiVersion: v1
data:
DB_URL: jdbc:mysql://mysql/test?serverTimezone=UTC
DB_USERNAME: webuser
SPRING_PROFILES_ACTIVE: prod
SPRING_DDL_AUTO: create
kind: ConfigMap
metadata:
name: gweb-cm
---
apiVersion: v1
kind: Secret
metadata:
name: password
type: Generic
data:
DB_PASSWORD: test
Not sure if I'm missing something in my Secret definition?
Upvotes: 0
Views: 1880
Answers (2)
Reputation: 83
You can specify Kubernetes Secret values either using data key or stringData key.
When you use data key, you have to encode values in base64. When you use stringData key, Kubernetes encodes values to base64 for you.
stringData is more convenient for a human but you cannot pass binary data this way. In those cases you must use data and encode to base64.
You can also combine both approaches.
Following two manifests are equivalent.
First one uses data key:
apiVersion: v1
kind: Secret
metadata:
name: password
type: Opaque
data:
DB_PASSWORD: dGVzdA== # output from: `echo -n test | base64`
and second manifest uses stringData key:
apiVersion: v1
kind: Secret
metadata:
name: password
type: Opaque
stringData:
DB_PASSWORD: test
See documenation Secret | Kubernetes.
Upvotes: 0
Reputation: 8617
The secret value should be base64 encoded. Instead of test, use the output of
echo -n 'test' | base64
P.S. the Secret's type should be Opaque, not Generic
Upvotes: 1
Related Questions
- Set environment variable in kubernetes secret
- Env variable from AWS Secrets Manager in Kubernetes
- Kubernetes pod environment variable not updated when mapped from secret
- Setting secrets as environment variables in deployment file
- Setting environment variables in kubernetes manifest using "kubectl set env"
- Kubernetes Secret is not stored in encoded format in environment variables
- Use Kubernetes Secret as Environment Variable when secret is create from a file
- Does k8 update environment variables when secrets change?
- Kubernetes environment variable not being correctly used in command
- kubernetes secrets have trailing whitespace in environment variables