24

I use a Kubernetes Init container to provision the application's database. After this is done I want to provide the DB's credentials to the main container via environment variables.

How can this be achieved?

I don't want to create a Kubernetes Secret inside the Init container, since I don't want to save the credentials there!

3
  • Are the credentials generated by init container? If no, you can store credentials in K8s secret before running the application and expose it to both containers via env vars. Commented Mar 30, 2018 at 12:32
  • How about using a shared volume? If you really need environment variables you could potentially set them in the main container based on the content of files. Commented Mar 30, 2018 at 15:06
  • 1. Credentials are generated by the Init Container. 2. I also thought about a shared volume; but where to mount the shared volume in a Linux Alpine container in order to source the env variables inside on startup? ... or at which point to run the source command for the environment variables in the shared file? Commented Apr 3, 2018 at 18:57

1 Answer

14

I see several ways to achieve what you want:

  1. From my perspective, the best way is to use Kubernetes Secret. @Nebril has already provided that idea in the comments. You can generate it by Init Container and remove it by PreStop hook, for example. But, you don't want to go that way.

  2. You can use a shared volume which will be used by the InitContainer and your main pod. The InitContainer will generate the environment variables file db_cred.env in the volume, which you can mount, for example, at the /env path. After that, you can load it by modifying the command of your container in the Pod spec and adding the command source /env/db_cred.env before the main script which will start your application. @user2612030 already gave you that idea.

  3. Another alternative can be Vault by HashiCorp; you can use it as storage for all your credentials.

  4. You can use some custom solution to write and read directly to Etcd from Kubernetes apps. Here is a library example - k8s-kv.

But anyway, the best and the most proper way to store credentials in Kubernetes is Secrets. It is more secure and easier than almost any other way.
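Option 2 as a Pod manifest, showing where the source step goes (an added example, not code from the answer's author). The Pod name, images, UID, variable names and the /usr/local/bin/my-app path are assumptions; only /env and db_cred.env come from the answer.

```yaml
# Added example: init container hands generated DB credentials to the app
# through a shared in-memory volume. Names, images and UID are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-db-init                 # hypothetical name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                     # same UID in both containers, so the 0600 file stays readable
  volumes:
    - name: db-env
      emptyDir:
        medium: Memory                   # tmpfs: the credentials never reach the node's disk
  initContainers:
    - name: provision-db
      image: alpine:3                    # placeholder for the real provisioning image
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          umask 077                      # file is created with mode 0600
          DB_PASSWORD="$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)"
          # ... create the database and user with $DB_PASSWORD here ...
          {
            echo "DB_USER=app"
            echo "DB_PASSWORD=$DB_PASSWORD"
          } > /env/db_cred.env
      volumeMounts:
        - name: db-env
          mountPath: /env
  containers:
    - name: app
      image: example.invalid/my-app:latest   # placeholder image
      command: ["/bin/sh", "-c"]             # overrides the image's ENTRYPOINT
      args:
        - |
          set -a                         # export every variable the file defines
          . /env/db_cred.env             # POSIX spelling of "source"; works in Alpine's sh
          set +a
          exec /usr/local/bin/my-app     # replace the shell so the app receives signals
      volumeMounts:
        - name: db-env
          mountPath: /env
          readOnly: true
```

Variables loaded this way do not appear in the Pod spec or in kubectl describe output, but they remain readable in the process environment and in the tmpfs file for the lifetime of the Pod. A Memory-backed emptyDir counts against the containers' memory limits.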


6 Comments

Ad. 1.: But then I have to install kubectl inside the Init container and pass the k8s client secrets in there. Possible but maybe not necessary hassle. Ad. 2. Sounds good! That's what I already tried, but where to place the source /env/db_cred.env command? When writing a RUN statement inside my Dockerfile they are not available for the main CMD. Ad. 3. How to pass the Vault data to the application? If I'm not wrong you then again need an Init container solution. Ad. 4. I don't have the cluster setup in my hand (currently).
Anton, can you please share documentation on how to have an InitContainer write data to Kubernetes?
What do you mean by "write data to Kubernetes"?
@vusa you have to make it into the application and execute it conditionally... your CMD/ENTRYPOINT would be executing app-boot.sh, in which it would execute source /env/db_cred.env
Point 2 in some way implemented here stackoverflow.com/questions/67111483/…