When using Kubernetes .yml files, I can do the following:

$ cat configmap.yml

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  foo: ${FOO}
  bar: ${BAR}
  static: doesNotChange

$ export FOO=myFooVal
$ export BAR=myBarVal
$ cat configmap.yml | envsubst | kubectl apply -f -

This would replace ${FOO} and ${BAR} in the configmap.yml file before actually applying the file to the cluster.

How could I achieve the very same behavior with a Kubernetes secret which has its data values base64 encoded?

I would need to read all the keys in the data: field, decode the values, apply the environment variables and encode it again.

A tool to decode and encode the data: values in place would be much appreciated.

1 Answer

It is actually possible to store the secret.yml with stringData instead of data, which allows keeping the files in plain text (SOPS encryption is still possible and encouraged).

$ cat secret.yml

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: default
type: Opaque
stringData:
  dotenv: |
    DATABASE_URL="postgresql://test:test@localhost:5432/test?schema=public"
    API_PORT=${PORT}
    FOO=${FOO}
    BAR=${BAR}

$ export PORT=80
$ export FOO=myFooValue
$ export BAR=myBarValue
$ cat secret.yml | envsubst | kubectl apply -f -

A plus, for sure, is that this not only allows for creation of the secret, but updating is also possible.

Just for documentation, here would be the full call with SOPS:

$ sops --decrypt secret.enc.yml | envsubst | kubectl apply -f -
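An added example, not part of the original question or answer: a sketch of the in-place decode, substitute, re-encode tool the question asks for. It assumes the Secret manifest is given as JSON and handles only the `${NAME}` form; the function names `substitute` and `render_secret` and the sample data are hypothetical. Unlike envsubst, which replaces an undefined variable with an empty string, it fails on one, so a secret is never applied with a blank value.

```python
import base64
import json
import os
import re
import sys

# Only the ${NAME} form is handled; a bare $NAME is left alone.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def substitute(text, env):
    """Replace ${NAME} from env; raise on an undefined name instead of
    silently inserting an empty string, which is what envsubst does."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"undefined variable in secret: {name}")
        return env[name]
    return _VAR.sub(repl, text)

def render_secret(manifest, env):
    """Return a copy of a Secret manifest with placeholders resolved in
    stringData (plain) and data (decoded, substituted, re-encoded)."""
    out = json.loads(json.dumps(manifest))  # deep copy, input stays untouched
    for key, value in out.get("stringData", {}).items():
        out["stringData"][key] = substitute(value, env)
    for key, b64 in out.get("data", {}).items():
        try:
            plain = base64.b64decode(b64, validate=True).decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary value (e.g. a keystore): leave untouched
        out["data"][key] = base64.b64encode(
            substitute(plain, env).encode("utf-8")).decode("ascii")
    return out

# Constructed sample input, mirroring the dotenv key used in the answer.
SAMPLE = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
          "metadata": {"name": "test-secret", "namespace": "default"},
          "data": {"dotenv": base64.b64encode(
              b"API_PORT=${PORT}\nFOO=${FOO}\n").decode("ascii")}}
SAMPLE_ENV = {"PORT": "80", "FOO": "myFooValue"}

if __name__ == "__main__":
    demo = sys.stdin.isatty()  # no piped input: render the constructed sample
    manifest = SAMPLE if demo else json.load(sys.stdin)
    env = SAMPLE_ENV if demo else dict(os.environ)
    json.dump(render_secret(manifest, env), sys.stdout, indent=2)
```

The JSON it prints can be piped straight into `kubectl apply -f -`, which accepts JSON as well as YAML.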