0

I am trying to update a helm-deployed deployment so that it uses a secret stored as a k8s secret resource. This must be set as the STORAGE_PASSWORD environment variable in my pod.

In my case, the secret is in secrets/redis and the data item is redis-password:

$ kubectl get secret/redis -oyaml
apiVersion: v1
data:
  redis-password: XXXXXXXXXXXXXXXX=
kind: Secret
metadata:
  name: redis
type: Opaque

I have tried:

$ kubectl set env --from secret/redis deployment/gateway --keys=redis-password
Warning: key redis-password transferred to REDIS_PASSWORD
deployment.apps/gateway env updated

When I look in my updated deployment manifest, I see the variable has been added but (as suggested) the variable has been set to REDIS_PASSWORD:

        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: redis-password
              name: redis

I have also tried kubectl patch with a replace operation, but I can't get the syntax correct to have the secret inserted.

How do I change the name of the environment variable to STORAGE_PASSWORD?

1
  • If Helm is managing the Kubernetes manifests, I'd try to make this change inside your Helm chart – I would not use kubectl set or kubectl edit on something Helm is managing, since the results will be somewhat unpredictable if you helm upgrade the chart. Can you make this change in the templates/deployment.yaml file instead, maybe gated on some specific {{ if .Values... }} setting? Commented Nov 8, 2022 at 2:17

2 Answers

3

Given a deployment that looks like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  replicas: 1
  template:
    spec:
      containers:
        - image: alpinelinux/darkhttpd
          name: darkhttpd
          args:
            - --port
            - "9991"
          ports:
            - name: http
              protocol: TCP
              containerPort: 9991
          env:
            - name: EXAMPLE_VAR
              value: example value

The syntax for patching in your secret would look like:

kubectl patch deploy/example --patch='
  {
    "spec": {
      "template": {
        "spec": {
          "containers": [
            {
              "name": "darkhttpd",
              "env": [
                {
                  "name": "STORAGE_PASSWORD",
                  "valueFrom": {
                    "secretKeyRef": {
                      "name": "redis",
                      "key": "redis-password"
                    }
                  }
                }
              ]
            }
          ]
        }
      }
    }
  }
'

Or using a JSONPatch style patch:

kubectl patch --type json deploy/example --patch='
[
  {
    "op": "add",
    "path": "/spec/template/spec/containers/0/env/-",
    "value": {
      "name": "STORAGE_PASSWORD",
      "valueFrom": {
        "secretKeyRef": {
          "name": "redis",
          "key": "redis-password"
        }
      }
    }
  }
]
'

Neither one is especially pretty because you're adding a complex nested structure to an existing complex nested structure.


2 Comments

Works! The first makes more sense to me (and worked perfectly). One question, though... in the JSONPatch, I'm assuming that the '.../containers/0/...' is a reference to container "0" in a potentially longer list. Is this correct? Either way, I'd tried 100 variations of patch and 'set env' and was unable to get this to work.
.../containers/0/ means "the first item in the list .../containers".
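
For scripted use of the JSONPatch form, the index in `.../containers/0/...` and the `env/-` suffix both depend on what the deployment currently contains. The following is an added example, not part of the original answers: a Python helper that builds the patch from a manifest (in practice the output of `kubectl get deploy/example -o json`), locating the container by name and covering the missing-`env` and already-present cases. The function name, the `log-shipper` sidecar and the sample manifest are assumptions made for illustration.

```python
import json

def secret_env_patch(deployment, container, env_name, secret, key):
    """Build JSON Patch ops that point env_name at secret/key in one container."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    idx = next((i for i, c in enumerate(containers) if c["name"] == container), None)
    if idx is None:
        raise LookupError(f"no container named {container!r}")
    base = f"/spec/template/spec/containers/{idx}"
    entry = {"name": env_name,
             "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}
    # "test" makes the API server reject the patch if the list order changed
    # between reading the manifest and applying the patch.
    guard = {"op": "test", "path": f"{base}/name", "value": container}
    env = containers[idx].get("env")
    if env is None:
        # "add" to ".../env/-" needs an existing array, so create it instead.
        return [guard, {"op": "add", "path": f"{base}/env", "value": [entry]}]
    for i, var in enumerate(env):
        if var["name"] == env_name:
            if var == entry:
                return []  # already set as wanted, nothing to patch
            return [guard, {"op": "replace", "path": f"{base}/env/{i}", "value": entry}]
    return [guard, {"op": "add", "path": f"{base}/env/-", "value": entry}]

# Constructed sample: the answer's deployment with a hypothetical sidecar listed first.
SAMPLE = {"spec": {"template": {"spec": {"containers": [
    {"name": "log-shipper", "image": "example.invalid/log-shipper"},
    {"name": "darkhttpd", "image": "alpinelinux/darkhttpd",
     "env": [{"name": "EXAMPLE_VAR", "value": "example value"}]},
]}}}}

if __name__ == "__main__":
    ops = secret_env_patch(SAMPLE, "darkhttpd", "STORAGE_PASSWORD",
                           "redis", "redis-password")
    print(json.dumps(ops, indent=2))
```

The printed array is the value to pass to `kubectl patch --type json deploy/example --patch=...`; an empty array means the variable is already set and no patch is needed.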
1

You may also update resources with kubectl edit:

kubectl edit deployment gateway

Then edit the YAML file:

    # - name: REDIS_PASSWORD
    - name: STORAGE_PASSWORD
      valueFrom:
        secretKeyRef:
          key: redis-password
          name: redis

FYI: https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#kubectl-edit

1 Comment

Sorry -- I wasn't specific enough in my question. Yes, I was able to do it with edit, but I was trying to automate the process in a script. Still, this answer is correct.
