Environment Variables with Kubernetes Secrets

Posted by Mike Barkas on Friday January 10, 2020

Set Environment Variables For A Pod's Container

This article is an overview with an example of how to set environment variables for MariaDB or MySQL in a Kubernetes Pod container. Using Kubernetes secrets we can set environment variables in a Pod's container.

Note: Kubernetes secrets are not encrypted. They are only base64 encoded and can be easily read by anyone who can view the secret. This example is not secure and is for local development and education.


Define a Secret in Kubernetes

The first step is to create a secret in Kubernetes. There are multiple ways to create a secret. This example will create a secret from the command line. Later we will save the secret into a YAML file so it can be used for other containers in the future.

There are multiple types of secrets. We are going to create a generic type to hold our environment variables. We can create a generic type at the command line with literal values.

kubectl create secret generic mysqlpwd --from-literal=password=mypassword

This will create a secret called mysqlpwd that we can use in our Pod. It will have a key named password with the value mypassword, stored base64 encoded.

It is a good idea to verify that what we just created is accurate. Run this command to view the new secret. The output is in YAML format, and the value is encoded, not encrypted.

kubectl get secret mysqlpwd -o yaml

This will display our secret. Notice in the data section the key is password and the value will be base64 encoded and not encrypted.

apiVersion: v1
data:
  password: bXlwYXNzd29yZA==
kind: Secret
metadata:
  name: mysqlpwd
  namespace: default
type: Opaque
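Decoding the data section is a quick way to verify the stored value, and it shows that base64 needs no key to reverse. The following is an added example, not part of the original post: decode_secret_data and sample_manifest are hypothetical helper names, the sample is the manifest shown above, and values are assumed to be text.

```shell
#!/usr/bin/env bash
# Added example: decode every value in the data section of a Secret manifest.

# Constructed sample: the manifest shown above, as printed by
# `kubectl get secret mysqlpwd -o yaml`.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
data:
  password: bXlwYXNzd29yZA==
kind: Secret
metadata:
  name: mysqlpwd
  namespace: default
type: Opaque
EOF
}

# decode_secret_data (hypothetical helper): reads a Secret manifest on stdin
# and prints key=plaintext for each entry under the top-level data: key.
decode_secret_data() {
  awk '
    /^data:/  { in_data = 1; next }   # start of the data block
    /^[^ ]/   { in_data = 0 }         # next top-level key ends the block
    in_data && /^ +[^:]+:/ {
      key = $1; sub(/:$/, "", key)
      print key, $2
    }
  ' | while read -r key value; do
    # Decoding needs no key or credential: read access to the Secret is enough.
    if plain=$(printf '%s' "$value" | base64 --decode 2>/dev/null); then
      printf '%s=%s\n' "$key" "$plain"
    else
      printf '%s=<not valid base64>\n' "$key"
    fi
  done
}

# Against a cluster, the same input comes from:
#   kubectl get secret mysqlpwd -o yaml | decode_secret_data
sample_manifest | decode_secret_data
```

The output is password=mypassword, so the manifest, and any file it is saved to, should be handled like the plaintext password.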

Now that we have a secret created in K8s, let's create a Pod that will use it.

In the Pod's configuration YAML file, there is a container for MySQL. The container's spec section has an env attribute where we can reference our newly created secret. We name the environment variable and use valueFrom to get its value from our secret.

apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: default
spec:
  containers:
  - name: mysql
    image: mysql
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysqlpwd
          key: password

To see more options for valueFrom, use kubectl explain:

kubectl explain pod.spec.containers.env.valueFrom

Create a new Pod with the above Pod configuration YAML file. The environment variables will be available inside the Pod's container. You can go inside the container and verify the environment variables exist.

Execute an interactive shell inside the container to view the env variables.

kubectl exec -it <pod-name> -- /bin/bash

root@mysql:/# env
vars list here. . .

If you have multiple containers in a Pod, you will have to specify the container with -c <container> to get an interactive shell in that container.


Saving Secret In A YAML File

Using the commands to create a secret, you can view the YAML and save it to a configuration file for future use. Use a combination of the output option -o yaml and the dry-run option --dry-run to see the YAML configuration.

kubectl create secret generic myuser --from-literal=user=sue -o yaml --dry-run

Once you verify it is correct you can redirect it to a YAML file.

kubectl create secret generic myuser --from-literal=user=sue -o yaml --dry-run > my-file-name.yaml

Now you can use the new YAML file to create a secret for different Pods.

Summary

Create generic secrets in K8s on the command line. Use the env spec in your Pod's container to get the valueFrom your secret. For common environment variables create a secrets YAML file to easily create new variables for future Pods.