#best-practice #devops #kubernetes #pattern

In Kubernetes, it's a good idea to keep your environment variables in secrets.

You can do this by using kubectl:

$ kubectl create secret generic my-env-vars \
        --from-literal="VAR1=myhost.yellowduck.be" \
        --from-literal="VAR2=production"

One of the frequent use cases is to use these environment variables from a container in a deployment. You can reference them as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
  labels:
    app: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-deployment
  template:
    metadata:
      labels:
        app: my-deployment
    spec:
      containers:
      - name: my-deployment
        image: <my-docker-user>/<my-docker-private-repo>
        # envFrom is a field of the container, not of the pod spec
        envFrom:
        - secretRef:
            name: my-env-vars
      # imagePullSecrets is a field of the pod spec
      imagePullSecrets:
      - name: <my-secret-name>

The nice thing is that you can combine the environment variables from multiple secrets. Imagine you have two secrets containing environment variables:

$ kubectl create secret generic my-env-vars1 \
        --from-literal="VAR1=myhost.yellowduck.be" \
        --from-literal="VAR2=production"
$ kubectl create secret generic my-env-vars2 \
        --from-literal="VAR3=secret-key" \
        --from-literal="VAR4=db-conn"

You can use both in your deployment by adding two secretRef values (as envFrom is an array):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
  labels:
    app: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-deployment
  template:
    metadata:
      labels:
        app: my-deployment
    spec:
      containers:
      - name: my-deployment
        image: <my-docker-user>/<my-docker-private-repo>
        # envFrom is a field of the container; entries are applied in order
        envFrom:
        - secretRef:
            name: my-env-vars1
        - secretRef:
            name: my-env-vars2
      # imagePullSecrets is a field of the pod spec
      imagePullSecrets:
      - name: <my-secret-name>
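
When two secrets listed under envFrom define the same key, Kubernetes uses the value from the later entry in the list. The Python sketch below is an added example, not part of the original post: it models that rule over constructed Secret data shaped like `kubectl get secret <name> -o json` output, so you can see which secret wins before deploying. The duplicated `VAR2` key, its `staging` value and the `effective_env` helper are assumptions made for the illustration.

```python
import base64

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed Secret objects, shaped like `kubectl get secret <name> -o json`
# output (values under .data are base64-encoded). VAR2 is deliberately
# defined in both secrets to show a collision.
SECRETS = {
    "my-env-vars1": {"data": {"VAR1": b64("myhost.yellowduck.be"),
                              "VAR2": b64("production")}},
    "my-env-vars2": {"data": {"VAR2": b64("staging"),
                              "VAR3": b64("secret-key")}},
}

# The container's envFrom list, in manifest order.
ENV_FROM = [
    {"secretRef": {"name": "my-env-vars1"}},
    {"secretRef": {"name": "my-env-vars2"}},
]

def effective_env(env_from, secrets):
    """Return (env, collisions) for a container's envFrom list.

    env maps variable name -> (value, source secret); collisions lists
    (variable, overridden secret, winning secret).
    """
    env, collisions = {}, []
    for source in env_from:
        ref = source.get("secretRef")
        if ref is None:            # configMapRef entries are out of scope here
            continue
        name = ref["name"]
        if name not in secrets:
            if ref.get("optional"):
                continue
            raise KeyError(f"secret {name!r} not found and not optional")
        prefix = source.get("prefix", "")
        for key, encoded in secrets[name].get("data", {}).items():
            var = prefix + key
            if var in env:
                collisions.append((var, env[var][1], name))
            env[var] = (base64.b64decode(encoded).decode(), name)  # last wins
    return env, collisions

if __name__ == "__main__":
    env, collisions = effective_env(ENV_FROM, SECRETS)
    for var, loser, winner in collisions:
        print(f"{var}: value from {loser} is overridden by {winner}")
    for var, (_, source) in sorted(env.items()):
        print(f"{var} <- {source}")    # names and sources only, never values
```

Giving each envFrom entry its own `prefix` avoids the collision, since every key from that secret is then exposed under the prefixed name.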