I am using kubernetes for a web application deployement.
containers:
- name: myapp
image: tomcat8-jre8:latest
imagePullPolicy: Always
env:
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
name: my-secret
key: external.database.host
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: my-secret
key: external.database.user
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: my-secret
key: external.database.password
I also use tomcat JNDI with a custom server.xml and catalina.properties
<Resource factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
name="jdbc/mysource"
auth="Container"
type="javax.sql.DataSource"
driverClassName="org.postgresql.Driver"
url="jdbc:postgresql://******" # secret url
username="${database.user}"
password="${database.password}" />
I tried puting a new property into catalina.properties
### catalina specific configuration
database.user = ${DATABASE_USER}
database.password = ${DATABASE_PASSWORD}
server.xml can well read the property but could not resolve the environment variable ${DATABASE_USER} and ${DATABASE_PASSWORD}
Both server.xml and catalina.properties are mounted as config maps, the sensitive information are being held in environment variables. we don't know their values
the environment variable are set when I log into the pod and are recognizable from my webapp (java based) but could not read it from catalina.properties (and/or server.xml)
Can anyone give me a tip on this ? Is it possible to inject environment variables within tomcat configuration ?
Thanks
See https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html.
TLDR; set the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE
to org.apache.tomcat.util.digester.EnvironmentPropertySource
and the environment will be used for variable interpolation on top of system properties.
An alternative, setting system properties from environment variables in setenv.sh
, unfortunately dumps the properties to the console on startup (declaring them 'command line arguments') and thus leaks any secrets shared this way.