tomcatkubernetescatalinakubernetes-secrets

inject environment variables in tomcat catalina.properties [Kubernetes]


I am using kubernetes for a web application deployement.

  containers:
  - name: myapp
    image: tomcat8-jre8:latest
    imagePullPolicy: Always
    env:     
    - name: DATABASE_HOST
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: external.database.host
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: external.database.user
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: external.database.password

I also use tomcat JNDI with a custom server.xml and catalina.properties

 <Resource factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
            name="jdbc/mysource" 
            auth="Container" 
            type="javax.sql.DataSource" 
            driverClassName="org.postgresql.Driver" 
            url="jdbc:postgresql://******" # secret url
            username="${database.user}"      
            password="${database.password}" />

I tried puting a new property into catalina.properties

### catalina specific configuration
database.user = ${DATABASE_USER}              
database.password = ${DATABASE_PASSWORD}   

server.xml can well read the property but could not resolve the environment variable ${DATABASE_USER} and ${DATABASE_PASSWORD}

Both server.xml and catalina.properties are mounted as config maps, the sensitive information are being held in environment variables. we don't know their values

the environment variable are set when I log into the pod and are recognizable from my webapp (java based) but could not read it from catalina.properties (and/or server.xml)

Can anyone give me a tip on this ? Is it possible to inject environment variables within tomcat configuration ?

Thanks


Solution

  • See https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html.

    TLDR; set the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE to org.apache.tomcat.util.digester.EnvironmentPropertySource and the environment will be used for variable interpolation on top of system properties.

    An alternative, setting system properties from environment variables in setenv.sh, unfortunately dumps the properties to the console on startup (declaring them 'command line arguments') and thus leaks any secrets shared this way.