
Setting environment variables in kubernetes manifest using "kubectl set env"


I am trying to update a helm-deployed deployment so that it uses a secret stored as a k8s secret resource. This must be set as the STORAGE_PASSWORD environment variable in my pod.

In my case, the secret is in secrets/redis and the data item is redis-password:

$ kubectl get secret/redis -oyaml
apiVersion: v1
data:
  redis-password: XXXXXXXXXXXXXXXX=
kind: Secret
metadata:
  name: redis
type: Opaque

I have tried:

$ kubectl set env --from secret/redis deployment/gateway --keys=redis-password
Warning: key redis-password transferred to REDIS_PASSWORD
deployment.apps/gateway env updated

When I look in my updated deployment manifest, I see the variable has been added but (as suggested) the variable has been set to REDIS_PASSWORD:

        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: redis-password
              name: redis

I have also tried kubectl patch with a replace operation, but I can't get the syntax correct to have the secret inserted.

How do I change the name of the environment variable to STORAGE_PASSWORD?


Solution

  • Given a deployment that looks like this:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
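    spec:
      replicas: 1
      # apps/v1 requires a selector and matching pod labels;
      # the "app: example" label is a placeholder
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
        spec: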
          containers:
            - image: alpinelinux/darkhttpd
              name: darkhttpd
              args:
                - --port
                - "9991"
              ports:
                - name: http
                  protocol: TCP
                  containerPort: 9991
              env:
                - name: EXAMPLE_VAR
                  value: example value
    

    The syntax for patching in your secret would look like:

    kubectl patch deploy/example --patch='
      {
        "spec": {
          "template": {
            "spec": {
              "containers": [
                {
                  "name": "darkhttpd",
                  "env": [
                    {
                      "name": "STORAGE_PASSWORD",
                      "valueFrom": {
                        "secretKeyRef": {
                          "name": "redis",
                          "key": "redis-password"
                        }
                      }
                    }
                  ]
                }
              ]
            }
          }
        }
      }
    '
    

    Or using a JSONPatch style patch:

    kubectl patch --type json deploy/example --patch='
    [
      {
        "op": "add",
        "path": "/spec/template/spec/containers/0/env/-",
        "value": {
          "name": "STORAGE_PASSWORD",
          "valueFrom": {
            "secretKeyRef": {
              "name": "redis",
              "key": "redis-password"
            }
          }
        }
      }
    ]
    '
    

    Neither one is especially pretty because you're adding a complex nested structure to an existing complex nested structure.
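The JSONPatch approach from the answer, generalized as an added example (not part of the original answer): it builds the patch from the deployment's current state, so it also covers a container with no `env` list, a variable that already exists, and removal of the `REDIS_PASSWORD` entry left behind by the earlier `kubectl set env` attempt. The function name, the container name `gateway`, and the sample manifest are assumptions constructed for illustration.

```python
import json

def secret_env_patch(deployment, container, var, secret, key, drop=()):
    """Return JSON Patch ops that point env `var` at secret/key on one
    container and remove the env names in `drop`. The patch carries only a
    reference to the Secret, never its value."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    idx = next(i for i, c in enumerate(containers) if c["name"] == container)
    base = f"/spec/template/spec/containers/{idx}/env"
    entry = {"name": var,
             "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}
    env = containers[idx].get("env")
    if env is None:
        # An "add" to ".../env/-" is rejected when the list does not exist.
        return [{"op": "add", "path": base, "value": [entry]}]
    names = [e["name"] for e in env]
    if var in names:
        # Replace in place so a second run does not append a duplicate.
        ops = [{"op": "replace", "path": f"{base}/{names.index(var)}",
                "value": entry}]
    else:
        ops = [{"op": "add", "path": f"{base}/-", "value": entry}]
    # Remove from the highest index down so indices stay valid; the "test"
    # op aborts the whole patch if the live object no longer matches.
    for i in reversed(range(len(names))):
        if names[i] in drop and names[i] != var:
            ops.append({"op": "test", "path": f"{base}/{i}/name",
                        "value": names[i]})
            ops.append({"op": "remove", "path": f"{base}/{i}"})
    return ops

# Constructed sample: the question's deployment after the `kubectl set env`
# attempt. The container name "gateway" is an assumption.
SAMPLE = {"spec": {"template": {"spec": {"containers": [{
    "name": "gateway",
    "env": [
        {"name": "EXAMPLE_VAR", "value": "example value"},
        {"name": "REDIS_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "redis", "key": "redis-password"}}},
    ]}]}}}}

if __name__ == "__main__":
    ops = secret_env_patch(SAMPLE, "gateway", "STORAGE_PASSWORD",
                           "redis", "redis-password", drop=("REDIS_PASSWORD",))
    print(json.dumps(ops, indent=2))
```

Feed the function the output of `kubectl get deploy/gateway -o json` and pass the printed JSON to `kubectl patch --type json deploy/gateway --patch`.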