
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
There are different ways to configure a container with environment variables.
- In a deployment YAML file
- Using Config Map
- Using Secrets (this article)
Config Maps are used to:
- mount configuration files in a container
- create environment variables in a container
- create command line option arguments in a container
Secrets are similar, but are meant for sensitive data such as passwords, and their values are stored base64 encoded. With either one, if a change is needed to a configuration file, variable, or command line option argument, you only need to update the config map or secret, as opposed to changing your applications or deployments.
The oc get secret command can be used to list the secrets that have been created in the currently selected project / namespace.
~]# oc get secrets
NAME        TYPE     DATA   AGE
my-secret   Opaque   1      133d
The --output yaml or --output json options can be used to display the YAML or JSON details of the secret. Notice that the "foo" key contains "SGVsbG8=" and "bar" contains "V29ybGQ=". This is normal, because the secret value is base64 encoded. Base64 is an encoding, not encryption, so anyone who is able to read the secret object can recover the values.
~]$ oc get secrets my-secret --output yaml
apiVersion: v1
data:
  bar: V29ybGQ=
  foo: SGVsbG8=
kind: Secret
metadata:
  creationTimestamp: "2021-11-18T07:12:09Z"
  name: my-secret
  namespace: default
  resourceVersion: "448072461"
  uid: 4104a646-84e2-46c3-bd59-408e2f7ee807
type: Opaque
On a Linux system, the base64 command can be used to decode the value.
~]# echo SGVsbG8= | base64 --decode
Hello
~]# echo V29ybGQ= | base64 --decode
World
Let's say you have a deployment named "my-deployment".
~]# oc get deployments
NAME            READY   UP-TO-DATE   AVAILABLE   AGE
my-deployment   1/1     1            1           8d
There are two ways to update the deployment to use the foo and bar secrets in my-secret.
- Using the oc edit command
- Using the oc set env command
A secret can be made available to a container:
- As a variable
- As a volume mount (this article)
The oc set volume command can be used to update a deployment so that values in the "foo" and "bar" keys in the secret named "my-secret" can be obtained from files mounted in the container.
AVOID TROUBLE
The name of the secret, which is my-secret in this example, must be an exact match of the name of the secret returned by the oc get secrets command.
~]$ oc set volume deployment my-app --add --type secret --mount-path /var/secrets --secret-name my-secret --read-only
info: Generated volume name: volume-jlbsj
deployment.apps/my-app volume updated
Or the oc edit deployment command can be used to update the deployment YAML.
AVOID TROUBLE
The name of the secret, which is my-secret in this example, must be an exact match of the name of the secret returned by the oc get secrets command.
apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 1
  template:
    spec:
      containers:
      - name: my-app
        image: openshift/my-app:latest
        ports:
        - containerPort: 80
        # name must match an entry under "volumes" below
        volumeMounts:
        - name: my-secret
          mountPath: /var/secrets
          readOnly: true
      volumes:
      - name: my-secret
        secret:
          # must exactly match the name shown by oc get secrets
          secretName: my-secret
A new pod should be created immediately after the oc edit command has completed, and the oc describe pod command can be used to see that the pod now has the my-secret volume mounted, which provides the "foo" and "bar" keys.
~]$ oc describe pod my-app-65rbl
Containers:
  my-container:
    Container ID:   my-app
    Image ID:       my-image
    Ports:          8080/TCP, 8443/TCP
    Host Ports:     0/TCP, 0/TCP
    State:          Running
      Started:      Tue, 02 Aug 2022 06:28:49 -0500
    Ready:          True
    Restart Count:  0
    Mounts:
      /var/secrets from my-secret (ro)
Volumes:
  my-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  my-secret
    Optional:    false
The oc exec command can now be used to see that the secrets have been mounted in the container as symbolic links.
~]$ oc exec pod/my-app-8x2nz -- ls -l /var/secrets
lrwxrwxrwx. 1 root root 10 Aug 28 10:20 bar -> ..data/bar
lrwxrwxrwx. 1 root root 10 Aug 28 10:20 foo -> ..data/foo
And the value of each secret can be viewed.
~]$ oc exec pod/my-app-8x2nz -- cat /var/secrets/foo
Hello
~]$ oc exec pod/my-app-8x2nz -- cat /var/secrets/bar
World
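Inside the container, an application or entrypoint script reads these files rather than calling oc. The following is an added example, not part of the original article: it reads keys from the mounted directory, rejects key names that would escape it, and reports keys whose files are readable by every user in the container. The function names, the SECRETS_DIR variable and the sample mount are assumptions made for the example.

```shell
# Added example: read keys from a secret volume such as /var/secrets above.
# All function names and SECRETS_DIR are assumptions made for this example.
SECRETS_DIR="${SECRETS_DIR:-/var/secrets}"

# read_secret KEY: print one key's value; non-zero if the name is unsafe or absent.
read_secret() {
    case "$1" in
        ""|..*|*/*) echo "read_secret: invalid key name" >&2; return 2 ;;
    esac
    # Each key is a symlink into ..data; -f follows it and requires a regular file.
    if [ ! -f "$SECRETS_DIR/$1" ]; then
        echo "read_secret: key '$1' is not mounted" >&2; return 1
    fi
    cat "$SECRETS_DIR/$1"
}

# list_secret_keys: print key names, skipping the ..data bookkeeping entries.
list_secret_keys() {
    for entry in "$SECRETS_DIR"/* "$SECRETS_DIR"/.[!.]*; do
        if [ -f "$entry" ]; then basename "$entry"; fi
    done
}

# world_readable_keys: print keys whose file is readable by every user in the container.
world_readable_keys() {
    for key in $(list_secret_keys); do
        if [ -n "$(find -L "$SECRETS_DIR/$key" -maxdepth 0 -perm -004)" ]; then
            echo "$key"
        fi
    done
}

# make_sample_mount DIR: constructed stand-in for the listing above (foo -> ..data/foo).
make_sample_mount() {
    mkdir -p "$1/..data"
    printf 'Hello' > "$1/..data/foo"; chmod 0644 "$1/..data/foo"
    printf 'World' > "$1/..data/bar"; chmod 0400 "$1/..data/bar"
    ln -s ..data/foo "$1/foo"; ln -s ..data/bar "$1/bar"
}

# Demo: run with the argument "demo" to build the sample mount and report on it.
if [ "${1:-}" = "demo" ]; then
    SECRETS_DIR="$(mktemp -d)"; make_sample_mount "$SECRETS_DIR"
    for k in $(list_secret_keys); do echo "$k: $(read_secret "$k" | wc -c) bytes"; done
    echo "world-readable keys: $(world_readable_keys)"
fi
```

If world_readable_keys reports any keys, the defaultMode field of the secret volume (for example 0400) can be used to tighten the file mode.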