
I use a Kubernetes Init container to provision the application's database. After this is done, I want to provide the DB's credentials to the main container via environment variables.

How can this be achieved?

I don't want to create a Kubernetes Secret inside the Init container, since I don't want to save the credentials there!

Andrew Lohr
vuza
  • Are the credentials generated by the init container? If not, you can store the credentials in a K8s Secret before running the application and expose it to both containers via env vars. – Nebril Mar 30 '18 at 12:32
  • How about using a shared volume? If you really need environment variables, you could potentially set them in the main container based on the content of files. – ewramner Mar 30 '18 at 15:06
  • 1. Credentials are generated by the Init Container. 2. I also thought about a shared volume; but where to mount the shared volume in a Linux Alpine container in order to source the env variables inside on startup? ... or at which point to run the source command for the environment variables in the shared file? – vuza Apr 03 '18 at 18:57

1 Answer

I see several ways to achieve what you want:

  1. From my perspective, the best way is to use a Kubernetes Secret. @Nebril has already provided that idea in the comments. You can generate it from the Init Container and remove it with a PreStop hook, for example. But you don't want to go that way.

  2. You can use a shared volume which will be used by the InitContainer and your main pod. The InitContainer will generate the environment variables file `db_cred.env` in the volume, which you can mount, for example, at the `/env` path. After that, you can load it by modifying the command of your container in the Pod spec and adding the command `source /env/db_cred.env` before the main script which starts your application. @user2612030 already gave you that idea.

  3. Another alternative is Vault by HashiCorp; you can use it as storage for all your credentials.

  4. You can use some custom solution to read and write directly to etcd from Kubernetes apps. Here is a library example: k8s-kv.

But anyway, the best and the most proper way to store credentials in Kubernetes is Secrets. It is more secure and easier than almost any other way.

Anton Kostenko
  • Ad. 1.: But then I have to install kubectl inside the Init container and pass the k8s client secrets in there. Possible, but maybe unnecessary hassle. Ad. 2.: Sounds good! That's what I already tried, but where to place the `source /env/db_cred.env` command? When writing a RUN statement inside my Dockerfile they are not available for the main CMD. Ad. 3.: How to pass the Vault data to the application? If I'm not wrong, you then again need an Init container solution. Ad. 4.: I don't have the cluster setup in my hand (currently). – vuza Apr 04 '18 at 14:36
  • Anton, can you please share documentation on how to have an InitContainer write data to Kubernetes? –  Nov 02 '18 at 20:28
  • What do you mean by "write data to Kubernetes"? – Anton Kostenko Nov 03 '18 at 11:11
  • @vuza you have to make it into the application and execute it conditionally... your `CMD/ENTRYPOINT` would be executing `app-boot.sh`, in which it would execute `source /env/db_cred.env` – Marcello DeSales Nov 10 '18 at 10:10
  • Point 2 in some way implemented here https://stackoverflow.com/questions/67111483/how-to-create-a-secret-in-the-k8s-cluster-from-a-pods-container – Rohit Salecha Jan 20 '22 at 11:17
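Option 2 of the answer, and the "where do I put the `source` command" question from the comments, in one complete Pod manifest. This is an added example, not part of the original answer or of any project: the image names, the `/app/start` entrypoint, the `db.example.internal` host, and the UID `10001` are assumptions; only the `/env/db_cred.env` path comes from the answer. The `source` line lives in the main container's `command`, not in a Dockerfile `RUN` (which runs at build time and cannot see a runtime volume). Two hardening points the answer does not spell out: the shared volume is a memory-backed `emptyDir` so the generated password never reaches node disk, and both containers run as the same non-root UID so a `0600` file written by the init container is readable by the app and by nothing else in the pod.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-generated-db-creds
spec:
  # Both containers share this UID, so a 0600 file created by the init
  # container is readable by the main container and by no other user.
  securityContext:
    runAsUser: 10001
    runAsGroup: 10001
    runAsNonRoot: true
  volumes:
    - name: env
      emptyDir:
        medium: Memory   # tmpfs: the credentials file never touches node disk
  initContainers:
    - name: provision-db
      image: alpine:3.18   # assumed; a real init image would carry the DB client
      command: ["sh", "-c"]
      args:
        - |
          set -eu
          umask 077   # db_cred.env is created 0600
          # Constructed placeholder for the generated credential; the actual
          # database provisioning step (creating the user) is not shown here.
          DB_PASSWORD="$(head -c 24 /dev/urandom | base64 | tr -d '/+=')"
          # emptyDir is world-writable, so a non-root init container can write here.
          cat > /env/db_cred.env <<EOF
          DB_HOST=db.example.internal
          DB_USER=app
          DB_PASSWORD=$DB_PASSWORD
          EOF
      volumeMounts:
        - name: env
          mountPath: /env
  containers:
    - name: app
      image: example.com/my-app:1.0   # assumed
      command: ["sh", "-c"]
      args:
        - |
          set -eu
          set -a                  # export every variable the file defines
          . /env/db_cred.env      # POSIX sh has no `source`; `.` is the same thing
          set +a
          exec /app/start         # exec so the app is PID 1 and receives signals
      volumeMounts:
        - name: env
          mountPath: /env
          readOnly: true
```

Apply with `kubectl apply -f pod.yaml`; `kubectl describe pod` will not show the values, since they are never part of the Pod spec the way `env:` literals are. They are, however, in the app's environment, so anyone who can `kubectl exec` into the container (or read `/proc/1/environ` there) can see them; that is inherent to the "credentials via environment variables" requirement and is the same exposure a Secret mounted as env vars would have.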