0

I have a secret being used as env var in another env var as follows:

```yaml
- name: "PWD"
  valueFrom:
    secretKeyRef:
      name: "credentials"
      key: "password"
- name: HOST
  value: "xyz.mongodb.net"
- name: MONGODB_URI
  value: "mongodb+srv://user:$(PWD)@$(HOST)/db_name?"
```

When I exec into the container and run the `env` command to see the values of env, I see -

```
mongodb+srv://user:password123
@xyz.mongodb.net/db_name?
```

The container logs show an authentication failure error. Is this something that is expected to work in Kubernetes? Their docs talk about dependent env vars but do not give an example using secrets. Did not find a clear explanation on this after extensive search. Only found this one article doing something similar.

Some points to note -

  • The secret is a sealed secret.
  • This is the final manifest's contents, but all this is templated using helm.
  • The value is being used inside a spring boot application

Is the new line after 123 expected? If this evaluation of env from a secret in another env is possible then what am I doing wrong here?

Harshit Nagar
  • `$(PWD)@$(HOST)` are these expressions being templated somewhere? – Vishrant Jan 18 '23 at 15:10
  • yes but nothing seems out of ordinary there. The values in the final manifests seem correct. This particular one you mentioned is not being templated and created. This is as is. – Harshit Nagar Jan 18 '23 at 15:11
  • While Stack Overflow does permit certain questions about Kubernetes, we require that they (like all questions asked here) be specifically related to programming. This question does not appear to be specifically related to programming, but deployment and secret, which makes it off-topic here. You might be able to ask questions like this one on [sf] or [DevOps](https://devops.stackexchange.com/). --- From the looks of it, I'd say that the secret has the new line. – Turing85 Jan 18 '23 at 15:14
  • This question is about how to program (sort of) a Kubernetes manifest that can use a secret converted to an env var to evaluate another env var's value. This is something that does not seem to be clearly mentioned anywhere if it is possible or not (I apologise if I just could not find it). Does that not qualify? If some suggestions can add some context on if this is possible and the implementation looks correct then it will become easier to debug and fix. From your suggestion it looks like this is very much possible. If you can confirm or add to it, it would be great. Thanks – Harshit Nagar Jan 18 '23 at 15:20
  • Have posted this on devOps.stackExchange - https://devops.stackexchange.com/questions/17265/using-kubernetes-secret-env-var-inside-another-env-var Do I delete the question or wait for close votes? – Harshit Nagar Jan 19 '23 at 01:46
  • My intuition looking at this is that the Secret value ends with a newline. If you have permission to `kubectl get secret -o yaml credentials` then you could base64 decode the value and double-check this. – David Maze Jan 19 '23 at 12:07

1 Answer

2

The issue was with the command used to encode the secret - `echo "password" | base64`. The `echo` adds a newline character at the end of the string. Using `echo -n "password" | base64` fixed the secret. Closing the issue.

Harshit Nagar
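The decode-and-check step suggested in the comments, applied to the cause given in the answer, as an added example that is not part of the original posts. The function names and the `password123` sample are constructed for illustration; the check reads the last decoded byte directly because shell command substitution would silently strip a trailing newline.

```shell
#!/bin/sh
# Constructed sample: the same password encoded the two ways the answer compares.
encode_with_echo()   { echo "$1" | base64; }         # echo appends "\n" before encoding
encode_with_printf() { printf '%s' "$1" | base64; }  # encodes exactly the given bytes

# Print the last decoded byte of a base64 value as two hex digits.
# The raw byte stream is inspected; $(...) on the decoded text would drop the newline.
last_byte_hex() {
    printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Exit 0 when the decoded value ends in whitespace (LF, CR, space or tab).
has_trailing_whitespace() {
    case "$(last_byte_hex "$1")" in
        0a|0d|20|09) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secret_value LABEL B64: report the finding without printing the secret itself.
check_secret_value() {
    if has_trailing_whitespace "$2"; then
        echo "$1: decoded value ends with byte 0x$(last_byte_hex "$2"); re-encode it"
        return 1
    fi
    echo "$1: ok"
}

BAD=$(encode_with_echo "password123")
GOOD=$(encode_with_printf "password123")
check_secret_value "echo-encoded" "$BAD" || true
check_secret_value "printf-encoded" "$GOOD"

# Against a live cluster (assumes the Secret name and key from the question):
#   check_secret_value credentials \
#     "$(kubectl get secret credentials -o jsonpath='{.data.password}')"
```

A trailing `0a` byte in the Secret is what splits the rendered `MONGODB_URI` across two lines in the `env` output shown in the question.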