I am trying to export environment variables to an OpenShift pod via a command. Currently I am able to leverage the command argument to run shell scripts (echo hi as an example):

```yaml
containers:
  command: 
    ['sh', '-c', 'echo hi && /opt/app-root/src/communities/entry.sh; node /opt/app-root/src/communities/main.js; echo $?']
```

This works well to start up my pod with the logs:

```
hi
Starting application on 0.0.0.0:8080
```

However, when I go to export environment variables, they do not persist. In this example I'm trying to export MYVAR for use in the pod:

```yaml
containers:
  command: 
    ['sh', '-c', 'export MYVAR=THIS && /opt/app-root/src/communities/entry.sh; node /opt/app-root/src/communities/main.js; echo $?']
```

This starts up the pod but MYVAR is not defined!

My end goal is to be able to run a script from Vault at pod start up:

```yaml
containers:
  command: 
    ['sh', '-c', 'source /vault/secrets/EXSECRET && /opt/app-root/src/communities/entry.sh; node /opt/app-root/src/communities/main.js; echo $?']
```

Is there a way to set environment variables using a shell command after pod start up?

I've been stuck on this for quite some time and appreciate the help.

EDIT: My config

```yaml
# THIS PART MOUNTS TO /vault/secrets/test ^
annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-inject-secret-test: namespace-nonprod/test
        vault.hashicorp.com/agent-inject-template-test: |
          {{`{{- with secret "namespace-nonprod/test" -}}
          export dev_database_host="{{ .Data.data.test1 }}"
          export dev_database_name="{{ .Data.data.test2 }}"
          {{- end }}`}}

containers:
        - resources: {}
          command:
            ['sh', '-c']
          args:
            ['source /vault/secrets/test && /opt/app-root/src/communities/entry.sh; node /opt/app-root/src/communities/main.js']  # not working ^
```

I can see the file is correctly mounted:

```
sh-4.4$ cat /vault/secrets/test
export dev_database_host="asdf1"
export dev_database_name="asdf2"
```

yet they are not available to env.

Thank you

  • Why do you think the environment variable isn't being set? `source` is not a POSIX standard Bourne shell command; do you need `.` instead? – David Maze Mar 31 '23 at 19:11
  • @DavidMaze I don't think the env var is being set as it isn't defined when I list env. Interestingly, once the pod has spun up I am able to manually run source /vault/secrets/test and then they are defined when listing env :) – Dodd-learning Mar 31 '23 at 19:19
  • Can you show the code in your application that accesses the environment? What exactly are you doing when you "list env"? (If it's a `kubectl exec` debugging shell, that's in a secondary process that sees the Kubernetes `env:` variables, but it won't see environment variables only set within the main process.) – David Maze Mar 31 '23 at 19:44
  • Interesting. I'm navigating to the pod terminal and just executing the command: `env`. Do you have any suggestions for how to test if they are indeed defined? Note it's not kubectl and from the OpenShift UI thanks – Dodd-learning Mar 31 '23 at 19:58
  • I'd add a log message to your application code. "Pod terminal" is not that useful, especially in Kubernetes where you will typically have multiple replicas of a Pod and where the cluster can destroy them without your involvement in a couple of cases. – David Maze Mar 31 '23 at 20:51

1 Answer

When you set an environment variable, you set a local env, NOT GLOBAL. When you log out, your env is gone.

The best way to set a global env in Kubernetes is to set the env in a configMap(secret) and mount the configMap(secret) into the deployment(or statefulset).

Another approach is to set the Env directly in your deployment definition. More in here.

Andromeda
  • Thanks for the response. Unfortunately for my use case I don't believe setting the config map / directly in ENV will work as these secrets are sourced from [vault](https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#vault-agent-injector-examples). Where the guide mentions ' A template should be created that exports a Vault secret as an environment variable and the application container should source those files during startup' – Dodd-learning Mar 31 '23 at 18:45
  • I could not understand the difficulty with the `configmap`(in this case `secret` is better). You get the secrets from the vault. Put the secrets in the `secret`. Mount it on the deployment and rollout the deployment. And the secrets will be available in the container. – Andromeda Mar 31 '23 at 18:51
  • Interesting. I have got the secrets mounted to /vault/secrets/test: `sh-4.4$ cat /vault/secrets/test export dev_database_host="asdf1" export dev_database_name="asdf2"` Unfortunately they still aren't available. I've updated my question with my current config – Dodd-learning Mar 31 '23 at 18:57
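
The behaviour discussed in the comments under the question, as an added example that is not part of the original posts: a program started by the shell that loaded the file inherits the exported variables, while a separately started shell does not. The temporary file is a constructed stand-in for /vault/secrets/test, `env` stands in for the Node application, and the function names and exit status 78 are illustrative assumptions.

```shell
#!/bin/sh
# Added example. The file contents are constructed, shaped like the rendered
# /vault/secrets/test shown in the question.
make_secret_file() {
    f=$(mktemp) || return 1
    printf '%s\n' 'export dev_database_host="asdf1"' \
                  'export dev_database_name="asdf2"' > "$f"
    printf '%s\n' "$f"
}

# Same shape as the pod command: load the file, then start the program.
# `env` stands in for `node main.js` and prints the environment it received.
# `.` is used because `source` is not guaranteed to exist in a POSIX sh.
app_env() {
    sh -c '. "$1" && env' sh "$1" | grep '^dev_database_' | sort
}

# A shell started separately (a pod terminal or exec session) never ran the
# `.` line, so it counts zero matching variables.
other_shell_count() {
    sh -c 'env' | grep -c '^dev_database_' || true
}

# Fail closed: refuse to start the program when the secret file is unreadable,
# rather than carrying on without the variables. 78 is an arbitrary status.
start_or_refuse() {
    rc=0
    sh -c '[ -r "$1" ] || exit 78; . "$1" && env' sh "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

main() {
    secret=$(make_secret_file)
    echo "program started by the same shell sees:"
    app_env "$secret"
    echo "separately started shell sees: $(other_shell_count) matching variables"
    echo "exit status with the file missing: $(start_or_refuse /nonexistent/secret)"
    rm -f "$secret"
}
main
```

Inside a running pod, a log line from the application itself is the reliable check; the output of `env` in a terminal session describes that session's shell, not the application process.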