Last active
December 28, 2023 06:02
-
-
Save dhaninugraha/d4dfc553e4663c2211d9db22650c951d to your computer and use it in GitHub Desktop.
k8s - secrets from init container to app container without volumes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This experiment stemmed from the need to fetch and pass secrets into | |
| # an app container without using a shared volume or sidecar container. | |
| # | |
| # In this example, as both the action to set the initial secret values | |
| # and update them with newer values are all inlined in the script, we'll | |
| # be tricking kubectl by adding spec.template.metadata.labels.update, | |
| # which we can later enable before reapplying the manifest (and thus triggering | |
| # the secrets update/patch process). | |
| # | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: test-secret-from-init | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: test-secret-from-init | |
| template: | |
| metadata: | |
| labels: | |
| app: test-secret-from-init | |
| # update: "v1" | |
| spec: | |
| serviceAccountName: test-service-account | |
| initContainers: | |
| - name: init-test | |
| image: debian:latest | |
| command: ["/bin/bash", "-c"] | |
| args: | |
| - | | |
| apt update && apt install -qq -y curl | |
| curl -LO "https://storage.googleapis.com/kubernetes-release/release/v1.21.3/bin/linux/amd64/kubectl" | |
| chmod +x kubectl | |
| mv kubectl /usr/local/bin/kubectl | |
| if kubectl get secret test-secret >/dev/null 2>&1; then | |
| echo "Secret already exists. Patching changes..." | |
| kubectl patch secret test-secret -p '{"data":{"KEY1":"'"$(echo -n "new_value3" | base64)"'","KEY2":"'"$(echo -n "new_value4" | base64)"'"}}' | |
| else | |
| echo "Secret does not exist. Creating a new one..." | |
| kubectl create secret generic test-secret --from-literal=KEY1=value1 --from-literal=KEY2=value2 | |
| fi | |
| containers: | |
| - name: app-test | |
| image: debian:latest | |
| envFrom: | |
| - secretRef: | |
| name: test-secret | |
| command: ["/bin/bash", "-c"] | |
| args: | |
| - | | |
| echo "KEY1: ${KEY1}" | |
| echo "KEY2: ${KEY2}" | |
| sleep infinity |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: test-service-account | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: test-cluster-role | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["secrets"] | |
| verbs: ["create", "patch", "get", "list"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: test-cluster-role-binding | |
| subjects: | |
| - kind: ServiceAccount | |
| name: test-service-account | |
| namespace: default | |
| roleRef: | |
| kind: ClusterRole | |
| name: test-cluster-role | |
| apiGroup: rbac.authorization.k8s.io |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment