
Injection doesn't deal with variable references

Open theseion opened this issue 3 years ago • 4 comments

Kubernetes allows for environment variables to be composed of references to other environment variables: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables. When such a composed variable references an injected variable an error occurs because the resulting string doesn't (usually) match any existing AzureKeyVaultSecret.

The following line produces the invalid AzureKeyVaultSecret string: https://github.com/SparebankenVest/azure-key-vault-to-kubernetes/blob/37f73d5ed967cb20b7b13a9be182c4728d162bc8/cmd/azure-keyvault-env/main.go#L292

Example:

```yaml
env:
  - name: PREFIX
    value: prefix
  - name: SUFFIX
    value: suffix
  - name: COMPOSED
    value: $(PREFIX)@$(SUFFIX)
```

A context this can appear in is when constructing the username for a Postgres database: username@postgres-host.

theseion avatar Sep 16 '21 13:09 theseion

Hi, thank you for reaching out. Yes, you are right, this is not possible. The secret is not reachable outside of the application process. Is this a blocker for you? Maybe importing it as a secret and referencing that would solve your use case?

Haavare avatar Sep 21 '21 12:09 Haavare

I managed to get around it for now, so this isn't high priority for me.

I think this can be fixed by skipping references, because they will be expanded later to the value of the referenced variable, which then will hold the secret.

theseion avatar Sep 22 '21 05:09 theseion

I think I understand the suggestion now. If an ENV var has a parameter expansion referencing a secret yet to be injected, this should be delayed until the secret has been injected.

Haavare avatar Oct 22 '21 10:10 Haavare
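The two-pass ordering discussed above (inject plain `<name>@azurekeyvault` values first, skip any value that contains a `$(VAR)` reference, expand references only afterwards) as an added, stand-alone Go example. This is not code from the azure-key-vault-to-kubernetes project; `ResolveEnv`, `EnvVar`, `SecretLookup` and `MapLookup` are names chosen here, the in-memory vault map is constructed sample data, and the example folds the expansion step into the injector for illustration even though in a real cluster the kubelet performs `$(VAR)` expansion.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// akvSuffix is the "<secret>@azurekeyvault" value convention used in this thread.
const akvSuffix = "@azurekeyvault"

// refPattern matches Kubernetes-style $(VAR) references.
var refPattern = regexp.MustCompile(`\$\(([A-Za-z_][A-Za-z0-9_]*)\)`)

// EnvVar mirrors one name/value pair of a container env list. Order matters:
// Kubernetes only expands references to variables declared earlier in the list.
type EnvVar struct {
	Name  string
	Value string
}

// SecretLookup is a hypothetical stand-in for the Key Vault client.
type SecretLookup func(name string) (string, error)

// MapLookup builds a SecretLookup over an in-memory map (test double, not a real vault).
func MapLookup(vault map[string]string) SecretLookup {
	return func(name string) (string, error) {
		if v, ok := vault[name]; ok {
			return v, nil
		}
		return "", errors.New("secret not found: " + name)
	}
}

// ResolveEnv injects secrets first and expands $(VAR) references second.
// A value that contains a reference is skipped by the injection pass, as
// suggested in the thread, so "$(USER)@$(HOST)" is never sent to the vault
// as a secret name; the reference later expands to the injected value.
func ResolveEnv(env []EnvVar, lookup SecretLookup) (map[string]string, error) {
	resolved := make(map[string]string, len(env))

	// Pass 1: resolve plain "<name>@azurekeyvault" values, defer composed ones.
	for _, e := range env {
		if refPattern.MatchString(e.Value) {
			continue
		}
		if strings.HasSuffix(e.Value, akvSuffix) {
			secret, err := lookup(strings.TrimSuffix(e.Value, akvSuffix))
			if err != nil {
				return nil, fmt.Errorf("env %s: %w", e.Name, err)
			}
			resolved[e.Name] = secret
			continue
		}
		resolved[e.Name] = e.Value
	}

	// Pass 2: expand references in declaration order. Only variables declared
	// before the current one are visible; an unknown reference stays as the
	// literal "$(NAME)", which is what Kubernetes does as well.
	visible := make(map[string]string, len(env))
	for _, e := range env {
		if refPattern.MatchString(e.Value) {
			resolved[e.Name] = refPattern.ReplaceAllStringFunc(e.Value, func(m string) string {
				name := refPattern.FindStringSubmatch(m)[1]
				if v, ok := visible[name]; ok {
					return v
				}
				return m
			})
		}
		visible[e.Name] = resolved[e.Name]
	}
	return resolved, nil
}

func main() {
	// Constructed sample: the username lives in the vault, the host does not.
	lookup := MapLookup(map[string]string{"pg-user": "appuser"})
	env := []EnvVar{
		{"PG_USER", "pg-user" + akvSuffix},
		{"PG_HOST", "postgres-host"},
		{"PG_LOGIN", "$(PG_USER)@$(PG_HOST)"},
	}
	out, err := ResolveEnv(env, lookup)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(out["PG_LOGIN"]) // appuser@postgres-host
}
```

The composed `PG_LOGIN` value reaches the application as `appuser@postgres-host` because the injection pass never treated it as a secret name. Note that this example does not handle a value that only becomes a `<name>@azurekeyvault` reference after expansion, nor the `$$(VAR)` escape; both are outside what the thread describes.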

Stumbled across the same issue. Using interpolated secret-injected env vars was indeed not possible. So, this approach:

```yaml
- name: MONGO_CS
  value: mongo_cs@azurekeyvault$(REGION)
```

or this

```yaml
- name: MONGO_CS
  value: mongo_cs@azurekeyvault
- name: MONGO_URI
  value: $(MONGO_CS)$(REGION)
```

did not work.

Worked around it by importing it as a secret and mounting it as an env var:

```yaml
- name: MONGO_CS
  valueFrom:
    secretKeyRef:
      name: sct-mongo-cs
      key: connection_string
- name: MONGO_URI
  value: $(MONGO_CS)$(REGION)
```

It would be nice to have a few lines about this issue in the Known Issues.

Rainelz avatar Sep 27 '23 08:09 Rainelz