Cannot easily expose secrets as environment variables in other containers in a pod.

Open dplummer opened this issue 5 years ago • 1 comments

After using daytona in an initContainer with the secrets stored to a file, it isn't easy to expose those secrets as environment variables in subsequent containers. I propose to export secrets in a ".env" file, so containers can source that file before starting. Something like:

```
# in vault:
secret/application/foo/MY_VAR value=fizzbuzz
secret/application/foo/SOME_URL value=http://example.com
```

```yaml
# kubernetes
initContainers:
  - name: daytona
    env:
    - name: SECRET_ENV_PATH
      value: /home/vault/secrets.env
    - name: VAULT_SECRETS_APP
      value: secret/application/foo
containers:
  - name: my-app
    command: ["/bin/bash", "-c"]
    # args must be a list; the block scalar keeps both commands in one -c script
    args:
      - |
        source /home/vault/secrets.env
        ./my-app
```

```sh
# /home/vault/secrets.env
export MY_VAR=fizzbuzz
export SOME_URL=http://example.com
```

dplummer, Jul 09 '19 17:07

One workaround we've seen is to put the contents of the env file in the value field in one secret. You can then drop that secret's value as a file as described by https://github.com/cruise-automation/daytona#secret-fetching

dustin-decker, Jul 09 '19 23:07
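Both the proposed `secrets.env` and the workaround above end with a container running `source` on a file built from secret values, so each value has to be quoted to arrive as data rather than shell syntax. The sketch below is an added example, not code from this issue or from daytona; `render_env` and `write_env_file` are hypothetical helper names and the sample pairs are constructed.

```shell
#!/bin/sh
# Added example: render KEY=VALUE pairs as an env file that is safe to `source`.

# Print one `export KEY='value'` line per KEY=VALUE argument.
# Fails on a missing '=' or a key that is not a valid shell identifier.
# Limitation: trailing newlines in a value are dropped by $(...).
render_env() {
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "render_env: argument without '='" >&2; return 1 ;;
        esac
        key=${pair%%=*}
        value=${pair#*=}
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "render_env: invalid variable name" >&2; return 1 ;;
        esac
        # Inside single quotes only ' is special: rewrite it as '\''
        escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$key" "$escaped"
    done
}

# Write the rendered file with owner-only permissions, replacing the
# destination only if every pair rendered cleanly.
write_env_file() {
    dest=$1
    shift
    if ( umask 077 && render_env "$@" > "$dest.tmp" ); then
        mv "$dest.tmp" "$dest"
    else
        rm -f "$dest.tmp"
        return 1
    fi
}

# Constructed sample input: the two values from the issue plus one that
# would be mangled by an unquoted `export KEY=value` line.
render_env 'MY_VAR=fizzbuzz' 'SOME_URL=http://example.com' \
    "GREETING=it's \$HOME sweet home"
```
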