Trying to follow the use-case examples given in the official Kubernetes documentation for using secrets as environment variables (referenced here), I made both my secret and my deployment yaml (which includes a pod spec) as follows:
Secret yaml:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  LOCAL_UID: dsdgvreRBRBBsdd=
  LOCAL_PWD: MmSDkfKDODbOU4NCg==
which is written to the namespace by doing:
kubectl apply -f my-secret.yaml
Likewise, here is the deployment Yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      terminationGracePeriodSeconds: 30
      containers:
      - name: my-app
        env:
        - name: REPO_APP_URL
          value: https://repo.myco.com/project.tar.gz
        envFrom:
        - secretRef:
            name: my-secret
        image: repo.myco.com/images/node-alpine:0.1.6
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 15
        securityContext:
          runAsUser: 1000
      imagePullSecrets:
      - name: regcredepg
- Not shown above (but in the deployment yaml) are the Service and Ingress specs.
This is run by doing the following:
kubectl apply -f my-app.yaml
This actually works great given:
- the imagePullSecrets directive is included in the deployment YAML.
- that the name value given in the imagePullSecrets section is not the actual secret used in the envFrom: - secretRef: section.
If I try to set the name of the imagePullSecrets name field to my-secret, the pod fails to load (saying Error from server (BadRequest): container "my-app" in pod "my-app-597bb6c9b4-lh8rg" is waiting to start: image can't be pulled).
Also, it won't allow me to simply remove the imagePullSecrets section of the YAML in the pod spec, even though the documentation claims it is optional.
So, the only way this will work is if I include the imagePullSecrets reference to a valid secret that I am not using in my envFrom: - secretRef: section. I am sure I am missing some logical obvious issue here. Can anyone shed light on this??
CodePudding user response:
An image pull secret has a different format than just the ID and password. You need to specify the registry FQDN and the username and password. You can find more information here.