cruise-automation / daytona

A Vault client, but for containers and servers.
Apache License 2.0

Cannot easily expose secrets as environment variables in other containers in a pod. #16

Open dplummer opened 5 years ago

dplummer commented 5 years ago

After using daytona in an initContainer with the secrets stored to a file, it isn't easy to expose those secrets as environment variables in subsequent containers. I propose to export secrets in a ".env" file, so containers can source that file before starting. Something like:

# in vault:
secret/application/foo/MY_VAR value=fizzbuzz
secret/application/foo/SOME_URL value=http://example.com

# kubernetes (both containers must mount the same volume at /home/vault; volumes omitted here)
initContainers:
  - name: daytona
    env:
      - name: SECRET_ENV_PATH
        value: /home/vault/secrets.env
      - name: VAULT_SECRETS_APP
        value: secret/application/foo
containers:
  - name: my-app
    command: ["/bin/bash", "-c"]
    args:
      - |
        source /home/vault/secrets.env
        ./my-app

# /home/vault/secrets.env
export MY_VAR=fizzbuzz
export SOME_URL=http://example.com

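
The ".env" rendering step in the proposal above, as an added example in Go (daytona's language); this is not daytona's code and `RenderEnvFile`, `ParseEnvFile` and the sample secrets are assumptions made up for illustration. The point it adds is quoting: a line like `export MY_VAR=fizzbuzz` only works while values contain no spaces, quotes, `$`, backticks or newlines, whereas a single-quoted value is read back by `source` exactly as stored, so the generator validates variable names, rejects NUL bytes (which cannot be placed in an environment) and single-quotes every value. The parser exists so the round trip can be checked without spawning a shell.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// envNameRE matches the identifiers a POSIX shell accepts as variable names.
var envNameRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// shellQuote wraps v in single quotes so `source` reads it back byte for byte:
// inside single quotes nothing is expanded, and an embedded single quote is
// written as '\'' (close the quote, escape one quote, reopen the quote).
func shellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// RenderEnvFile (hypothetical) turns secret name -> value pairs, such as the leaf
// names under secret/application/foo, into "export NAME='value'" lines sorted by
// name so the output is deterministic. Names the shell would reject and values
// containing a NUL byte (impossible in an environment variable) are errors.
func RenderEnvFile(secrets map[string]string) (string, error) {
	names := make([]string, 0, len(secrets))
	for name, value := range secrets {
		if !envNameRE.MatchString(name) {
			return "", fmt.Errorf("%q is not a valid environment variable name", name)
		}
		if strings.ContainsRune(value, 0) {
			return "", fmt.Errorf("value of %s contains a NUL byte", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		fmt.Fprintf(&b, "export %s=%s\n", name, shellQuote(secrets[name]))
	}
	return b.String(), nil
}

// ParseEnvFile (hypothetical) reads a file written by RenderEnvFile back into a
// map, undoing the quoting, so a round trip can be verified without a shell.
func ParseEnvFile(s string) (map[string]string, error) {
	out := map[string]string{}
	for i := 0; i < len(s); {
		if !strings.HasPrefix(s[i:], "export ") {
			return nil, fmt.Errorf("offset %d: expected \"export \"", i)
		}
		i += len("export ")
		eq := strings.IndexByte(s[i:], '=')
		if eq < 0 {
			return nil, fmt.Errorf("offset %d: missing '='", i)
		}
		name := s[i : i+eq]
		if !envNameRE.MatchString(name) {
			return nil, fmt.Errorf("offset %d: bad name %q", i, name)
		}
		i += eq + 1
		var val strings.Builder
		for {
			if i >= len(s) || s[i] != '\'' {
				return nil, fmt.Errorf("offset %d: expected opening quote", i)
			}
			i++
			end := strings.IndexByte(s[i:], '\'')
			if end < 0 {
				return nil, fmt.Errorf("offset %d: unterminated quote", i)
			}
			val.WriteString(s[i : i+end])
			i += end + 1
			if strings.HasPrefix(s[i:], `\'`) { // the '\'' escape: one literal quote, then a reopened segment
				val.WriteByte('\'')
				i += 2
				continue
			}
			break
		}
		if i >= len(s) || s[i] != '\n' {
			return nil, fmt.Errorf("offset %d: expected newline after value", i)
		}
		i++
		out[name] = val.String()
	}
	return out, nil
}

func main() {
	// Constructed sample secrets, including a value that an unquoted export line would mangle.
	secrets := map[string]string{
		"MY_VAR":   "fizzbuzz",
		"SOME_URL": "http://example.com",
		"DB_PASS":  "p4$s 'quoted' `word`",
	}
	env, err := RenderEnvFile(secrets)
	if err != nil {
		panic(err)
	}
	fmt.Print(env)
}
```

One caveat worth keeping in mind when choosing this route: once sourced, the values sit in the application's environment, which is readable from /proc/<pid>/environ by anything that can inspect the process and shows up in `kubectl exec ... env`, so the file on the shared volume remains the more contained form of the secret.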
dustin-decker commented 5 years ago

One workaround we've seen is to put the contents of the env file in the value field in one secret. You can then drop that secret's value as a file as described by https://github.com/cruise-automation/daytona#secret-fetching