
In Openshift, how can I create a new build with an environment variable that's value is a secret using the CLI?

Stack Overflow Asked by KennyBartMan on November 29, 2021

I have the following command.

oc new-build gen-dev/genbuilder:latest~ssh://[email protected]:7999/gen/pfs-converter.git#DEV1 \
  --source-secret='privatekey' \
  --name='testbuild' \
  --env=KEY=VALUE

I would like to set the environment variables to have some secret values, because the build will fail without them, and I need to do it before this command takes place because new-build immediately builds a new container.

One Answer

Adding from the Pod Definition

You can create environment variables by referencing the secret in the environment definition like this:

apiVersion: v1
kind: Pod
metadata:
  name: secret-example-pod
spec:
  containers:
    - name: secret-test-container
      image: busybox
      command: [ "/bin/sh", "-c", "export" ]
      env:
        - name: TEST_SECRET_USERNAME_ENV_VAR
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: username
  restartPolicy: Never

Here's the documentation.


Adding a Secret From the Command Line

If you need to do everything from the command line, you can use JSONPath to get the values from the secret you want like this:

oc new-build gen-dev/genbuilder:latest~ssh://[email protected]:7999/gen/pfs-converter.git#DEV1 \
  --source-secret='privatekey' \
  --name='testbuild' \
  -e PRIVATE_KEY=$(oc get secret <your secret> -o jsonpath='{<path to field>}')

Explanation

This will add PRIVATE_KEY to the environment of the container when it is built, and will be available to applications when it starts.

The $() around the OC command to get the secret will evaluate the command inside, then place its output there.

The -o flag tells the OC CLI how to provide the output, so if you only wanted the names of builds for example, you would run:

oc get builds -o name

Here are the output options supported.

Example

You'll need to provide the JSONPath to the field you want pulled from the secret. For example, to get the password field from this secret:

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: my-namespace
type: Opaque
data:
  username: dmFsdWUtMQ0K
  password: dmFsdWUtMg0KDQo=
stringData:
  hostname: myapp.mydomain.com

You would run:

oc new-build gen-dev/genbuilder:latest~ssh://[email protected]:7999/gen/pfs-converter.git#DEV1 \
  --source-secret='privatekey' \
  --name='testbuild' \
  -e PASSWORD=$(oc get secret test-secret -o jsonpath='{.data.password}')

This is the same as adding -e PASSWORD='dmFsdWUtMg0KDQo=' to your command, and applications in the container will be able to access that variable from the environment of the container.

Here's the documentation for using JSONPath, and an evaluator if you have trouble getting the path right.

Adding a Build Secret

You can also add a secret to the build environment without exposing it to the environment using the --build-secret flag.

Command:

oc new-build \
  openshift/nodejs-010-centos7~https://github.com/sclorg/nodejs-ex.git \
  --build-secret "secret-npmrc:/etc"

This adds the secret to a directory in the build environment, in this case the .npmrc file is added to /etc.

I don't think it's generally good practice to add secrets to the environment, and you may want to look into changing up your setup to avoid this. In the past, I've always added secrets to template definitions, but it looks like you're letting Openshift create the templates for you.

Answered by Ciaodown on November 29, 2021
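An added example (my own, not code from the question or the answer above) for the `-e PASSWORD=$(oc get secret ... -o jsonpath='{.data.password}')` pattern. Values under a Secret's `.data` are base64-encoded, so the raw jsonpath output is the encoding rather than the password, and the sample values in the answer decode to text with trailing CR/LF bytes. `oc` is never called: `fake_oc_get_secret_field` is a hypothetical stand-in for `oc get secret test-secret -o jsonpath='{.data.<key>}'` that returns the constructed values from the answer's sample Secret, and `base64 -d` is assumed to be the coreutils decoder.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Shows what the
# $() substitution in the answer really yields (base64 text) and what an
# application would expect (the decoded bytes), using the answer's
# sample Secret values, which are constructed data.

# Hypothetical stand-in for:
#   oc get secret test-secret -o jsonpath='{.data.<key>}'
fake_oc_get_secret_field() {
  case "$1" in
    username) printf '%s' 'dmFsdWUtMQ0K' ;;
    password) printf '%s' 'dmFsdWUtMg0KDQo=' ;;
    *)        printf 'no such key: %s\n' "$1" >&2; return 1 ;;
  esac
}

# What `-e PASSWORD=$(oc get secret ... jsonpath)` puts in the env:
# the base64 text, unchanged.
raw_secret_field() {
  fake_oc_get_secret_field "$1"
}

# What the application usually needs: decoded bytes, with the stray
# line terminators carried by the sample values stripped off.
decoded_secret_field() {
  fake_oc_get_secret_field "$1" | base64 -d | tr -d '\r\n'
}

# Byte count of the decoded value before stripping, to make the hidden
# CR/LF visible ("value-2" is 7 bytes; the sample decodes to 11).
decoded_secret_field_raw_len() {
  fake_oc_get_secret_field "$1" | base64 -d | wc -c | tr -d ' '
}

main() {
  for key in username password; do
    printf '%-8s jsonpath=%-18s decoded=%s (raw %s bytes)\n' \
      "$key" "$(raw_secret_field "$key")" \
      "$(decoded_secret_field "$key")" \
      "$(decoded_secret_field_raw_len "$key")"
  done
}

main
```

Two consequences for the answer's command line follow from this. If the build genuinely needs the clear-text value, the substitution has to decode it (`$(oc get secret test-secret -o jsonpath='{.data.password}' | base64 -d)`), and that clear text is then stored in the BuildConfig's strategy env, readable by anyone who can `oc get bc testbuild -o yaml`, as well as in the shell history of the machine that ran the command. Keeping a reference instead of the value, as the Pod example at the top of the answer does with `valueFrom.secretKeyRef`, avoids both; on a BuildConfig that is what `oc set env bc/testbuild --from=secret/test-secret` produces after `oc new-build` has created it.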
