In Openshift, how can I create a new build with an environment variable that's value is a secret using the CLI? In Openshift, how can I create a new build with an environment variable that's value is a secret using the CLI? kubernetes kubernetes

In Openshift, how can I create a new build with an environment variable that's value is a secret using the CLI?


Adding from the Pod Defintion

You can create environment variables by referencing the secret in the environment definition like this:

apiVersion: v1kind: Podmetadata:  name: secret-example-podspec:  containers:    - name: secret-test-container      image: busybox      command: [ "/bin/sh", "-c", "export" ]      env:        - name: TEST_SECRET_USERNAME_ENV_VAR          valueFrom:            secretKeyRef:              name: test-secret              key: username  restartPolicy: Never

Here's the documentation.


Adding a Secret From the Command Line

If you need to do everything from the command line, you can use JSONPath to get the values from the secret you want like this:

oc new-build gen-dev/genbuilder:latest~ssh://git@mycompany.net:7999/gen/pfs-converter.git#DEV1 \  --source-secret='privatekey' \  --name='testbuild' \  -e PRIVATE_KEY=$(oc get secret <your secret> -o jsonpath='{<path to field>}')

Explanation

This will add PRIVATE_KEY to the environment of the container when it is built, and will be available to applications when it starts.

The $() around the OC command to get the secret will evaluate the command inside, then place its output there.

The -o flag tells the OC CLI how to provide the output, so if you only wanted the names of builds for example, you would run:

oc get builds -o name

Here are the output options supported.

Example

You'll need to provide the JSONPath to the field you want pulled from the secret. For example, to get the password field from this secret:

apiVersion: v1kind: Secretmetadata:  name: test-secret  namespace: my-namespacetype: Opaque data:   username: dmFsdWUtMQ0K   password: dmFsdWUtMg0KDQo=stringData:   hostname: myapp.mydomain.com 

You would run:

oc new-build gen-dev/genbuilder:latest~ssh://git@mycompany.net:7999/gen/pfs-converter.git#DEV1 \  --source-secret='privatekey' \  --name='testbuild' \  -e PASSWORD=$(oc get secret test-secret -o jsonpath='{.data.password}')

This is the same as adding -e PASSWORD='dmFsdWUtMg0KDQo=' to your command, and applications in the container will be able to access that variable from the environment of the container.

Here's the documentation for using JSONPath, and an evaluator if you have trouble getting the path right.

Adding a Build Secret

You can also add a secret to the build environment without exposing it to the environment using the --build-secret flag.

Command:

oc new-build \openshift/nodejs-010-centos7~https://github.com/sclorg/nodejs-ex.git \--build-secret “secret-npmrc:/etc”

This adds the secret to a directory in the build environment, in this case the .npmrc file is added to /etc.

I don't think it's generally good practice to add secrets to the environment, and you may want to look into changing up your setup to avoid this. In the past, I've always added secrets to template definitions, but it looks like you're letting Openshift create the templates for you.