In Openshift, how can I create a new build with an environment variable whose value is a secret using the CLI?
Adding from the Pod Definition
You can create environment variables by referencing the secret in the environment definition like this:
apiVersion: v1
kind: Pod
metadata:
  name: secret-example-pod
spec:
  containers:
    - name: secret-test-container
      image: busybox
      command: [ "/bin/sh", "-c", "export" ]
      env:
        - name: TEST_SECRET_USERNAME_ENV_VAR
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: username
  restartPolicy: Never
Here's the documentation.
Adding a Secret From the Command Line
If you need to do everything from the command line, you can use JSONPath to get the values from the secret you want like this:
oc new-build gen-dev/genbuilder:latest~ssh://git@mycompany.net:7999/gen/pfs-converter.git#DEV1 \
  --source-secret='privatekey' \
  --name='testbuild' \
  -e PRIVATE_KEY="$(oc get secret <your secret> -o jsonpath='{<path to field>}')"
Explanation
This will add PRIVATE_KEY to the environment of the container when it is built, and it will be available to applications when the container starts.
The $() around the OC command to get the secret will evaluate the command inside, then place its output there.
The -o flag tells the OC CLI how to provide the output, so if you only wanted the names of builds, for example, you would run:
oc get builds -o name
Here are the output options supported.
Example
You'll need to provide the JSONPath to the field you want pulled from the secret. For example, to get the password field from this secret:
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: my-namespace
type: Opaque
data:
  username: dmFsdWUtMQ0K
  password: dmFsdWUtMg0KDQo=
stringData:
  hostname: myapp.mydomain.com
You would run:
oc new-build gen-dev/genbuilder:latest~ssh://git@mycompany.net:7999/gen/pfs-converter.git#DEV1 \
  --source-secret='privatekey' \
  --name='testbuild' \
  -e PASSWORD="$(oc get secret test-secret -o jsonpath='{.data.password}')"
This is the same as adding -e PASSWORD='dmFsdWUtMg0KDQo=' to your command, and applications in the container will be able to access that variable from the environment of the container.
Here's the documentation for using JSONPath, and an evaluator if you have trouble getting the path right.
Adding a Build Secret
You can also add a secret to the build environment without exposing it to the environment using the --build-secret flag.
Command:
oc new-build \
  openshift/nodejs-010-centos7~https://github.com/sclorg/nodejs-ex.git \
  --build-secret "secret-npmrc:/etc"
This adds the secret to a directory in the build environment; in this case the .npmrc file is added to /etc.
I don't think it's generally good practice to add secrets to the environment, and you may want to look into changing up your setup to avoid this. In the past, I've always added secrets to template definitions, but it looks like you're letting Openshift create the templates for you.
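Added example, not part of the answer above: the jsonpath lookup in the answer returns the base64 text stored under .data, so `-e PASSWORD=$(oc get secret ... -o jsonpath='{.data.password}')` puts the encoded string, not the plaintext, into the build environment. The script below stands in for that lookup with the two .data values from the answer's own test-secret manifest (no cluster needed) and decodes them, which also exposes the CR/LF bytes hidden inside the base64. The function names and the `lookup_secret_b64` stand-in are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): what `oc get secret
# test-secret -o jsonpath='{.data.password}'` hands to -e, and how to
# decode it before it lands in an environment variable.

# Stand-in for the jsonpath lookup. In a real session this would be:
#   oc get secret test-secret -o jsonpath="{.data.$1}"
# The values are the ones from the answer's test-secret manifest.
lookup_secret_b64() {
    case "$1" in
        username) printf '%s' 'dmFsdWUtMQ0K' ;;
        password) printf '%s' 'dmFsdWUtMg0KDQo=' ;;
        *) echo "no such key in .data: $1" >&2; return 1 ;;
    esac
}

# Decode a .data value. Every .data field of a Secret is base64; stringData
# fields (hostname in the manifest) are plaintext and need no decoding.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Byte count of the decoded value, so bytes you cannot see become visible.
decoded_length() {
    decode_secret_value "$1" | wc -c | tr -d ' '
}

# Decoded value with CR removed and trailing newlines dropped (the $(...)
# capture strips trailing LF). The example password decodes to
# "value-2\r\n\r\n": the file it came from ended in CRLF, and passed straight
# to -e those four bytes would end up in PASSWORD. Interior line breaks are
# kept, so a multi-line PEM key survives this as LF-terminated lines.
decoded_trimmed() {
    printf '%s' "$(decode_secret_value "$1" | tr -d '\r')"
}

# Build the NAME=value argument for `oc new-build -e`, with the value quoted
# so the shell does not word-split it.
env_arg_for() {
    # $1 = env var name, $2 = key under .data
    printf '%s=%s' "$1" "$(decoded_trimmed "$(lookup_secret_b64 "$2")")"
}

# Usage: compare the raw jsonpath output with what should reach the build.
b64="$(lookup_secret_b64 password)"
echo "jsonpath returns:    $b64"
echo "decoded byte count:  $(decoded_length "$b64")  (7 visible chars + CR LF CR LF)"
echo "argument for -e:     $(env_arg_for PASSWORD password)"
```

In a real command this replaces the answer's `-e PASSWORD=$(...)` with `-e PASSWORD="$(oc get secret test-secret -o jsonpath='{.data.password}' | base64 -d | tr -d '\r')"`. Check the decoded byte count once before trusting the value: `oc create secret generic --from-file` stores the file verbatim, trailing newline included.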