Using initContainers to update Pod Secrets?


#1

Hi everyone,

So, this question is a bit weird, but I wanted to know if what I’m attempting to do would make sense, as I found no reference on the docs, although it seems to work.

To put it simply, I’d like go load dynamic secrets using initContainers from another tool (in this case Vault, but this doesn’t really matter) and using them to patch existing secrets which would be loaded as environment variables inside my pod containers (the advantage being that all dynamic secret logic/integration would be inside my initContainer, not on my application, which only cares about environment variables).

The flow would be like this:

initContainer

  • get a new value for secret “mysecret” (from e.g. Vault)
  • patch kubernetes secret “mysecret” with the new value

container

  • loads patched kubernetes secret “mysecret” as environment variable MYSECRET:
      env:
        - name: MYSECRET
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: mysecret

Now this of course depends on the container initialization lifecycle! For this to work, the initContainer must always run before the container evaluates MYSECRET from Kubernetes secret store.

I’ve ran a few tests with a sample app and it does seem to work, though I’ve found nothing on the docs about the aforementioned pod lifecycle, so I’m unsure if I can just blindly trust my tests, plus the behaviour might change in the feature.

I’ve seen guides about using initContainers to populate volumes, for example, but never to update another kubernetes resource.

Anyone tried this before or has any thoughts about this strategy?