Injecting secrets into environment variables (Env mode)
This guide explains how to configure secret injection from Secrets Store into pod environment variables using Secrets Injector.
Getting started
- Make sure the Secrets Store component is installed and active in the cluster.
- Secrets Store contains secrets required by your application.
Create ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: myapp-sa
namespace: myapp-namespace
kubectl apply -f serviceaccount.yaml
Configure a role in Secrets Store
Configure a Secrets Store role with access to the required paths and bind it to the ServiceAccount you created.
Prepare the deployment
Add annotations to spec.template.metadata.annotations in the pod template:
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
namespace: myapp-namespace
spec:
replicas: 1
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
annotations:
secrets.stackland.yandex.cloud/render-env: "true"
secrets.stackland.yandex.cloud/role: "myapp"
spec:
serviceAccountName: myapp-sa
containers:
- name: app
image: myapp:latest
# In Env mode, specify _command_ or _args_ with the executable as the first element.
command:
- /app/myapp
args:
- --config=/config/app.yaml
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
env:
- name: DB_PASSWORD
value: "secrets:secret/data/myapp/database#password"
- name: API_KEY
value: "secrets:secret/data/myapp/api#key"
Key requirements:
- The
secrets.stackland.yandex.cloud/render-configmap: "true"annotation enables Env mode. - The
secrets.stackland.yandex.cloud/roleannotation defines the Secrets Store role. - In the container, you must specify either
commandorargs, where the first element ofargsis the executable. The injector uses these fields to start the application. If neither of these fields is set, the pod will fail with theno command is givenerror. - In the
envfield, use thesecrets:<path>#<key>format for secret references.
Apply the manifests
kubectl apply -f deployment.yaml
Check the result
Make sure the pod has started and the secrets have been injected:
# Checking the pod status
kubectl get pods -n myapp-namespace
# Checking main container logs (the injector runs as a process wrapper, not as an init-container).
kubectl logs <pod_name> -n myapp-namespace -c app
# Checking the environment variables inside the pod
kubectl exec -n myapp-namespace <pod_name> -- env | grep DB_
If the injection is successful, the output should begin with the following lines:
level=INFO msg="found secret references" count=2
level=INFO msg="successfully injected secrets" count=2
level=INFO msg="spawning process" binary=...
Using multiple containers
To inject secrets into specific containers within a multi-container pod, use the containers annotation:
annotations:
secrets.stackland.yandex.cloud/render-env: "true"
secrets.stackland.yandex.cloud/role: "myapp"
secrets.stackland.yandex.cloud/containers: "app,worker"
If the containers annotation is not set and there are multiple containers, the webhook will reject pod creation, causing the deployment to fail.
Diagnostics
If secret injection fails, see Secrets Store diagnostics.