2

I have a generated Kubernetes secret like this, as it is shown e.g. in Argo CD:

apiVersion: v1
data:
  ES_GUEST_PASSWORD: ++++++++
  ES_GUEST_USERNAME: ++++++++
kind: Secret

I now want to use it as an input to a username and password setting for Kibana. I know how to do it with env variables inside a container section, but how do I do it outside a container?

In my case it is e.g. the configuration of the Elasticsearch/Kibana ECK Operator configuration:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
spec:
  version: 8.11.1
  count: 2
  elasticsearchRef:
    name: elasticsearch
  config:
    xpack.security.authc.providers:
      anonymous.anonymous1:
        order: 0
        credentials:
          username: ES_GUEST_USERNAME
          password: ES_GUEST_PASSWORD
      basic.basic1:
        order: 1

In this case ES_GUEST_USERNAME and ES_GUEST_PASSWORD are just used as plain text and not replaced.

Fabian

2 Answers

1

The short answer is "you can't", unless the API schema supports something like the envFrom/valueFrom attributes available in a Pod spec.

The longer answer is that you can use a Mutating Admission Webhook to do pretty much anything you want, including injecting secrets into a resource at creation time. You could write your own, but there are existing implementations that can do this sort of thing. For example, Bank Vault uses this technique to inject secrets from a HashiCorp Vault instance. The patch operator is a general tool for performing these sorts of transformations.

larsks
1

As described on the Configure Kibana page, you can use environment variables to inject them into the config:

Environment variables can be injected into configuration using ${MY_ENV_VAR} syntax. By default, configuration validation will fail if an environment variable used in the config file is not present when Kibana starts. This behavior can be changed by using a default value for the environment variable, using the ${MY_ENV_VAR:defaultValue} syntax.

Secret with username and password:

apiVersion: v1
kind: Secret
metadata:
  name: guest-user-credentials
stringData:
  ES_GUEST_USERNAME: +++++++++++
  ES_GUEST_PASSWORD: +++++++++++

Kibana resource:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: elasticsearch
  config:
    xpack.security.authc.providers:
      anonymous.anonymous1:
        order: 0
        credentials:
          username: ${ES_GUEST_USERNAME:default_username}
          password: ${ES_GUEST_PASSWORD:default_password}
      basic.basic1:
        order: 1
  podTemplate:
    spec:  # containers are defined under podTemplate.spec
      containers:
      - name: kibana
        envFrom:
        - secretRef:
            name: guest-user-credentials

I'm using a similar configuration with a secret to create a user for Elasticsearch and use it in Kibana config, see Creating custom users -> File realm.
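Added example (not part of either answer, and not ECK or Kibana code): a pre-deploy check that every `${VAR}` placeholder in `spec.config` is backed by a key of a Secret wired into the `kibana` container through `envFrom`, and that reports which unbacked placeholders would stop Kibana at startup and which would fall back to an inline default. The function names and sample manifests are constructed; the manifests are assumed to be already parsed from YAML, and only `envFrom.secretRef` is considered, not explicit `env` entries.

```python
import re

# ${VAR} or ${VAR:default}: the placeholder syntax from the Kibana docs quoted above
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

def placeholders(node, path=""):
    """Yield (config_path, var, default_or_None) for each placeholder in the config tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from placeholders(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from placeholders(value, f"{path}/{i}")
    elif isinstance(node, str):
        for m in PLACEHOLDER.finditer(node):
            yield path, m.group(1), m.group(2)

def injected_vars(kibana, secrets):
    """Env var names the 'kibana' container receives via envFrom secretRef."""
    names = set()
    pod_spec = kibana["spec"].get("podTemplate", {}).get("spec", {})
    for c in pod_spec.get("containers", []):
        if c.get("name") != "kibana":
            continue
        for src in c.get("envFrom", []):
            secret = secrets.get(src.get("secretRef", {}).get("name"), {})
            names |= set(secret.get("stringData", {})) | set(secret.get("data", {}))
    return names

def check(kibana, secrets):
    """Return (path, var, outcome) for every placeholder no Secret key backs."""
    available = injected_vars(kibana, secrets)
    findings = []
    for path, var, default in placeholders(kibana["spec"].get("config", {})):
        if var in available:
            continue
        # Without a default Kibana refuses to start; with one it runs on the literal.
        outcome = "startup fails" if default is None else "inline default used"
        findings.append((path, var, outcome))
    return findings

# Constructed sample manifests, shaped like the Secret and Kibana resource above.
SECRETS = {"guest-user-credentials": {"stringData": {"ES_GUEST_USERNAME": "x", "ES_GUEST_PASSWORD": "x"}}}
CREDS = {"username": "${ES_GUEST_USERNAME}", "password": "${ES_GUEST_PASSWORD:default_password}"}
KIBANA = {"spec": {
    "config": {"xpack.security.authc.providers": {"anonymous.anonymous1": {"order": 0, "credentials": CREDS}}},
    "podTemplate": {"spec": {"containers": [
        {"name": "kibana", "envFrom": [{"secretRef": {"name": "guest-user-credentials"}}]}]}},
}}
```

A finding of "inline default used" on a credentials field means the pod would start with the literal from the manifest instead of the Secret value; dropping the default on such fields makes a missing Secret fail at startup instead.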