kubernetes isn't overriding environment variables that were set in the Dockerfile

Question

My Dockerfile contains default environment variables for development and testing scenarios:

ENV mysql_host=mysql \
    mysql_user=app \
    mysql_password=password \

and my k8s yaml contains an env directive:

spec:
  containers:
    env:
      - name: "mysql_password"
        value: "someotherpassword"
        name: "mysql_host"
        value: "someotherhost"
        name: "mysql_user"
        value: "someotheruser"

but when I exec into my running container with

kubctl exec -it service -- /bin/bash

I'm still seeing "password" as mysql_password .

edit: added more from the k8s yaml for completeness.

Answer 1

you need to declare all the variables in the the correct yaml format so in this exmaple mysql_password will override the variable but mysql_password2 will not override and will only be inserted if its not declared already :

spec:
  containers:
    env:
      - name: mysql_password     
        value: "someotherpassword"
      - name: mysql_password2
        value: "password" 
      - name: override_password
        value: password3 

meaning if it started with a "-" it will override . otherwise it will insert the variable to the container

Answer 2

Hmm may I suggest a better approach to storing and retrieving secrets for your containers?

Kubernetes provides you with the concepts of Secrets when the data you are using is sensitive, and ConfigMaps when it is not.

You can specify in your pod definition that the container should pull the values from a secret like below (Kubernetes 1.6+)

apiVersion: v1
kind: Pod
metadata: 
  labels: 
    context: docker-k8s-lab
    name: mysql-pod
  name: mysql-pod
spec: 
  containers:
  - image: "mysql:latest"
    name: mysql
    ports: 
    - containerPort: 3306
    envFrom:
      secretRef:
        name: mysql-secret

So now you can have 2 different secrets, one for prod and one for test

test-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
data:
  MYSQL_USER: <user>
  MYSQL_PASSWORD: <password>
  MYSQL_DATABASE: <database>
  MYSQL_ROOT_PASSWORD: <root_password>

prod-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
data:
  MYSQL_USER: <user>
  MYSQL_PASSWORD: <password>
  MYSQL_DATABASE: <database>
  MYSQL_ROOT_PASSWORD: <root_password>

Now you can deploy the secrets in to the respective clusters

kubectl config use-context test
kubectl create -f dev-secret.yaml

kubectl config use-context prod
kubectl create -f prod-secret.yaml

Now when your Pod starts it will populate the env from the values in the secret.