livenessProbe with secret not working in kubernetes

Question

I am trying to pass livenessProbe in my kubernetes deployment yaml file to perform the health of my application. so, I created a secret with token value and passing as below

      livenessProbe:
        httpGet:
          path: test/actuator/health
          port: 9001
          httpHeaders:
          - name: Authorization
            valueFrom:
              secretKeyRef:
                name: actuator-token
                value: token

but I am getting the below error

error: error validating "deployment.yaml": error validating data: [ValidationError(Deployment.spec.template.spec.containers[0].livenessProbe.httpGet.httpHeaders[0]): unknown field "valueFrom" in io.k8s.api.core.v1.HTTPHeader, ValidationError(Deployment.spec.template.spec.containers[0].livenessProbe.httpGet.httpHeaders[0]): missing required field "value" in io.k8s.api.core.v1.HTTPHeader, ValidationError(Deployment.spec.template.spec.containers[0].readinessProbe.httpGet.httpHeaders): invalid type for io.k8s.api.core.v1.HTTPGetAction.httpHeaders: got "map", expected "array"]; if you choose to ignore these errors, turn validation off with --validate=false

Kindly suggest and appreciate for the help.

Also let us know is their any better way of handling tokens as I don't want to provide token value directly on my deployment yaml file.

Answer 1

httpHeaders only supports value and name field does not handle valueFrom

$ kubectl explain pod.spec.containers.livenessProbe.httpGet.httpHeaders

KIND:     Pod
VERSION:  v1

RESOURCE: httpHeaders <[]Object>

DESCRIPTION:
     Custom headers to set in the request. HTTP allows repeated headers.

     HTTPHeader describes a custom header to be used in HTTP probes

FIELDS:
   name <string> -required-
     The header field name

   value        <string> -required-
     The header field value

You could try using env variable like.

spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
      - name: MY_SECRET
        valueFrom:
          secretKeyRef:
            name: actuator-token
            key: token
    livenessProbe:
        httpGet:
          path: test/actuator/health
          port: 9001
          httpHeaders:
          - name: Authorization
            value: $SECRET

Answer 2

Not sure that @DT answer gonna work, there no documentation for that feature.

Also I made some tests and the example below not working for me:

spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
      - name: TOKEN
        value: '12345'
    livenessProbe:
      httpGet:
        path: /v1/health
        port: 80
        httpHeaders:
        - name: Authorization
          value: Apikey $TOKEN

I'm getting 401 for my application because it can't substitute env variable for header value. I even tried many other options with single/double quotes, with brackets, none of them working.

Otherwise, you can use exec instead of httpGet, but it requires to have curl installed in your docker image.

spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
      - name: TOKEN
        value: '12345'
    livenessProbe:
      exec:
        command:
        - bash
        - -c
        - 'curl --fail http://localhost/v1/health --header "Authorization: Apikey $TOKEN"'
    initialDelaySeconds: 30
    periodSeconds: 15

If you want to use valueFrom from your secret you don't need to decode variable inside a container. I will be already decoded.

In case you can't add curl package to your image, better to consider writing custom script based on language your application developed. Here is example for js: https://blog.sixeyed.com/docker-healthchecks-why-not-to-use-curl-or-iwr/

Also, check this question, there a similar answer How to use basic authentication in a HTTP liveness probe in Kubernetes?