How to set up environment variables on Google Kubernetes Engine?

I am using Firebase in my GoLang project hosted on Google Kubernetes Engine.

Steps I followed:

  1. Enable the Firebase Admin SDK on the Firebase account. It generated a service account JSON for me. This also created a service account under my Google console service credentials.

  2. Followed this answer and added a new secret key using kubectl create secret generic google-application-credentials --from-file=./sample-project.json

  3. Made changes to my deployment.yaml file (added volume mounts and an environment variable):

    spec:
      containers:
      - image: gcr.io/sample-ee458/city:0.27
        name: city-app
        volumeMounts:
        - name: google-application-credentials-volume
          mountPath: /etc/gcp
          readOnly: true
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /etc/gcp/application-credentials.json
    
  4. Set up the volume in the same file:

    volumes:
    - name: google-application-credentials-volume
      secret:
        secretName: google-application-credentials
        items:
        - key: application-credentials.json # default name created by the create secret from-file command
          path: application-credentials.json
    
  5. Run kubectl apply -f deployment.yaml and deploy using docker push command.

It's throwing me an error: error getting credentials using google_application_credentials environment variable gke. What am I missing here? Any hint would be appreciated.

Amit Pal asked Nov 15 '25 07:11


2 Answers

Finally, I figured out how to copy it and use the environment variable. Here is the updated YAML file:

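apiVersion: apps/v1  # apps/v1beta1 is no longer served as of Kubernetes 1.16
kind: Deployment
metadata:
  name: my-app
spec:
  selector:  # required by apps/v1; must match the template labels below
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      volumes:
      - name: google-cloud-keys
        secret:
          secretName: gac-keys  # each key in the Secret becomes a file under mountPath
      containers:
      - name: my-app
        image: us.gcr.io/my-app
        volumeMounts:
        - name: google-cloud-keys
          mountPath: /var/secrets/google
          readOnly: true
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          # path = mountPath + the Secret's key name
          value: /var/secrets/google/new-file-name.json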

Amit Pal answered Nov 17 '25 22:11


You can use a Secret in two different ways:

  • Mount the Secret as a volume and access it as a file
  • Map the Secret to environment variables and access it by reading the variable

You seem to have mixed them both. Decide if you want to access it as a file (recommended) or as an environment variable.

See examples of both in the documentation:

  • Using Secrets as files from a Pod
  • Using Secrets as environment variables

Example - accessing it as an environment variable

First, create the Secret; this can be done as you did:

kubectl create secret generic google-application-credentials --from-file=./application-credentials.json

I want to access it as an environment variable.

To expose the secret as an environment variable in the Pod or Deployment, write your Pod template as:

  containers:
  - name: city-app
    image: gcr.io/sample-ee458/city:0.27
    env:
      - name: GOOGLE_APPLICATION_CREDENTIALS
        valueFrom:
          secretKeyRef:
            name: google-application-credentials  # name of the Secret
            key: application-credentials.json

When accessing the Secret as an environment variable, you don't need to add it as a volume.

Jonas answered Nov 17 '25 21:11