I’m using Helm to deploy Kong to a Kubernetes cluster. Due to my organisation’s security constraints, I’m not allowed to use Kubernetes Secrets to store sensitive values, such as pg_password. Thus, I cannot do this in Helm values.yaml:
    env:
      # ...
      pg_password:
        valueFrom:
          secretKeyRef:
            name: db-creds
            key: db-password
What I’d like to do instead, is to have an initContainer that would read sensitive values from an external storage, write them to kong.conf and mount it to /etc/kong/kong.conf for the main Kong container to use.
For proof-of-concept purposes, I’ve started off by creating a ConfigMap with kong.conf:
    pg_password = "password"
and mounting it to Kong container via Helm values:
    deployment:
      # ...
      userDefinedVolumes:
      - name: kong-conf
        configMap:
          name: kong-conf
      userDefinedVolumeMounts:
      - name: kong-conf
        mountPath: /etc/kong/kong.conf
        subPath: kong.conf
This does not have any effect for me though, as if kong.conf was ignored when Kong is deployed via Helm (I’m getting “failed authentication” logs). I’ve exec-ed into the container and verified the file is mounted correctly.
Is that actually the case? Is there any way to make kong.conf work in conjunction with environment variables set in values.yaml? Any ideas what I could be missing here?
P.S. I’m aware of the Secrets Management Beta feature, but it doesn’t support Google Secret Manager which I have to use (and it’s beta anyway).