How to add k8s secret as environment variable for CouchbaseCluster server pod?

Hi,

I have a secret where CouchbaseCluster username and password are stored. I am trying to expose them as environment variables to server pods. However, when I ssh into the pod I don’t see them as environment variables.

How do I bring secret values as environment variables for CouchbaseCluster pod?

Please see one of my CouchbaseCluster server nodes definition:

servers:
  - name: analytics-us-west1
    pod:
      annotations:
        ad.datadoghq.com/couchbase-server.instances: |
          [
            {
              "server": "<<%%host%%:8091>>",
              "user": "%%env_COUCHBASE_USERNAME%%",
              "password": "%%env_COUCHBASE_PASSWORD%%"
            }
          ]
      env:
        - name: COUCHBASE_USERNAME
          valueFrom:
            secretKeyRef:
              name: couchbase-cluster-auth
              key: username
        - name: COUCHBASE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: couchbase-cluster-auth
              key: password
      resources:
        limits:
          cpu: 2000m
          memory: 8Gi
        requests:
          cpu: 1000m
          memory: 2Gi
      volumeMounts:
        analytics:
          - pvc-analytics
        default: pvc-general
    serverGroups:
      - us-west1-a
      - us-west1-b
      - us-west1-c
    services:
      - analytics
    size: 3

Regards.

What version of the Operator are you using? When did you add the configuration (before or after creating the cluster)?

Hi,

we are using (1.2.0 operator): couchbase/operator:1.2.0.

I added the configuration before creating the cluster.

And the Couchbase server is: couchbase/server:enterprise-6.0.2

Just to be clear, when I went into the pod (shell) - I don’t see the environment variable.

kubectl exec -it -n my-namespace my-pod -- sh

env | grep COUCHBASE_USERNAME

Please do note that other pod spec items are working,
like annotations, resources (limits and requests) and volumeMounts.
Only the secrets are not coming as environment variables :frowning:

Basically, I am trying to integrate Datadog with Couchbase (it works with annotations and hard-coded username and passwords). And the way to send the password (sensitive data/secret) is via environment variables.

So, trying to finish the integration - any help is greatly appreciated. thank you.

Please do let me know if you have any questions

Regards.

From the spec, it looks like there is only an “envFrom” option, not an “env” option. https://docs.couchbase.com/operator/1.2/couchbase-cluster-config.html

I will give it a try.

btw, can you please confirm if “env” option is not supported in 1.2 operator (6.0.2 cluster)? If not supported, where can I see the corresponding error? helm upgrade (we use helm 3 to install cluster and operator) - didn’t complain.

couchbaseEnv:
  - name: ENV1
    value: value
envFrom:
  - secretRef:
      name: environment-secret

hmm, envFrom option didn’t do that trick as well :frowning:

The V1 release of the Operator was… somewhat non-intuitive :smile:

env does exist, but as couchbaseEnv, for example:

servers:
  - size: 1
    name: all_services
    services:
      - data
      - index
      - query
    pod:
      couchbaseEnv:
      - name: EXPLICIT_VAR
        value: test
      - name: IMPLICIT_VAR
        valueFrom:
          secretKeyRef:
            name: cb-example-auth
            key: username

And results in…

$ kubectl exec -ti cb-example-0000 -- env | grep EXPLI
EXPLICIT_VAR=test
$ kubectl exec -ti cb-example-0000 -- env | grep IMPL
IMPLICIT_VAR=Administrator

I’ve righted the wrongs of the past in V2, upgrade if you can, it’s a much nicer experience! That said, if you can’t, follow my guidance above and it will work.

For completeness, envFrom works like this:

    envFrom:
    - prefix: TEST_
      secretRef:
        name: cb-example-auth

And results in:

$  kubectl exec -ti cb-example-0000 -- env | grep TEST
TEST_password=password
TEST_username=Administrator

thank you, Simon :slight_smile:

Both approaches worked. Appreciate details - it made it pretty clear to follow and fix my yaml file easily.

Probably documentation needs to be updated:

  1. For couchbaseEnv: having an example with a secret (or updating the spec with a secret) - first glance gave me the impression that it’s probably not supported.
  2. Having the correct indentation in the spec (spaces), as yaml is crazy about this!!

And yes, we are planning to migrate to 2.0 soon (in a couple of months)

Regards.

You are right, the documentation could be better for these fields, I shall raise an issue and have it addressed as soon as possible! In general we avoid documenting Kubernetes types because they could change under us, but I can and will link to the official specifications where we reference native types in our custom resources.

Anyway, glad to have helped and good luck!

Just in case anyone stumbles across this post to complete the Couchbase and Datadog integration:

The above approach does work to add environment variables for the Couchbase server pod.

But w.r.t. Datadog integration - the Couchbase auth in Datadog annotations (in Couchbase server pod) (like COUCHBASE_USERNAME, COUCHBASE_PASSWORD) these environment variables should be exposed in Datadog agent and annotated in Couchbase server pod.
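An added example, not part of the thread and not Couchbase or Datadog code: a small Python pre-deploy check for the failure modes discussed here (a `pod.env` block that is accepted without error but never applied, a credential written as a literal `value`, and `%%env_…%%` template variables that depend on the Datadog agent's environment). `KNOWN_POD_KEYS` is an assumption that lists only the pod fields this thread shows working with Operator 1.2, and `SAMPLE` is a constructed spec.

```python
import re

# Assumption: pod-level keys this thread shows taking effect with Operator 1.2.
# It is not the operator's full schema; extend it from the docs for your version.
KNOWN_POD_KEYS = {"annotations", "resources", "volumeMounts", "couchbaseEnv", "envFrom"}
SENSITIVE = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)
TEMPLATE_VAR = re.compile(r"%%env_([A-Za-z0-9_]+)%%")


def lint_servers(servers):
    """Return (server name, finding) tuples for a parsed spec.servers list."""
    findings = []
    for server in servers:
        name = server.get("name", "?")
        pod = server.get("pod", {})
        # Unknown pod fields are dropped silently, so flag them before deploying.
        for key in sorted(set(pod) - KNOWN_POD_KEYS):
            hint = " (use couchbaseEnv)" if key == "env" else ""
            findings.append((name, f"pod.{key} is not a known field{hint}"))
        # Credentials should come from a Secret, not a literal in the manifest.
        for var in pod.get("couchbaseEnv", []):
            if "value" in var and SENSITIVE.search(var["name"]):
                findings.append((name, f"{var['name']} is a literal; use valueFrom.secretKeyRef"))
        # Template variables in annotations are resolved by the agent, not this pod.
        for text in pod.get("annotations", {}).values():
            for ref in sorted(set(TEMPLATE_VAR.findall(text))):
                findings.append((name, f"%%env_{ref}%% must be set on the Datadog agent"))
    return findings


# Constructed sample: the shape yaml.safe_load() gives for a spec like the question's,
# with a literal password added so that every check fires.
SAMPLE = [{
    "name": "analytics-us-west1",
    "pod": {
        "annotations": {"ad.datadoghq.com/couchbase-server.instances":
                        '[{"user": "%%env_COUCHBASE_USERNAME%%", '
                        '"password": "%%env_COUCHBASE_PASSWORD%%"}]'},
        "env": [{"name": "COUCHBASE_PASSWORD", "valueFrom": {"secretKeyRef":
                 {"name": "couchbase-cluster-auth", "key": "password"}}}],
        "couchbaseEnv": [{"name": "COUCHBASE_PASSWORD", "value": "example-only"}],
    },
}]

if __name__ == "__main__":
    for server, finding in lint_servers(SAMPLE):
        print(f"{server}: {finding}")
```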