livenessProbe with secret not working in kubernetes
httpHeaders
only supports value
and name
field does not handle valueFrom
$ kubectl explain pod.spec.containers.livenessProbe.httpGet.httpHeaders
KIND: Pod
VERSION: v1
RESOURCE: httpHeaders <[]Object>
DESCRIPTION:
Custom headers to set in the request. HTTP allows repeated headers.
HTTPHeader describes a custom header to be used in HTTP probes
FIELDS:
name <string> -required-
The header field name
value <string> -required-
The header field value
You could try using env variable like.
spec:
containers:
- name: mycontainer
image: myimage
env:
- name: MY_SECRET
valueFrom:
secretKeyRef:
name: actuator-token
key: token
livenessProbe:
httpGet:
path: test/actuator/health
port: 9001
httpHeaders:
- name: Authorization
value: $SECRET
Not sure that @DT answer gonna work, there no documentation for that feature.
Also I made some tests and the example below not working for me:
spec:
containers:
- name: mycontainer
image: myimage
env:
- name: TOKEN
value: '12345'
livenessProbe:
httpGet:
path: /v1/health
port: 80
httpHeaders:
- name: Authorization
value: Apikey $TOKEN
I'm getting 401 for my application because it can't substitute env variable for header value. I even tried many other options with single/double quotes, with brackets, none of them working.
Otherwise, you can use exec
instead of httpGet
, but it requires to have curl installed in your docker image.
spec:
containers:
- name: mycontainer
image: myimage
env:
- name: TOKEN
value: '12345'
livenessProbe:
exec:
command:
- bash
- -c
- 'curl --fail http://localhost/v1/health --header "Authorization: Apikey $TOKEN"'
initialDelaySeconds: 30
periodSeconds: 15
If you want to use valueFrom
from your secret you don't need to decode variable inside a container. I will be already decoded.
In case you can't add curl package to your image, better to consider writing custom script based on language your application developed. Here is example for js: https://blog.sixeyed.com/docker-healthchecks-why-not-to-use-curl-or-iwr/
Also, check this question, there a similar answer How to use basic authentication in a HTTP liveness probe in Kubernetes?