Simplify Spring Boot Access to Kubernetes Secrets Using Environment Variables

This blog post is a follow-up to a previous blog post titled “Simplify Spring Boot Access to Secrets Using Spring Cloud Kubernetes“. Despite the downsides I mentioned, I already hinted at a more straightforward solution that utilizes environment variables. The plan is to get everything into the Pod with as little configuration effort as possible.

So, I promised a twist, and here it is, thanks to one of my colleagues who pushed me in this direction. Kubernetes gives you yet another tool to handle Secrets in environment variables. This time, it is more convenient since you only point it to the complete Secret, not just a single value. Kubernetes will then make all key-value pairs available as individual environment variables.

apiVersion: apps/v1
kind: Deployment
  name: the-gunslinger
  replicas: all
          - name: the-gunslinger
              - ...
              - secretRef:
                name: the-gunslinger-secret
                optional: false

As you can see, envFrom coexists alongside your other env definitions. What does it look like in the Pod?

application_user@the-gunslinger-56d4d44b4c-b64gw:/opt/application$ env | grep aad
application_user@the-gunslinger-56d4d44b4c-nw975:/opt/application$ env | grep spring

Success? No. But why? Reasons, I guess. There is a way around this, though. Have you heard of Spring’s relaxed binding? That means we change the secret from “” to “UPPER_SNAKE_CASE”, and everything will work as expected. It is the same value only with a different coat of paint, like lipstick on a pig. No, wait! That’s what Windows 11 is to Windows 10.

apiVersion: v1
kind: Secret
  name: the-gunslinger-secret
  namespace: platform
type: Opaque
  AAD_PASSWORD: VGhlIG1hbiBpbiBibGFjayBmbGVkIGFjcm9zcyB0aGUgZGVzZXJ0LCBhbmQgdGhlIGd1bnNsaW5nZXIgZm9sbG93ZWQu

Now, the output in the Pod looks as expected, and Spring Boot will find and use the values automatically due to its relaxed binding.

application_user@the-gunslinger-56d4d44b4c-b64gw:/opt/application$ env | grep AAD
AAD_PASSWORD=The man in black fled across the desert, and the gunslinger followed.
application_user@the-gunslinger-56d4d44b4c-nw975:/opt/application$ env | grep SPRING
SPRING_DATASOURCE_PASSWORD=I do not aim with my hand; he who aims with his hand has forgotten the face of his father.

What do we gain compared to Spring Cloud Kubernetes Config? There is no additional dependency with its own compatibility issues or security vulnerabilities.

On the downside, your key-value pairs do not look like the data you refer to in your application, which is typically “”. You must be aware of Spring’s relaxed binding for it to make sense.


The minimalist solution for simplifying the use of Secrets in a Spring Boot application would be Option #2 with the twist. Although you must be more deliberate in naming the Secret key-value pairs, it is a huge plus that no additional dependencies are required. Unless you have a use for Spring Cloud Kubernetes’ other functionality, there is no reason to utilize it just for the Secrets.

Other than that, the initial effort to set it up is basically identical. It is even shorter since mounting a volume requires two settings to be made.

Thank you for reading. I hope this was helpful.

One thought on “Simplify Spring Boot Access to Kubernetes Secrets Using Environment Variables

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.