Question on Lab Challenge 2 - Secrets: env vs envFrom

Subsandrew · January 12, 2024, 6:27pm

Hellos’s
In the Lab-challenge 2 found here - CKS – Challenges | KodeKloud, for the deployment prod-web, I expose my secrets using envFrom. The provided answers use env. However, I believe due to my using envFrom, my answer/check marks this task as incomplete.
Both I believe end with the same result and when I shell into the container and check the env variables, I see them all there whether I used env or envFrom. My question is, why is envFrom not recognized as valid?
Thanks,
Andrew.

Thanks,
Andrew.

rob_kodekloud · January 12, 2024, 7:34pm

It’s a choice that we make in using automatic graders. This can also happen on the exams as well. The env[].valueFrom version is one we do want you to know, since it makes explicit the names of the slots from the secret as well as the assignment to the name of the environment variable that mysql expects. But in general, you’re correct that you can use the envFrom version, and that it will work as well.

Subsandrew · January 12, 2024, 7:40pm

Thanks Rob for your response. Can you please expound further on how env.valueFrom differs from envFrom? When I used either method, and shelled into the container and checked the env variables, I did not see a difference in their presentation. But your response implies there is one. Please expound if you don’t mind.

Thanks much for your time/expertise!

rob_kodekloud · January 12, 2024, 8:08pm

envFrom typically takes all of the key/value slots from the secret or configmap and uses the key to set the environment variable. It’s easier to use but less flexible than using env[].valueFrom, where you can set a different environment variable name for each key, and also allows you to omit keys you don’t need to use or don’t want to expose to the pod.

Subsandrew · January 12, 2024, 11:53pm

I agree with this description. However, what I’m confused about and what the grading on the quiz implies is that using envFrom is incorrect when it is not. Unless the question specifically asked to use certain keys/values from a secret and not all, envFrom should be correct. Am I missing something or can you provide insight on why the question is graded as is?
Thanks!

rob_kodekloud · January 13, 2024, 1:06am

I don’t see any reason why the grader should prefer one solution over the other. I’ve asked our labs team the same question; don’t know what they’ll say.

Alistair_KodeKloud · January 13, 2024, 8:51am

When using envFrom you import all the keys from the secret into the environment.
When using valueFrom you are selecting specific keys to import.

With #1, that could be considered a security risk since the pod may import more secrets than it requires.