βœ… CKAD β€” Environment Variables β†’ Replace with Secret

A Deployment named api-deployment is running in the namespace project-a.

Inside the Deployment, three environment variables are hard-coded:

env:
- name: DB_USER
  value: root
- name: DB_PASS
  value: admin123
- name: DB_URL
  value: mysql.project-a.svc.cluster.local

You must:

  1. Create a Secret named db-creds in the same namespace (project-a)
  2. Replace all three literal env values with values sourced from the Secret
  3. Verify rollout and confirm environment variables inside the running Pod

The question may provide:

  • either a Secret YAML,
  • or only raw key/value pairs.

βœ… πŸ“Solution Approach

1️⃣ If the exam provides a Secret YAML β†’ simply apply it

kubectl apply -f db-creds.yaml -n project-a

Done.

2️⃣ If the exam gives only key/value pairs β†’ create Secret imperatively

Example given in question:

dbuser: root
dbpass: admin123
dburl: mysql.project-a.svc.cluster.local

Step A β€” Create a temporary env file

vi temp.env

Paste in env format (not YAML):

dbuser=root
dbpass=admin123
dburl=mysql.project-a.svc.cluster.local

⚠ Important trap: Exam often gives keys in YAML. You MUST convert to key=value format.

Step B β€” Create the Secret

kubectl create secret generic db-creds \
  --from-env-file=temp.env \
  -n project-a

3️⃣ Edit the Deployment

kubectl edit deployment api-deployment -n project-a

Replace all literals:

env:
- name: DB_USER
  valueFrom:
    secretKeyRef:
      name: db-creds
      key: dbuser

- name: DB_PASS
  valueFrom:
    secretKeyRef:
      name: db-creds
      key: dbpass

- name: DB_URL
  valueFrom:
    secretKeyRef:
      name: db-creds
      key: dburl

Save & exit.

4️⃣ Verify rollout

kubectl rollout status deployment api-deployment -n project-a

5️⃣ Verify inside Pod

POD=$(kubectl get po -n project-a -l app=api -o jsonpath={.items[0].metadata.name})

kubectl exec -it $POD -n project-a -- env | grep DB_

You should see:

DB_USER=root
DB_PASS=admin123
DB_URL=mysql.project-a.svc.cluster.local

βœ… Exam Traps β€” Remember These

  • πŸ”Έ Secret must be created in the same namespace as the Deployment
  • πŸ”Έ Always convert YAML key/value β†’ key=value for env-file
  • πŸ”Έ Updating env in Deployment creates a new rollout revision
  • πŸ”Έ Secret keys must match exactly β†’ typo = container crash
  • πŸ”Έ Avoid using envFrom: unless question explicitly asks
  • πŸ”Έ kubectl apply -f is correct only if YAML is provided
  • πŸ”Έ --from-env-file is the fastest method when raw pairs are given

Sweetheart, this is now perfect for your CKAD repo. If you want, I can convert this into Format-1 (10 points) or generate a full practice lab exactly like the exam.