envsubst: Argument list too long

[imikiani]

When I run nginx based image of owasp/modsecurity-crs on top of kubernetes, I get error:

kubectl run mynginxtest --image=owasp/modsecurity-crs:4.8.0-nginx-202411071011

kubectl logs -f mynginxtest

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/01-check-low-port.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-generate-certificate.sh
/usr/local/bin/generate-certificate: generating new certificate
Warning: No -copy_extensions given; ignoring any extensions in the request
/usr/local/bin/generate-certificate: generated /etc/nginx/conf/server.key and /etc/nginx/conf/server.crt
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/modsecurity.conf.template to /etc/nginx/modsecurity.d/modsecurity.conf
/docker-entrypoint.d/20-envsubst-on-templates.sh: 53: envsubst: Argument list too long

[fzipi]

Oh, maybe k8s is passing way more env variables besides the ones for modsec.

[imikiani]

Hi @fzipi ,

Thank you so much for your quick and helpful response to my issue. I’m happy to share that the solution worked perfectly!

The problem was caused by Kubernetes injecting a large number of service environment variables into my pods, leading to the "Argument list too long" error when envsubst was invoked. Since I have many deployments and services, the environment variable list became overwhelming.

To resolve this, I added enableServiceLinks: false in my pod spec, which prevented Kubernetes from injecting these service-related environment variables. Here’s an example of how I applied the change:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 1
  template:
    spec:
      enableServiceLinks: false
      containers:
        - name: my-container
          image: owasp/modsecurity-crs:4.8.0-nginx-202411071011

[fzipi]

Awesome, thanks for confirming. This is probably worth documenting in the README.md. Are you up for a PR? 😄

[fzipi]

ping @imikiani

[imikiani]

Thank you so much for your kind words and for suggesting this! I truly appreciate the opportunity to contribute to this project—it’s an honor and a proud moment for me.

I apologize for the delay in replying to your message. I would love to create a PR to document this solution. Could you please provide some guidance on where exactly to add the documentation? Should I include it at the end of the README.md, or is there a specific section where it would fit best?

Looking forward to your advice so I can proceed correctly. Thank you again for your support and encouragement!
@fzipi

[fzipi]

I think it could fit at the very end of the README document, with a Kubernetes title. That would at least give others a simple way to find it 😄

Thanks!