docs: add guide for mounting ConfigMaps and Secrets into instances#140
Open
scotwells wants to merge 3 commits into
Open
docs: add guide for mounting ConfigMaps and Secrets into instances#140scotwells wants to merge 3 commits into
scotwells wants to merge 3 commits into
Conversation
Add docs/guides/mount-configmaps-and-secrets.md, a hands-on companion to the referenced-data delivery RFC. Covers mounting ConfigMaps/Secrets as read-only files (volumes), injecting keys as environment variables, rotation/restart, and diagnosing instances held by the ReferencedDataReady gate. Foregrounds the current runtime constraint: inline file mounts are only enabled on the base-compat:latest runtime with an erofs rootfs today; base:latest support is in progress. Cross-links the RFC and the Workload/ Instance API references, all of which are already on main. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Redraw the data-flow diagram so all box lines are uniform width and the file-listing columns align; drop ambiguous-width glyphs from inside the boxes. Convert the dependency note, runtime requirement, #139 reference, and env-capacity limitation to GitHub alert callouts (IMPORTANT/TIP/ WARNING). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the pre-merge dependency framing (the #129 'not yet on main' note) and repoint example references from PR URLs to relative paths (examples/serverless-js-configmap, examples/config-secret-probe), as if the referenced-data delivery and example PRs are merged. Keep the upstream base/base-compat ROM-enablement limitation, which is a Unikraft runtime matter independent of these PRs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this delivers
A hands-on guide —
docs/guides/mount-configmaps-and-secrets.md— for delivering configuration files and secret material to a running instance without baking them into the image. It's the operator-facing companion to the ConfigMap/Secret mounts RFC: the RFC is the design, this is the how-to.What it covers
mountPathis a directory),namevssecretName, and per-containervolumeAttachments.configMapKeyRef/secretKeyRef, plus the kernel-cmdline capacity caveat that bites in busy cells.datumctl compute restartto roll instances onto the refreshed companion.ReferencedDataReadygate and a reason table (Resolving/AwaitingPropagation/SourceNotFound/SourceUnauthorized/SourceTooLarge/Ready).The constraint it foregrounds
The file-mount section leads with the runtime requirement: inline file mounts are only enabled on
base-compat:latestwith an erofs rootfs today. The defaultbase:latest(app-elfloader) does not yet support inline ROMs — the Unikraft kernel team is working on enabling them forbasetoo, but until then a ConfigMap/Secret volume simply will not appear inside abase:latestinstance. This is the single most common way to get an empty mount directory, so it's stated up front (as an[!IMPORTANT]callout) and repeated in troubleshooting.Written as shipped behavior
The guide is written assuming the referenced-data delivery (#129) and the example workloads (#139,
config-secret-probe) are merged: it documents current behavior in the present tense, cross-links the runnable examples by relative path, and carries no "not yet available" hedging. The only forward-looking note is the upstreambaseROM-enablement work, which is a Unikraft runtime matter independent of these PRs.Follows the house guide format
Same shape as the deploy guides (#130–#135): verification stamp, "what you need", numbered concept→steps→troubleshooting flow, inline copy-pasteable YAML, relative cross-links, and GitHub alert callouts. The data-flow diagram uses box-drawing borders with a pure-ASCII interior so its columns stay aligned regardless of font.
🤖 Generated with Claude Code