Allow mounting of existing secrets #53
Hello Marcel, I like the idea of the Please allow me a day or so to review the technical implementation.
existingFileSecrets: | ||
- name: my-existing-secret | ||
path: /config/config.yaml | ||
subPath: config.yml |
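Review bot: in this example the `path: /config/config.yaml` and `subPath: config.yml` lines use two different file names, and nothing says which one is the file inside the secret and which one is the location in the container. Add a short comment to the example stating that `subPath` names the file defined in `my-existing-secret` and `path` is the mount location within the container, so readers do not take the `.yaml`/`.yml` mismatch for a typo.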
Can you explain `subPath`'s purpose?
path: /config/config.yaml
subPath: config.yml
This looks a bit odd to me.
With subPaths you're able to not mount the entire directory but only a specific subPath, or file.
https://kubernetes.io/docs/concepts/storage/volumes/#using-subpath
Use case:
I've a config folder /config and a secret that contains a file called custom-config.yaml.
With subPath, I only want to mount custom-config.yaml in the /config path, but not overwrite anything else that might be already part of this folder.
This makes sense. The path in this case should be `path: /config/` and not `path: /config/config.yaml`? Or am I missing something?
No, this is correct, `path: /config/config.yaml` will be used if you want to mount a single file only.
The `path` applies to the mount location within the container and the `subPath` applies to the file that is defined in the configmap or secret.
Right. The subpath concept was not clear to me.
I think I understand it now. Thanks for bearing with me.
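What the `path`/`subPath` pair from this thread corresponds to in plain Kubernetes objects, as an added example that is not part of the PR or the chart. The Pod name, image and file contents are constructed, and how the chart renders `existingFileSecrets` into these fields is an assumption.

```yaml
# Constructed example: a pre-existing Secret holding one file under the key "config.yml".
apiVersion: v1
kind: Secret
metadata:
  name: my-existing-secret
type: Opaque
stringData:
  config.yml: |
    # constructed placeholder content
    logLevel: info
---
apiVersion: v1
kind: Pod
metadata:
  name: subpath-demo                      # hypothetical name
spec:
  containers:
    - name: app
      image: registry.example/app:1.0     # placeholder image
      volumeMounts:
        - name: existing-secret
          # "path" in the thread: where the file appears inside the container.
          mountPath: /config/config.yaml
          # "subPath" in the thread: the key (file) inside the Secret.
          # Only this one file is placed at mountPath; other files
          # already present in /config stay visible.
          subPath: config.yml
          readOnly: true
  volumes:
    - name: existing-secret
      secret:
        secretName: my-existing-secret
        # Restrict the projected file to owner read-only.
        defaultMode: 0400
# Caveat: a Secret mounted through subPath does not receive automatic
# updates when the Secret changes; the Pod has to be restarted to pick
# up rotated content.
```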
✨ Summary of this change
This PR implements the functionality to mount existing secrets.
The reason I actually need this is that `sealedFileSecrets` is not working.
🧑‍💻 Details
Let's talk about the use-case in detail.
I have a very big config file encrypted via sealed secrets. In theory, I can mount `sealedFileSecrets` either from an input string or directly from a local file.
`sealedFileSecrets`, however, can't read local files since the functionality is commented out. I tried for a couple of hours to actually enable it, but whenever files are outside of the chart (which is always the case), helm can't read those.
So the only option that is left is passing the file content via string into my values.yaml. This is not so nice if you have a huge encrypted file, since it will blow up your values.yaml.
Therefore, I tend to define the sealedSecret separately and mount it via the new `existingFileSecret` option.
FYI
I know I've opened quite a few PRs and likely more are coming.
I understand that you might want to keep this chart rather simple. I would like to use this chart as long as I can without moving to my own fork.
It would be really nice to make this chart more and more flexible for edge cases.