Allow mounting of existing secrets #53
Conversation
|
Hello Marcel, I like the idea of the Please allow me a day or so to review the technical implementation. |
| existingFileSecrets: | ||
| - name: my-existing-secret | ||
| path: /config/config.yaml | ||
| subPath: config.yml |
There was a problem hiding this comment.
Can you explain subPath's purpose?
path: /config/config.yaml
subPath: config.yml
This looks odd a bit for me.
There was a problem hiding this comment.
With subPaths you're able to not mount the entire directory but only a specific subPath, or file.
https://kubernetes.io/docs/concepts/storage/volumes/#using-subpath
Use case:
I've a config folder /config and a secret that contains a file called custom-config.yaml.
With subPath, I only want to mount custom-config.yaml in the /config path, but not overwrite anything else that might be already part of this folder.
There was a problem hiding this comment.
This makes sense. The path in this case should be path: /config/ and not path: /config/config.yaml? Or am i missing something?
There was a problem hiding this comment.
No this is correct, path: /config/config.yaml will be used if you want to mount a single file only.
The path applies to the mount location within the container and the subPath applies to the file that is defined in the configmap or secret.
There was a problem hiding this comment.
Right. The subpath concept was not clear for me.
I think I understand it now. Tanks for bearing with me.
β¨ Summary of this change
This PR implements the functionality to mount existing secets.
The fact why I actually need this is the not working sealedFileSecrets.
π§βπ» Details
Let's talk about the use-case in detail.
I have a very big config file encrypted via sealed secrets. In theory, I can mount
sealedFileSecretseither from an input string or directly from a local file.sealedFileSecrets, however can't read local files since the functionalitty is commented out. I tried a couple of hours to actually enable it, but whenever files are outside of the chart (which is always the case), helm can't read those.So the only option that is left, is passing the file content via string into m values.yaml. This is not so nice if you've a huge encrypted file since it will blow up your values.yaml
Therefore, I tend to define the sealedSecret separatly and mount it via th new
existingFileSecretoption.FYI
I know I've opened quite a bit of PR's and likely more is comming.
I understand that you might want to keep this chart rather simple. I would like to use this chart as long as I can without moving to my own fork.
Would be really nice, to make this chart more and more flexbile for edge cases.