Deployments with volumes do not have the option to select a key #116868

Closed
firemanxbr opened this issue Mar 22, 2023 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@firemanxbr

What would you like to be added?

Problem statement:
Currently, we don't have a way to define a key in a Secret to be used by volumes.

volumes:
    - name: NameOfVolume
      secret:
        secretName: NameOfSecret

Using this approach, we should create a separate Secret to be used in a volume. If we add a Secret with more keys, the resource will consume all keys.

Why is this needed?

For use in Deployments outside of volumes, we already have a proper solution:

env:
- name: ENVIRONMENT_VARIABLE
  valueFrom:
    secretKeyRef: 
      name: SecretName
      key: KEY_TO_BE_USED

In that case, it would be nice to extend the volume API to have:

volumes:
    - name: NameOfVolume
      secret:
        secretName: NameOfSecret
        secretKey: KEY_TO_BE_USED
@firemanxbr firemanxbr added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 22, 2023
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Mar 22, 2023
@k8s-ci-robot
Contributor

There are no sig labels on this issue. Please add an appropriate label by using one of the following commands:

  • /sig <group-name>
  • /wg <group-name>
  • /committee <group-name>

Please see the group list for a listing of the SIGs, working groups, and committees available.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 22, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pacoxu
Member

pacoxu commented Mar 23, 2023

Why not use subpath?

I created a secret with a key config and mounted the secret to the subpath of /root with a path name that can be specified. Does this meet your requirement?

 kubectl create secret generic mysecret --from-file=.kube/config
[root@paco-centos-9 ~]# cat test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: m.daocloud.io/docker.io/library/redis
    volumeMounts:
    - name: foo-config
      mountPath: "/root/"
  volumes:
  - name: foo-config
    secret:
      secretName: mysecret
      items:
      - key: config
        path: config.yaml
[root@paco-centos-9 ~]# kubectl create -f test.yaml
pod/mypod created
[root@paco-centos-9 ~]# kubectl get pod mypod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          12s
[root@paco-centos-9 ~]# kubectl exec -it mypod -- ls /root/
config.yaml

@liggitt
Member

liggitt commented Mar 24, 2023

projected volumes let you select specific keys of a secret and assign them to specific filepaths

See https://kubernetes.io/docs/concepts/storage/projected-volumes/

...
  volumes:
  - name: my-volume
    projected:
      sources:
      - secret:
          name: my-secret
          items:
            - key: username
              path: my-group/my-username

@liggitt liggitt closed this as completed Mar 24, 2023
@firemanxbr
Author

Thank you for guiding me @pacoxu @liggitt!
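
An audit check for the pattern discussed in this thread, as an added example that is not part of the issue or of Kubernetes itself: it reads workload manifests as JSON (as produced by `kubectl get ... -o json`) and reports `secret` and `projected` volumes that mount a Secret without an `items` list, so every key of that Secret becomes a file in the container. The sample manifest is constructed, `other-secret` is a made-up name, and CronJob nesting (`jobTemplate`) is not handled.

```python
import json
import sys

# Constructed sample (volume and Secret names reuse the thread's snippets;
# "other-secret" is made up for illustration).
SAMPLE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"volumes": [
        # Whole Secret mounted: every key becomes a file.
        {"name": "NameOfVolume", "secret": {"secretName": "NameOfSecret"}},
        # Single key selected with items.
        {"name": "foo-config", "secret": {
            "secretName": "mysecret",
            "items": [{"key": "config", "path": "config.yaml"}]}},
        # Projected volume: one source limited to a key, one not.
        {"name": "my-volume", "projected": {"sources": [
            {"secret": {"name": "my-secret", "items": [
                {"key": "username", "path": "my-group/my-username"}]}},
            {"secret": {"name": "other-secret"}},
        ]}},
    ]}}},
}

def pod_spec(obj):
    """Pod spec of a Pod, or of a workload that nests it under spec.template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def unscoped_secret_volumes(obj):
    """Return (volume, secret) pairs where a Secret is mounted without items."""
    if obj.get("kind") == "List":  # e.g. kubectl get deploy -A -o json
        return [pair for item in obj.get("items", [])
                for pair in unscoped_secret_volumes(item)]
    findings = []
    for vol in pod_spec(obj).get("volumes", []):
        sources = []
        if "secret" in vol:
            sources.append((vol["secret"].get("secretName"), vol["secret"]))
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                sources.append((src["secret"].get("name"), src["secret"]))
        findings += [(vol["name"], name) for name, sec in sources if not sec.get("items")]
    return findings

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for volume, secret in unscoped_secret_volumes(doc):
        print(f"volume {volume!r}: all keys of Secret {secret!r} are mounted")
```

Run without arguments it checks the embedded sample; pass a path to a saved JSON manifest to check real workloads.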
