extraSecrets are not mounted to pods #192

Open
ldaneliukas opened this issue Nov 20, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@ldaneliukas
Collaborator

ldaneliukas commented Nov 20, 2023

Describe the Bug

#125 introduced extraSecrets and these are added as volumes to all pods. The issue is, they are not actually mounted (i.e. no volumeMounts are created). So whilst the secret is added, it can't really be used for anything within the existing containers.

Expected Behavior

The value for extraSecrets should require not only a name but a mountPath too, which would create volume mounts on the specified path in all containers. Changing it to a hash with key being the secret name and value the path could work, for example:

puppetserver:
  extraSecrets:
    myBigSecret: "/etc/puppetlabs/secretPath"

Then:

volumes:
  {{- range $key, $value := .Values.puppetserver.extraSecrets }}
  - name: {{ $key }}-volume
    secret:
      secretName: {{ $key }}
  {{- end }}

volumeMounts:
  {{- range $key, $value := .Values.puppetserver.extraSecrets }}
  - name: {{ $key }}-volume
    readOnly: true
    mountPath: {{ $value }}
  {{- end }}

Steps to Reproduce

  1. Add extraSecrets in your values.
  2. Deploy.
  3. You can't access the secrets as they aren't mounted.

Additional Context

I can create a PR for this.

@ldaneliukas ldaneliukas added the bug Something isn't working label Nov 20, 2023
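
A check for the gap described in this issue, as an added example that is not part of the original thread or the chart's own code: it takes a rendered workload as JSON (for instance the output of `kubectl get -o json`) and reports, per container, the secret volumes declared in the pod spec that have no matching volumeMounts entry. It goes slightly beyond the report by handling both bare Pods and workloads with a pod template; the manifest and all names in it are constructed sample data.

```python
import json

# Constructed sample: a rendered Deployment in which the secret volume is
# declared but only one of the three containers mounts it.
SAMPLE = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {
  "volumes": [
    {"name": "my-big-secret-volume", "secret": {"secretName": "my-big-secret"}},
    {"name": "data", "emptyDir": {}}
  ],
  "initContainers": [
    {"name": "init", "volumeMounts": [{"name": "data", "mountPath": "/data"}]}
  ],
  "containers": [
    {"name": "puppetserver", "volumeMounts": [
      {"name": "my-big-secret-volume", "readOnly": true,
       "mountPath": "/etc/puppetlabs/secretPath"}]},
    {"name": "sidecar"}
  ]
}}}}
""")


def pod_spec(obj):
    """Return the pod spec of a bare Pod or of a workload with a pod template."""
    spec = obj.get("spec") or {}
    template = spec.get("template")
    return (template.get("spec") or {}) if template else spec


def unmounted_secret_volumes(obj):
    """Map container name -> secret volumes declared but not mounted in it."""
    spec = pod_spec(obj)
    secret_vols = [v["name"] for v in spec.get("volumes") or [] if "secret" in v]
    report = {}
    for key in ("initContainers", "containers"):
        for container in spec.get(key) or []:
            mounted = {m["name"] for m in container.get("volumeMounts") or []}
            missing = [name for name in secret_vols if name not in mounted]
            if missing:
                report[container["name"]] = missing
    return report


if __name__ == "__main__":
    for name, missing in unmounted_secret_volumes(SAMPLE).items():
        print(f"{name}: secret volumes not mounted: {', '.join(missing)}")
```
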
@ldaneliukas
Collaborator Author

I just noticed that this is a duplicate of #166, somehow I managed to miss it when searching existing issues.

@cpiment
Contributor

cpiment commented Apr 1, 2024

Hi @ldaneliukas, I see this has not been fixed yet. Do you mind if I open a PR using your solution? I thought about changing extraSecrets to an array of objects like this:

puppetserver:
  extraSecrets:
    - name: myBigSecret
      path: "/etc/puppetlabs/secretPath"
    - name: myOtherSecret
      path: "/etc/puppetlabs/otherSecretPath"

But I like your solution more.

@ldaneliukas
Collaborator Author

Hi @cpiment, I have completely blanked on this proposal. If you could open a PR for this, it'd be great! 🙇
