-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to override automount secret properties in devfile #17079
Comments
Since secrets may be applied to any container of any component in devfile, it seems to me that So, thats is the first draft proposal for discussion beginning (it supposes devfile owner knows the secret names, but i'm not sure it is always true).
|
Ok, so after having some internal discussion, we see the two different approaches, with different flexibility and usage complexity. Generally, it's per-component or per-devfile overrides. First one initially proposed by Sergii, with examples in issue description, it's per-component override. Second is proposed by me in comment above, it-s per devfile override, authomatically applying override all changes per all components, so it can be written just once. But of cource it less flexibility, not allowing to change something in just one component (but you can still override just one target component if you know it's name). As for me, mounting same secret into ALL containers is an quite unusual exceprional case. In most usecases, thre will be just one target container where the secret shoult be applied. So, IMO, having single definition is just enough if you want to change this container and/or modify mount path or ENV name. So with 2nd case you dont even need to care in which component this container is. So let's try to choose one that fit our needs better, to stay on right track. |
I was looking at the automounting of a SA account token that has some analogies with this use case and here are some considerations: Automounting To avoid that the SA token get automatically mounted on every containers k8s API provides the attribute For our use case we should have a similar attribute Overriding Secrets Paths To override SA token default mount path ( For our use case I would get inspiration from it (again) and have something similar: components:
- type: dockerimage
alias: maven
image: maven:3.11
volumes:
- name: <secret-name>
containerPath: /my/new/path Cross component Volume Definition I would wait devfile 2.0 for that as there is a proposal for something that would address that devfile/api#19 (comment). |
So, to make sure i understood it correctly about automounting: In secret, we will replace
|
@mshaposhnik yes. |
I think plural is better since several secrets can be present in namespace, wdyt ? |
Ok but each secret will have its annotation |
Yes, so maybe it should be |
Maybe we can try the following for the devfile component only: |
Not sure we should mix booleans with free-form strings. I would go with true/false only. And eventually adding a selector in the future if there are some use cases that require that. |
Ok, cool. So, to summarize:
|
@mshaposhnik nice! |
@l0rd Should we handle also the old format? or we can cover that with documentation? |
I would only cover that with documentation. I don't think there has been adoption yet. But we should probably make sure that we release the new format for CRW 2.2. |
Is your task related to a problem? Please describe.
Atref implementing #14680 users can have secrets mounted to theirs workspace contaibers as files on env variabes. At the same time, user may need some variabitilty, like changing environment var name or mount path without affecting the original secret in namespace. So that can de done by updating the devfile of the perticular workspace.
Describe the solution you'd like
Initial idea (copied from #14680, probably needs to be revised and refactored) :
To be able to explicitly override mountPath or envName of concrete Secret we need a pair secretName and key that we want to override + value. It can look like this in devfile
devfile.yaml
or
devfile.yaml
The text was updated successfully, but these errors were encountered: