Support more secret volume fields in secure settings (#1665)

Support entries, key and path fields for the secure
settings secret similar to secret volume mounts to
give a way to inject a subset of secrets and/or
define a specific name to secure settings.

New syntax supported:
```
spec:
  secureSettings:
  - secretName: your-secure-settings-secret
    entries:
    - key: username
      path: my-login
  - secretName: your-second-secure-settings-secret
```

config/crds/apm_v1alpha1_apmserver.yaml

@@ -162,12 +162,38 @@ spec:
               description: SecureSettings references secrets containing secure settings,
                 to be injected into the APM keystore on each node. Each individual
                 key/value entry in the referenced secrets is considered as an individual
-                secure setting to be injected. The secret must exist in the same namespace
-                as the APM resource.
+                secure setting to be injected. You can use the `entries` and `key`
+                fields to consider only a subset of the secret entries and the `path`
+                field to change the target path of a secret entry key. The secret
+                must exist in the same namespace as the APM resource.
               items:
                 properties:
+                  entries:
+                    description: If unspecified, each key-value pair in the Data field
+                      of the referenced Secret will be projected into the volume as
+                      a file whose name is the key and content is the value. If specified,
+                      the listed keys will be projected into the specified paths,
+                      and unlisted keys will not be present.
+                    items:
+                      properties:
+                        key:
+                          description: The key to project.
+                          type: string
+                        path:
+                          description: The relative path of the file to map the key
+                            to. May not be an absolute path. May not contain the path
+                            element '..'. May not start with the string '..'.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
                   secretName:
+                    description: 'Name of the secret in the pod''s namespace to use.
+                      More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
                     type: string
+                required:
+                - secretName
                 type: object
               type: array
             version:

config/crds/elasticsearch_v1alpha1_elasticsearch.yaml

@@ -166,12 +166,38 @@ spec:
               description: SecureSettings references secrets containing secure settings,
                 to be injected into Elasticsearch keystore on each node. Each individual
                 key/value entry in the referenced secrets is considered as an individual
-                secure setting to be injected. The secret must exist in the same namespace
-                as the Elasticsearch resource.
+                secure setting to be injected. You can use the `entries` and `key`
+                fields to consider only a subset of the secret entries and the `path`
+                field to change the target path of a secret entry key. The secret
+                must exist in the same namespace as the Elasticsearch resource.
               items:
                 properties:
+                  entries:
+                    description: If unspecified, each key-value pair in the Data field
+                      of the referenced Secret will be projected into the volume as
+                      a file whose name is the key and content is the value. If specified,
+                      the listed keys will be projected into the specified paths,
+                      and unlisted keys will not be present.
+                    items:
+                      properties:
+                        key:
+                          description: The key to project.
+                          type: string
+                        path:
+                          description: The relative path of the file to map the key
+                            to. May not be an absolute path. May not contain the path
+                            element '..'. May not start with the string '..'.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
                   secretName:
+                    description: 'Name of the secret in the pod''s namespace to use.
+                      More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
                     type: string
+                required:
+                - secretName
                 type: object
               type: array
             setVmMaxMapCount:

config/crds/kibana_v1alpha1_kibana.yaml

@@ -159,12 +159,38 @@ spec:
               description: SecureSettings references secrets containing secure settings,
                 to be injected into Kibana keystore on each node. Each individual
                 key/value entry in the referenced secrets is considered as an individual
-                secure setting to be injected. The secret must exist in the same namespace
-                as the Kibana resource.
+                secure setting to be injected. You can use the `entries` and `key`
+                fields to consider only a subset of the secret entries and the `path`
+                field to change the target path of a secret entry key. The secret
+                must exist in the same namespace as the Kibana resource.
               items:
                 properties:
+                  entries:
+                    description: If unspecified, each key-value pair in the Data field
+                      of the referenced Secret will be projected into the volume as
+                      a file whose name is the key and content is the value. If specified,
+                      the listed keys will be projected into the specified paths,
+                      and unlisted keys will not be present.
+                    items:
+                      properties:
+                        key:
+                          description: The key to project.
+                          type: string
+                        path:
+                          description: The relative path of the file to map the key
+                            to. May not be an absolute path. May not contain the path
+                            element '..'. May not start with the string '..'.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
                   secretName:
+                    description: 'Name of the secret in the pod''s namespace to use.
+                      More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
                     type: string
+                required:
+                - secretName
                 type: object
               type: array
             version:

config/samples/apm/apmserver.yaml

@@ -8,3 +8,15 @@ spec:
   config:
     output.console:
       pretty: true
+# http:
+#   service:
+#     spec:
+#       type: LoadBalancer
+#  # inject secure settings into APM Server keystore from k8s secrets references
+#   secureSettings:
+#   - secretName: ref-to-secret
+#   - secretName: another-ref-to-secret
+#     # expose only a subset of the secret keys (optional)
+#     entries:
+#     - key: value1
+#       path: newkey # project a key to a specific path (optional)

config/samples/elasticsearch/elasticsearch.yaml

@@ -31,32 +31,37 @@ spec:
           - name: ES_JAVA_OPTS
             value: "-Xms2g -Xmx2g"
     nodeCount: 3
-#    # request 2Gi of persistent data storage for pods in this topology element
-#    volumeClaimTemplates:
-#    - metadata:
-#        name: elasticsearch-data
-#      spec:
-#        accessModes:
-#        - ReadWriteOnce
-#        resources:
-#          requests:
-#            storage: 2Gi
-#        storageClassName: standard
-#  # inject secure settings into Elasticsearch nodes from a k8s secret reference
-#   secureSettings:
-#     secretName: "ref-to-secret"
-#   http:
-#     service:
-#       spec:
-#         # expose this cluster Service with a LoadBalancer
-#         type: LoadBalancer
-#     tls:
-#       selfSignedCertificate:
-#         # add a list of SANs into the self-signed HTTP certificate
-#         subjectAltNames:
-#         - ip: 192.168.1.2
-#         - ip: 192.168.1.3
-#         - dns: elasticsearch-sample.example.com
-#       certificate:
-#         # provide your own certificate
-#         secretName: my-cert
+  #   # request 2Gi of persistent data storage for pods in this topology element
+  #   volumeClaimTemplates:
+  #   - metadata:
+  #       name: elasticsearch-data
+  #     spec:
+  #       accessModes:
+  #       - ReadWriteOnce
+  #       resources:
+  #         requests:
+  #           storage: 2Gi
+  #       storageClassName: standard
+  # # inject secure settings into Elasticsearch nodes from k8s secrets references
+  # secureSettings:
+  # - secretName: ref-to-secret
+  # - secretName: another-ref-to-secret
+  #   # expose only a subset of the secret keys (optional)
+  #   entries:
+  #   - key: value1
+  #     path: newkey # project a key to a specific path (optional)
+  # http:
+  #   service:
+  #     spec:
+  #       # expose this cluster Service with a LoadBalancer
+  #       type: LoadBalancer
+  #   tls:
+  #     selfSignedCertificate:
+  #       # add a list of SANs into the self-signed HTTP certificate
+  #       subjectAltNames:
+  #       - ip: 192.168.1.2
+  #       - ip: 192.168.1.3
+  #       - dns: elasticsearch-sample.example.com
+  #     certificate:
+  #       # provide your own certificate
+  #       secretName: my-cert

config/samples/kibana/kibana.yaml

@@ -15,10 +15,15 @@ spec:
     certificateAuthorities:
       secretName: my-ca-cert # reference to a secret containing certificates under "tls.crt"
   nodeCount: 1
-# http:
-#   service:
-#     spec:
-#       type: LoadBalancer
-## Inject entries from the referenced secret into Kibana keystore
-#  secureSettings:
-#    secretName: kb-secure-settings
+#   http:
+#     service:
+#       spec:
+#         type: LoadBalancer # default is clusterIP
+#   # inject secure settings into Kibana keystore from k8s secrets references
+#   secureSettings:
+#   - secretName: ref-to-secret
+#   - secretName: another-ref-to-secret
+#     # expose only a subset of the secret keys (optional)
+#     entries:
+#     - key: value1
+#       path: newkey # project a key to a specific path (optional)

docs/apm.asciidoc

@@ -124,7 +124,7 @@ spec:
   version: 7.3.0
   nodeCount: 1
   secureSettings:
-    secretName: apm-secret-settings
+  - secretName: apm-secret-settings
   config:
     output:
       elasticsearch:
@@ -163,7 +163,7 @@ spec:
   version: 7.3.0
   nodeCount: 1
   secureSettings:
-    secretName: apm-secret-settings
+  - secretName: apm-secret-settings
   config:
     output:
       elasticsearch:

docs/elasticsearch-spec.asciidoc

@@ -197,7 +197,7 @@ spec:
   setVmMaxMapCount: false
 ----
 
-For more information, see the Elasticsearch documentation on 
+For more information, see the Elasticsearch documentation on
 link:https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html[Virtual memory].
 
 Optionally, you can select a different type of file system implementation for the storage. For possible options, see the
@@ -239,15 +239,29 @@ $ kubectl create secret tls my-cert --cert tls.crt --key tls.key
 [id="{p}-es-secure-settings"]
 === Secure settings
 
-You can specify link:https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html[secure settings] with a Kubernetes secret.
-The secret should contain a key-value pair for each secure setting you want to add. Reference that secret in the Elasticsearch
+You can specify link:https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html[secure settings] with Kubernetes secrets.
+The secrets should contain a key-value pair for each secure setting you want to add. Reference that secrets in the Elasticsearch
 resource specification for ECK to automatically inject those settings into the keystore on each node before it starts Elasticsearch.
 
 [source,yaml]
 ----
 spec:
   secureSettings:
-    secretName: your-secure-settings-secret
+  - secretName: one-secure-settings-secret
+  - secretName: two-secure-settings-secret
+----
+
+You can export a subset of secret keys and also project keys to specific paths using the `entries`, `key` and `path` fields:
+
+[source,yaml]
+----
+spec:
+  secureSettings:
+  - secretName: your-secure-settings-secret
+    entries:
+    - key: key1
+    - key: key2
+      path: newkey2
 ----
 
 See link:k8s-snapshot.html[How to create automated snapshots] for an example use case.
@@ -284,7 +298,7 @@ spec:
             bin/elasticsearch-plugin install --batch repository-azure
 ----
 
-To install custom configuration files you can use volumes and volume mounts. 
+To install custom configuration files you can use volumes and volume mounts.
 
 The next example shows how to add a synonyms file for the
 link:https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-synonym-tokenfilter.html[synonym token filter] in Elasticsearch.

docs/snapshots.asciidoc

@@ -106,7 +106,7 @@ spec:
     # ...
     # Inject secure settings into Elasticsearch nodes from a k8s secret reference
     secureSettings:
-      secretName: "gcs-credentials"
+    - secretName: gcs-credentials
 ----
 
 . Apply the modifications:

pkg/apis/apm/v1alpha1/apmserver_types.go

@@ -50,8 +50,10 @@ type ApmServerSpec struct {
 	// into the APM keystore on each node.
 	// Each individual key/value entry in the referenced secrets is considered as an
 	// individual secure setting to be injected.
+	// You can use the `entries` and `key` fields to consider only a subset of the secret
+	// entries and the `path` field to change the target path of a secret entry key.
 	// The secret must exist in the same namespace as the APM resource.
-	SecureSettings []commonv1alpha1.SecretRef `json:"secureSettings,omitempty"`
+	SecureSettings []commonv1alpha1.SecretSource `json:"secureSettings,omitempty"`
 }
 
 // Elasticsearch contains configuration for the Elasticsearch output
@@ -151,7 +153,7 @@ func (as *ApmServer) ElasticsearchRef() commonv1alpha1.ObjectSelector {
 	return as.Spec.ElasticsearchRef
 }
 
-func (as *ApmServer) SecureSettings() []commonv1alpha1.SecretRef {
+func (as *ApmServer) SecureSettings() []commonv1alpha1.SecretSource {
 	return as.Spec.SecureSettings
 }
 

pkg/apis/common/v1alpha1/common.go

@@ -118,3 +118,29 @@ type PodDisruptionBudgetTemplate struct {
 	// +optional
 	Spec v1beta1.PodDisruptionBudgetSpec `json:"spec,omitempty"`
 }
+
+type SecretSource struct {
+	// Name of the secret in the pod's namespace to use.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	SecretName string `json:"secretName"`
+	// If unspecified, each key-value pair in the Data field of the referenced
+	// Secret will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present.
+	// +optional
+	Entries []KeyToPath `json:"entries,omitempty"`
+}
+
+// Maps a string key to a path within a volume.
+type KeyToPath struct {
+	// The key to project.
+	Key string `json:"key"`
+
+	// The relative path of the file to map the key to.
+	// May not be an absolute path.
+	// May not contain the path element '..'.
+	// May not start with the string '..'.
+	// +optional
+	Path string `json:"path,omitempty"`
+}