KEYCLOAK-17233 Allow multiple secrets/volumes to be mounted in the same path


Kevin Burns

Feb 24, 2021, 4:11:24 PM
to Keycloak Dev
Once KEYCLOAK-16003 gets merged in, it'll allow us to mount secrets, providing us the ability to use the vault integration. However, it currently only allows a single secret to be mounted to a mountPath. I had a solution working, but I'm not sure what the best way to name the CR variables is. Right now I have it set to:

volumes:
        defaultMode: 0444
        items:
          - secret:
              name: single-secret
              mountPath: /single-secret
          - secret:
              name: multiple-secrets
              mountPath: /multiple-secrets
              secretNames:
                - secret1
                - secret2
          - configMap:
              name: single-configmap
              mountPath: /single-configmap
          - configMap:
              name: multiple-configmaps
              mountPath: /multiple-configmaps
              configMapNames:
                - configmap1
                - configmap2

Does this look ok or does anyone have a better suggestion for naming? I'll get a PR cut after KEYCLOAK-16003 is merged.

Thanks,

- Kevin

Sebastian Łaskawiec

Feb 25, 2021, 2:00:58 AM
to Kevin Burns, Keycloak Dev
Thanks for the interest in this, Kevin!

I think a much more flexible way would be to introduce support for Projected Volumes [1]. The support could be introduced in a very similar way to ConfigMaps and Secrets. After all, it's just yet another Volume type in K8s. With Projected Volumes you could do a mix of everything in a single entry.


--
Sebastian Łaskawiec

Kevin Burns

Feb 25, 2021, 11:15:23 AM
to Keycloak Dev
The volume mount piece for this uses projected volumes on the backend. Are you thinking of something like this?


volumes:
  defaultMode: 0444
  items:
    - name: multi
      path: /multi
      secrets:
       - secret1
       - secret2
      configmap:
       - cm1
       - cm2
    - name: single
      path :/single
      secrets:
        - secret1

Kevin Burns

Feb 25, 2021, 11:39:30 AM
to Keycloak Dev
My previous example had a few typos in it. I updated the code so it can mount configmaps and secrets in the same volume. Right now the config looks like:

    volumes:
        defaultMode: 0444
        items:
          - name: keytab
            mountPath: /keytabs
            secrets:
              - keytab
          - name: vault
            mountPath: /vault
            secrets:
              - ldap-vault
              - ldap-vault2
          - name: cm1
            mountPath: /cmtest
            configMaps:
              - testcm
              - testcm2
          - name: testcm2
            mountPath: /cmtest4
            configMaps:
              - testcm2
          - name: multi
            mountPath: /multi
            configMaps:
              - testcm
              - testcm2
            secrets:
              - ldap-vault
              - ldap-vault2
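
Added illustration, not part of the thread or the operator's code: the Kubernetes pod-spec fragment that the `multi` item in the message above corresponds to when it is backed by one projected volume, as the thread describes. The container name `keycloak` and the `readOnly: true` setting are assumptions; the output of the actual PR may differ.

```yaml
# Pod spec fragment (constructed example)
spec:
  volumes:
    - name: multi
      projected:
        # One mode applies to every file from every source below.
        # 0444 is octal in YAML; in JSON the same value is 292.
        # It makes the secret files readable by any user in the container.
        defaultMode: 0444
        sources:
          - configMap:
              name: testcm
          - configMap:
              name: testcm2
          - secret:
              name: ldap-vault
          - secret:
              name: ldap-vault2
  containers:
    - name: keycloak          # assumed container name
      volumeMounts:
        - name: multi
          mountPath: /multi   # all four sources appear under this one path
          readOnly: true      # assumption, not stated in the thread
```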

Sebastian Łaskawiec

Mar 15, 2021, 6:30:18 AM
to Kevin Burns, Keycloak Dev
Ok, so I guess we can move the conversation to the PR: https://github.com/keycloak/keycloak-operator/pull/321



--
Sebastian Łaskawiec