kubernetes deployment mounts secret as a folder instead of a file
Secrets vs ConfigMaps
Secrets
let you store and manage sensitive information (e.g. passwords, private keys) and ConfigMaps
are used for non-sensitive configuration data.
As you can see in the Secrets and ConfigMaps documentation:
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key.
A ConfigMap allows you to decouple environment-specific configuration from your container images, so that your applications are easily portable.
Mounting Secret as a file
It is possible to create Secret
and pass it as a file or multiple files to Pods
.
I've create simple example for you to illustrate how it works.Below you can see sample Secret
manifest file and Deployment
that uses this Secret:
NOTE: I used subPath
with Secrets
and it works as expected.
---apiVersion: v1kind: Secretmetadata: name: my-secretdata: secret.file1: | c2VjcmV0RmlsZTEK secret.file2: | c2VjcmV0RmlsZTIK---apiVersion: apps/v1kind: Deploymentmetadata:... spec: containers: - image: nginx name: nginx volumeMounts: - name: secrets-files mountPath: "/mnt/secret.file1" # "secret.file1" file will be created in "/mnt" directory subPath: secret.file1 - name: secrets-files mountPath: "/mnt/secret.file2" # "secret.file2" file will be created in "/mnt" directory subPath: secret.file2 volumes: - name: secrets-files secret: secretName: my-secret # name of the Secret
Note: Secret
should be created before Deployment
.
After creating Secret
and Deployment
, we can see how it works:
$ kubectl get secret,deploy,podNAME TYPE DATA AGEsecret/my-secret Opaque 2 76sNAME READY UP-TO-DATE AVAILABLE AGEdeployment.apps/nginx 1/1 1 1 76sNAME READY STATUS RESTARTS AGEpod/nginx-7c67965687-ph7b8 1/1 Running 0 76s$ kubectl exec nginx-7c67965687-ph7b8 -- ls /mntsecret.file1secret.file2$ kubectl exec nginx-7c67965687-ph7b8 -- cat /mnt/secret.file1secretFile1$ kubectl exec nginx-7c67965687-ph7b8 -- cat /mnt/secret.file2secretFile2
Projected Volume
I think a better way to achieve your goal is to use projected volume.
A projected volume maps several existing volume sources into the same directory.
In the Projected Volume documentation you can find detailed explanation but additionally I created an example that might help you understand how it works.Using projected volume I mounted secret.file1
, secret.file2
from Secret
and config.file1
from ConfigMap
as files into the Pod
.
---apiVersion: v1kind: Secretmetadata: name: my-secretdata: secret.file1: | c2VjcmV0RmlsZTEK secret.file2: | c2VjcmV0RmlsZTIK---apiVersion: v1kind: ConfigMapmetadata: name: my-configdata: config.file1: | configFile1 ---apiVersion: v1kind: Podmetadata: name: nginxspec: containers: - name: nginx image: nginx volumeMounts: - name: all-in-one mountPath: "/config-volume" readOnly: true volumes: - name: all-in-one projected: sources: - secret: name: my-secret items: - key: secret.file1 path: secret-dir1/secret.file1 - key: secret.file2 path: secret-dir2/secret.file2 - configMap: name: my-config items: - key: config.file1 path: config-dir1/config.file1
We can check how it works:
$ kubectl exec nginx -- ls /config-volumeconfig-dir1secret-dir1secret-dir2 $ kubectl exec nginx -- cat /config-volume/config-dir1/config.file1configFile1$ kubectl exec nginx -- cat /config-volume/secret-dir1/secret.file1secretFile1$ kubectl exec nginx -- cat /config-volume/secret-dir2/secret.file2secretFile2
If this response doesn't answer your question, please provide more details about your Secret
and what exactly you want to achieve.