Multiple secrets on kubernetes

running 2+ secrets where one is foo-dev-secrets and the other is foo-universal-secrets

As a for-your-consideration, a well-constructed RBAC policy would ensure that only accounts with the correct permissions would be able to read secrets if they are decomposed, which would (of course) be much harder if they were all lumped into one "all-the-secrets" bucket

we know you can only have "one secret per volume", but in all honesty we aren't sure what that means.

Then you're in good company, because I don't know what that means, either :-D If you mean there are global secrets, but the dev secrets are named the same but more specific, I think docker -v will tolerate that:

containers:- name: foo  volumeMounts:  - name: global-secrets    mountPoint: /run/secrets/global    readOnly: true  - name: foo-secret-override    mountPoint: /run/secrets/global/no-really    readOnly: true

... with the disadvantage being that your volumes: and volumeMounts: will become quite chatty

That said, I would bet the more general, and less mind-bend-y solution is to mount them as peers and then do the application equivalent of find /run/secrets/ -not -type d to slurp them all up:

  volumeMounts:  - name: global-secrets    mountPoint: /run/secrets/0-global    readOnly: true  - name: foo-secrets    mountPoint: /run/secrets/1-foo    readOnly: true

Or, if possible, have the application read the path from an environment variable or ConfigMap-ed situation, meaning one could project them as peers (still) but point-out to the application which of the two values it should use.

Of course, the devil's in the details, so feel free to chime in if you are able to share more specifics about the hurdles you are encountering