Add file annotation #158
Conversation
As per issue #88, before this fix the secret filename was limited to 21 chars and could not contain a directory separator `/`. This fix introduces two new annotations to use together: `vault.hashicorp.com/agent-inject-location` to specify the vault secret location, and `vault.hashicorp.com/agent-inject-filename` to specify the filename to realize. It has the advantage of allowing long filenames, including directory separators, and if the location is absolute, it will create the file there, effectively giving the option to save outside of `/vault/secrets/`.
Instead of both a location and filename annotation directive that deprecates the secret annotation, only add a file directive that allows specifying an optional file path and name for the rendered secrets.
Looks good so far, I left some minor suggestions. I don't quite get the significance of the mentioned absolute pathing (e.g. `/some/file` vs `some/file`), they appear to me to produce the same results. Can you help me understand the difference/functionality?
Refactored how a secret is assembled. Simplified the filePathAndName logic. Tried to make some test descriptions more clear.
Yeah, going through this again I think calling out absolute pathing is unnecessary, since both styles just end up inside the secrets volume, i.e. you can't specify an absolute path to write something outside in an arbitrary location within the container. Tried to simplify some of that language in the PR description and code comments in b96d6b4.
LGTM, thanks! 👍
Will this be released soon? We also have a use case for specifying the filename of a secret: we have multiple secrets with the same expected file names, each written to its own, different mounted volume path.
@andrejvanderzee Most likely Monday, August 24th!
Adds new annotation `vault.hashicorp.com/agent-inject-file`. This sets the filename and path in the secrets volume where a vault secret will be written. The container mount path for the secrets volume may be modified with the `secret-volume-path` annotation. This allows for filenames that aren't limited in length as k8s annotation keys, and for arbitrary directory structures in the secrets volume. Co-authored-by: Samuel Beaulieu <samuel@puppetlabs.com>
(Continues #89, fixes #88)
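As an added illustration (not the vault-k8s project's own code), the Go function below models the path rule the thread settles on: a file annotation may carry a long name and directory components, `/some/file` and `some/file` both land inside the secrets volume, the volume root comes from `secret-volume-path`, and a secret without a file annotation falls back to its unique name. The `-<name>` suffix convention on the annotation keys and the `..` guard at the end are my assumptions, not something the PR states.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Annotation keys from the PR thread; the "-<name>" suffix convention is an assumption.
const (
	secretPrefix      = "vault.hashicorp.com/agent-inject-secret-"
	filePrefix        = "vault.hashicorp.com/agent-inject-file-"
	volumePathKey     = "vault.hashicorp.com/secret-volume-path"
	defaultVolumePath = "/vault/secrets"
)

// ResolveSecretFiles maps pod annotations to the container path each secret renders to,
// keyed by the secret's unique name. As the thread describes, "/some/file" and "some/file"
// both land inside the secrets volume, and a missing file annotation falls back to the name.
func ResolveSecretFiles(annotations map[string]string) (map[string]string, error) {
	volume := path.Clean(annotations[volumePathKey])
	if volume == "." {
		volume = defaultVolumePath
	}
	out := make(map[string]string)
	for key, vaultPath := range annotations {
		if !strings.HasPrefix(key, secretPrefix) || vaultPath == "" {
			continue
		}
		name := strings.TrimPrefix(key, secretPrefix)
		file := annotations[filePrefix+name]
		if file == "" {
			file = name
		}
		// path.Join cleans the result, so a leading "/" does not make the file absolute.
		full := path.Join(volume, file)
		// Illustrative guard (not described in the PR): refuse ".." escaping the volume.
		if !strings.HasPrefix(full, volume+"/") {
			return nil, fmt.Errorf("secret %q would render outside %s: %s", name, volume, full)
		}
		out[name] = full
	}
	return out, nil
}

func main() { // constructed sample annotations, not taken from a real pod
	files, err := ResolveSecretFiles(map[string]string{
		secretPrefix + "db": "database/creds/app", filePrefix + "db": "/config/database/credentials.json"})
	fmt.Println(files, err)
}
```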