Fix for bokysan#83: Add the possibility to mount files from secret

README.md

@@ -490,6 +490,9 @@ Chart configuration is as follows:
 | `config.postfix` | `{}` | Key-value list of general postfix options, e.g. `myhostname: "demo"` |
 | `config.opendkim` | `{}` | Key-value list of general OpenDKIM options, e.g. `RequireSafeKeys: "yes"` |
 | `secret` | `{}` | Key-value list of environment variables to be shared with Postfix / OpenDKIM as secrets |
+| `mountSecret.enabled` | `false` | Create a folder with contents of the secret in the pod's container |
+| `mountSecret.path` | `/var/lib/secret` | Where to mount secret data |
+| `mountSecret.data` | `{}` | Key-value list of files to be mount into the container |
 | `persistence.enabled` | `true` | Persist Postfix's queue on disk |
 | `persistence.accessModes` | `[ 'ReadWriteOnce' ]` | Access mode |
 | `persistence.existingClaim` | `""` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. |

helm/mail/templates/secret-mount.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.mountSecret.enabled -}}
+{{- $chart := "mail" -}}
+{{- $fullName := include (print $chart ".fullname") . -}}
+{{- $labels := include (print $chart ".labels") . -}}
+{{- with .Values.mountSecret.data }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $fullName }}-mount
+  labels:
+    {{- $labels | nindent 4 }}
+data:
+  {{- range $key, $value := . }}
+  {{ $key }}: {{ $value | b64enc | quote }}
+  {{- end }}
+{{ end }}
+{{- end -}}

helm/mail/templates/statefulset.yaml

@@ -105,6 +105,11 @@ spec:
               readOnly: true
               subPath: _enable_tls.sh
             {{- end }}
+            {{- if .Values.mountSecret.enabled }}
+            - name: mount-secret
+              mountPath: {{ .Values.mountSecret.path }}
+              readOnly: true
+            {{- end }}
             {{- if .Values.extraVolumeMounts }}{{- toYaml .Values.extraVolumeMounts | nindent 12 }}{{ end }}
           resources: {{ toYaml .Values.resources | nindent 12 }}
         {{- if .Values.extraContainers }}
@@ -135,6 +140,11 @@ spec:
         - name: {{ $fullName }}
           emptyDir: {}
         {{- end }}
+        {{- if .Values.mountSecret.enabled }}
+        - name: mount-secret
+          secret:
+            secretName: {{ $fullName }}-mount
+        {{- end }}
         {{- if .Values.extraVolumes }}{{- toYaml .Values.extraVolumes | nindent 8 }}{{ end }}
   {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
   volumeClaimTemplates:
@@ -145,7 +155,7 @@ spec:
         accessModes: {{- toYaml .Values.persistence.accessModes | nindent 10 }}
         {{- if (eq "-" .Values.persistence.storageClass) }}
         storageClassName: ""
-        {{- end }}{{- if .Values.persistence.storageClass }}
+        {{- else if .Values.persistence.storageClass }}
         storageClassName: "{{ .Values.persistence.storageClass }}"
         {{- end }}
         resources:

helm/mail/values.yaml

@@ -90,6 +90,18 @@ certs:
 #   hello: world
 secret: {}
 
+# Define a secret which should be deployed together with the
+# chart amd mounted into a specific directory in the pod.
+mountSecret:
+  enabled: false
+  path: /var/lib/secret
+  data: {}
+    # e.g.
+    # dkim-private: |
+    #   -----BEGIN RSA PRIVATE KEY-----
+    #   < redacted >
+    #   -----END RSA PRIVATE KEY-----
+
 config:
   general: {}
     # e.g.

helm/test_10_mount_secret.yml

@@ -0,0 +1,8 @@
+mountSecret:
+  enabled: true
+  path: /test
+  data:
+    dkim-private: |
+      -----BEGIN RSA PRIVATE KEY-----
+      < redacted >
+      -----END RSA PRIVATE KEY-----