devtron
Bug: Unable to Use `sub-path` option in External-Secret-Operator (ESO)
📜 Description
While deploying a devtron-app, if we use the External Secret Operator with the sub-path option enabled, the volume mount is not created.
It works fine when sub-path is disabled.
👟 Reproduction steps
- create a devtron-app
- do the basic configuration just like normal app
- go to secrets and add new secret
- select secret type as external secret
- select data volume options
- select the toggle button for sub-path
👍 Expected behavior
Volume mount should get created for each key as sub-path.
👎 Actual Behavior
The ideal behaviour can be seen when we enable sub-path in a simple Kubernetes secret.
☸ Kubernetes version
any
Cloud provider
any
🌍 Browser
Chrome
🧱 Your Environment
No response
✅ Proposed Solution
The values.yaml for sub-path enabled and external secret (ESO):
.....
```json
"ConfigSecrets": {
  "enabled": true,
  "secrets": [
    {
      "esoSecretData": {
        "esoData": [
          {
            "key": "kushagra-test",
            "property": "test1",
            "secretKey": "SECRET_KUSHAGRA"
          }
        ],
        "secretStore": {
          "aws": {
            "auth": {
              "secretRef": {
                "accessKeyIDSecretRef": {
                  "key": "access-key",
                  "name": "aws-auth"
                },
                "secretAccessKeySecretRef": {
                  "key": "secret-access-key",
                  "name": "aws-auth"
                }
              }
            },
            "region": "us-east-2",
            "service": "SecretsManager"
          }
        }
      },
      "external": true,
      "externalType": "ESO_AWSSecretsManager",
      "filePermission": "",
      "mountPath": "/dance",
      "name": "aws-secret",
      "roleARN": "arn:aws:secretsmanager:us-east-2:445808685819:secret:kushagra-test-Y9CHJm",
      "subPath": true,
      "type": "volume"
    },
```
....
The values.yaml for sub-path enabled and non-external secret (ESO):
.....
```json
"ConfigSecrets": {
  "enabled": true,
  "secrets": [
    {
      "data": {
        "key123": "dmFsdWUxMjM="
      },
      "esoSecretData": {},
      "external": false,
      "externalType": "",
      "filePermission": "",
      "mountPath": "/dance",
      "name": "test-123",
      "roleARN": "",
      "subPath": false,
      "type": "volume"
    },
```
....
The handling for the volume mount is in reference chart > template > deployment.yaml:
....
```yaml
{{- if .Values.ConfigSecrets.enabled }}
{{- range .Values.ConfigSecrets.secrets }}
{{- if eq .type "volume"}}
{{- $cmName := .name -}}
{{- $cmMountPath := .mountPath -}}
{{- if eq .subPath false }}
- name: {{ $cmName | replace "." "-"}}-vol
  mountPath: {{ $cmMountPath }}
{{- else }}
{{- range $k, $v := .data }}
- name: {{ $cmName | replace "." "-"}}-vol
  mountPath: {{ $cmMountPath}}/{{ $k}}
  subPath: {{ $k}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
```
....
Here we need handling for ESO and KES secrets.
👀 Have you spent some time to check if this issue has been raised before?
- [X] I checked and didn't find any similar issue
🏢 Have you read the Code of Conduct?
- [X] I have read the Code of Conduct
AB#4788
Need to update our reference charts to support ESO volume mount.
```yaml
{{if (or (eq .externalType "ESO_GoogleSecretsManager") (eq .externalType "ESO_AWSSecretsManager") (eq .externalType "ESO_HashiCorpVault") (eq .externalType "ESO_AzureSecretsManager"))}}
{{- range .esoSecretData.esoData }} # for eso secrets the mount path will be .esoSecretData.esoData[i].secretKey
- name: {{ $cmName | replace "." "-"}}-vol
  mountPath: {{ $cmMountPath}}/{{ .secretKey }}
  subPath: {{ .secretKey }}
{{- end }}
{{- else }}
{{- range $k, $v := .data }} # for other secrets the mount path will be .data[i].secretKey
- name: {{ $cmName | replace "." "-"}}-vol
  mountPath: {{ $cmMountPath}}/{{ $k}}
  subPath: {{ $k}}
{{- end }}
{{- end }}
```
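To check the proposed branch without a cluster, here is an added Go example (not Devtron's or the chart's own code) that renders a reduced copy of the volumeMounts loop with Go text/template, the engine underneath Helm, once with only the original `.data` range and once with the ESO branch added. The values entry is constructed from the issue's ESO example, `.Values.ConfigSecrets.secrets` is shortened to `.secrets`, and sprig's `replace` is the only Helm function emulated.

```go
package main

import (
	"bytes"
	"strings"
	"text/template"
)

// Hypothetical reduced copy of the issue's deployment.yaml volumeMounts loop.
const head = `{{- range .secrets }}{{- if eq .type "volume" }}
{{- $cmName := .name -}}{{- $cmMountPath := .mountPath -}}
{{- if eq .subPath false }}
- name: {{ $cmName | replace "." "-" }}-vol
  mountPath: {{ $cmMountPath }}`
// Proposed branch: ESO secrets carry no .data, so mount esoData[].secretKey.
const esoBranch = `
{{- else if or (eq .externalType "ESO_GoogleSecretsManager") (eq .externalType "ESO_AWSSecretsManager") (eq .externalType "ESO_HashiCorpVault") (eq .externalType "ESO_AzureSecretsManager") }}
{{- range .esoSecretData.esoData }}
- name: {{ $cmName | replace "." "-" }}-vol
  mountPath: {{ $cmMountPath }}/{{ .secretKey }}
  subPath: {{ .secretKey }}
{{- end }}`
// Original tail: one subPath mount per key of .data (plain Kubernetes secrets).
const tail = `
{{- else }}
{{- range $k, $v := .data }}
- name: {{ $cmName | replace "." "-" }}-vol
  mountPath: {{ $cmMountPath }}/{{ $k }}
  subPath: {{ $k }}
{{- end }}{{- end }}{{- end }}{{- end }}
`

// RenderMounts runs a Helm-style template through Go text/template, emulating only sprig's `replace`.
func RenderMounts(tmplText string, secrets []map[string]any) (string, error) {
	funcs := template.FuncMap{"replace": func(old, new, s string) string { return strings.ReplaceAll(s, old, new) }}
	t, err := template.New("mounts").Funcs(funcs).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, map[string]any{"secrets": secrets})
	return buf.String(), err
}

// EsoSecret is a constructed values entry shaped like the issue's ESO example: subPath on, no .data key.
func EsoSecret() []map[string]any {
	return []map[string]any{{"name": "aws-secret", "type": "volume", "mountPath": "/dance",
		"subPath": true, "externalType": "ESO_AWSSecretsManager", "esoSecretData": map[string]any{
			"esoData": []map[string]any{{"key": "kushagra-test", "secretKey": "SECRET_KUSHAGRA"}}}}}
}
```

Rendering `head+tail` over `EsoSecret()` yields no mount at all (the `.data` range is empty), while `head+esoBranch+tail` yields `/dance/SECRET_KUSHAGRA`. Keep in mind that Kubernetes does not propagate Secret updates into subPath mounts, so a key mounted this way keeps the value present at pod start even after ESO refreshes the backing Secret.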