5

I have the following yaml:

        volumeMounts:
        - name: app-secret
          mountPath: /app
          readOnly: true
      volumes:
      - name: app-secret
        secret:
          secretName: app-secret
          items:
          - key: app-secret.json
            path: appsettings.secret.json

I expect the secret is mounted on /app/appsettings.secret.json but it isn't. I don't know where it is mounted and the container crashes and I don't have a chance to kubectl exec into the container to inspect where the secret is mounted. My guess is that it wipes out the content of /app. Any advice and insight is appreciated.

Kok How Teh
  • the problem may be in your `containers[]` section. If not, then describe your pod using `$ kubectl describe` cmd. – Shudipta Sharma Jul 19 '19 at 07:10
  • Does your app also run from /app folder? Because I think the secret-mount will replace any contents of /app from your container image. Maybe try mounting as /config or similar. – Hitobat Jul 19 '19 at 08:27

3 Answers

11

This works:

        volumeMounts:
        - name: app-secret
          mountPath: /app/appsettings.secret.json
          subPath: appsettings.secret.json
          readOnly: true
      volumes:
      - name: app-secret
        secret:
          secretName: app-secret
          items:
          - key: app-secret.json
            path: appsettings.secret.json

Kok How Teh
0

Is it possible for you to share the full yaml to see if it has other issues and because of that it crashes for you?

I've tried this in my environment and it just works fine, please see the attached image.

tested on my env - see the following figure:


Shudipta Sharma
  • Does it overwrite the content of /app folder? I guess this happens which causes my application to crash because /app is root of the application. – Kok How Teh Jul 19 '19 at 07:17
-1

Yes, your assumption is right. Mounting into the root folder will This is why we usually mount secrets under a different folder, like /senstivie. I never tried @KOk , but it looks interesting - I'll be interested to learn if it worked!

Anyway, if you want to see a real working example - this is the volume mount definition and this is the Dockerfile for an OSS project I built (Kamus, a solution for secrets encryption). It's similar to your use case - dotnet core, with appsettings.secrets.json. Please let me know if it didn't help.

Omer Levi Hevroni
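An added example, not from any of the posts above: a small check over a pod spec (as returned by `kubectl get pod -o json`) that flags volume mounts hiding a directory the image relies on, which is the failure discussed in this thread. The sample pod, its container name, image and `workingDir` are constructed, and `shadowing_mounts` and `protected_dirs` are hypothetical names.

```python
import posixpath

# Constructed pod spec fragment, shaped like `kubectl get pod -o json` output.
# Container name, image and workingDir are assumptions for illustration.
SAMPLE_POD = {
    "spec": {
        "containers": [{
            "name": "web",
            "image": "example/app:1.0",
            "workingDir": "/app",
            "volumeMounts": [
                {"name": "app-secret", "mountPath": "/app", "readOnly": True},
            ],
        }],
        "volumes": [
            {"name": "app-secret", "secret": {"secretName": "app-secret"}},
        ],
    }
}


def shadowing_mounts(pod, protected_dirs=()):
    """Return (container, volume, mountPath, hidden_dir) for each mount whose
    mountPath is, or is a parent of, a directory the container needs.

    A volume mounted at a path replaces whatever the image had there. With
    subPath the mountPath names a single file, so it no longer matches the
    directory itself and the rest of the directory stays visible.
    """
    findings = []
    for container in pod["spec"].get("containers", []):
        needed = list(protected_dirs)
        if container.get("workingDir"):
            needed.append(container["workingDir"])
        for mount in container.get("volumeMounts", []):
            mount_path = posixpath.normpath(mount["mountPath"])
            prefix = mount_path.rstrip("/") + "/"
            for directory in needed:
                directory = posixpath.normpath(directory)
                if directory == mount_path or directory.startswith(prefix):
                    findings.append(
                        (container["name"], mount["name"], mount_path, directory)
                    )
    return findings


if __name__ == "__main__":
    for finding in shadowing_mounts(SAMPLE_POD):
        print("mount hides image content:", finding)
```

Kubernetes does not propagate Secret updates into `subPath` mounts, so mounting the whole volume at a dedicated directory is the alternative when the secret is expected to rotate.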