46

I have multiple secrets created from different files. I'd like to store all of them in a common directory, /var/secrets/. Unfortunately, I'm unable to do that because Kubernetes throws an 'Invalid value: "/var/secret": must be unique' error during the pod validation step. Below is an example of my pod definition.

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: alpine-secret
  name: alpine-secret
spec:
  containers:
  - command:
    - sleep
    - "3600"
    image: alpine
    name: alpine-secret
    volumeMounts:
    - name: xfile
      mountPath: "/var/secrets/"
      readOnly: true
    - name: yfile
      mountPath: "/var/secrets/"
      readOnly: true
  volumes:
  - name: xfile
    secret:
      secretName: my-secret-one
  - name: yfile
    secret:
      secretName: my-secret-two

How can I store files from multiple secrets in the same directory?

Jonas
Lukasz Dynowski

4 Answers

68

Projected Volume

You can use a projected volume to have two secrets in the same directory.

Example

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: alpine-secret
  name: alpine-secret
spec:
  containers:
  - command:
    - sleep
    - "3600"
    image: alpine
    name: alpine-secret
    volumeMounts:
    - name: xyfiles
      mountPath: "/var/secrets/"
      readOnly: true
  volumes:
  - name: xyfiles
    projected:
      sources:
      - secret:
          name: my-secret-one
      - secret:
          name: my-secret-two
Lukasz Dynowski
Jonas
  • With Openshift I could see all files under the path in the pod's terminal. However, the UI shows the volume is empty. – CCNA Apr 27 '22 at 03:05
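
A pre-deployment check for the two situations in this thread, added here as an example (not code from any of the posters or from Kubernetes): it flags a `mountPath` reused within one container, as in the question's manifest, and file names that more than one secret in a projected volume would write. The manifests are constructed from the page as Python dicts; the key names in `SECRET_KEYS`, the helper names, and treating paths as equal after stripping a trailing slash are assumptions.

```python
from collections import defaultdict

def pod(mounts, volumes):  # minimal pod shape shared by both manifests
    return {"spec": {"containers": [{"name": "alpine-secret", "volumeMounts": mounts}],
                     "volumes": volumes}}
# Constructed from the question: two secret volumes mounted at the same path.
QUESTION_POD = pod(
    [{"name": "xfile", "mountPath": "/var/secrets/"},
     {"name": "yfile", "mountPath": "/var/secrets/"}],
    [{"name": "xfile", "secret": {"secretName": "my-secret-one"}},
     {"name": "yfile", "secret": {"secretName": "my-secret-two"}}])
# Constructed from the answer: one projected volume carrying both secrets.
ANSWER_POD = pod(
    [{"name": "xyfiles", "mountPath": "/var/secrets/"}],
    [{"name": "xyfiles", "projected": {"sources": [
        {"secret": {"name": "my-secret-one"}}, {"secret": {"name": "my-secret-two"}}]}}])
# Hypothetical key names inside each Secret (the page does not list them).
SECRET_KEYS = {"my-secret-one": ["x.txt", "token"], "my-secret-two": ["y.txt", "token"]}

def duplicate_mount_paths(manifest):
    # (container, path) pairs where a mountPath repeats within one container.
    dupes = []
    for c in manifest["spec"]["containers"]:
        seen = set()
        for m in c.get("volumeMounts", []):
            path = m["mountPath"].rstrip("/") or "/"  # assumption: ignore trailing "/"
            if path in seen:
                dupes.append((c["name"], path))
            seen.add(path)
    return dupes

def projected_collisions(manifest, secret_keys):
    # volume name -> {file path: [secrets writing it]} for paths claimed twice.
    result = {}
    for v in manifest["spec"].get("volumes", []):
        writers = defaultdict(list)
        for src in v.get("projected", {}).get("sources", []):
            sec = src.get("secret")
            if sec is None:
                continue  # configMap, downwardAPI, serviceAccountToken not checked
            # With `items`, only the listed keys are projected, at their `path`.
            paths = ([i["path"] for i in sec["items"]] if sec.get("items")
                     else secret_keys.get(sec["name"], []))
            for p in paths:
                writers[p].append(sec["name"])
        clashes = {p: names for p, names in writers.items() if len(names) > 1}
        if clashes:
            result[v["name"]] = clashes
    return result
```

A reported clash can be resolved by giving one source an `items` entry that maps the key to a different `path`.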
6

(EDIT: Never mind - I just noticed @Jonas gave the same answer earlier. +1 from me)

Starting with Kubernetes v1.11+ it is possible with projected volumes:

A projected volume maps several existing volume sources into the same directory.

Currently, the following types of volume sources can be projected:

  • secret
  • downwardAPI
  • configMap
  • serviceAccountToken

This is an example for "... how to use a projected Volume to mount several existing volume sources into the same directory".

apisim
3

Maybe subPath (using subPath) will help.

Example:

        volumeMounts:
        - name: app-redis-vol
          mountPath: /app/config/redis.yaml
          subPath: redis.yaml
        - name: app-config-vol
          mountPath: /app/config/app.yaml
          subPath: app.yaml
      volumes:
        - name: app-redis-vol
          configMap:
            name: config-map-redis
            items:
              - key: yourKey
                path: redis.yaml
        - name: app-config-vol
          configMap:
            name: config-map-app
            items:
              - key: yourKey
                path: app.yaml

Here, your configMap named config-map-redis, created from the file redis.yaml, is mounted in app/config/ as the file redis.yaml. Likewise, the configMap config-map-app is mounted in app/config/ as app.yaml.

There is a nice article about this here: Injecting multiple Kubernetes volumes to the same directory

Vitaliy Markitanov
2

Edited: @Jonas's answer is correct!

However, if you use volumes as I did in the question, then the short answer is that you cannot do that. You have to specify mountPath to an unused directory - volumes have to be unique and cannot be mounted to a common directory.

Solution: What I did in the end was, instead of keeping files in separate secrets, I created one secret with multiple files.

Lukasz Dynowski
  • You can do subPath projections in a shared folder, but it would quickly get more complicated than it is worth. – coderanger Nov 27 '19 at 23:12
  • Where does it say that it cannot be mounted to common directory? Is it related to my question [here](https://stackoverflow.com/questions/74779468/how-to-project-kubernetes-secret-at-the-etc-level)? – CaTx Dec 13 '22 at 03:26