Allow users to specify which keys to load from a secret to customCAs
Summary
The current implementation of customCAs takes only secret names and mounts every key in each of those secrets. Since all keys land in the same directory, users have to make sure manually that key names are unique across all the secrets given to customCAs in order to avoid collisions. This is not ideal.
Proposal
Let users provide a list of keys to be loaded from a secret passed to customCAs. Something like:
```yaml
customCAs:
  - secret: my-first-secret
    keys:
      - foo.txt
  - secret: my-second-secret
    keys:
      - bar.crt
  - secret: my-third-secret
    keys:
      - bar.crt
  - secret: my-fourth-secret
```
For any secret where the user has provided a list of keys, mount only those keys, and mount them at a non-conflicting path by prefixing each key name with the secret name. So, something like:
--- a/templates/_certificates.tpl
+++ b/templates/_certificates.tpl
@@ -29,6 +29,13 @@
{{- range $index, $customCA := .Values.global.certificates.customCAs }}
- secret:
name: {{ $customCA.secret }}
+ {{- if $customCA.keys }}
+ items:
+ {{- range $itemIndex, $customCAKey := $customCA.keys }}
+ - key: $customCAKey
+ path: $customCA.secret-$customCAKey
+ {{- end }}
+ {{- end }}
# items not specified, will mount all keys
{{- end }}
{{- if not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }}
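Review bot: in the added `items` block the `key` and `path` values are bare `$customCAKey` and `$customCA.secret-$customCAKey`, so the rendered manifest will contain those variable names literally rather than the key and secret names; they need template actions: `- key: {{ $customCAKey }}` and `path: {{ $customCA.secret }}-{{ $customCAKey }}`. Because `-` is legal in both secret names and key names, the `<secret>-<key>` path is still ambiguous in principle (secret `a-b` with key `c.crt` and secret `a` with key `b-c.crt` both become `a-b-c.crt`); `path: {{ $customCA.secret }}/{{ $customCAKey }}` would avoid that, if consumers of the mount can live with a subdirectory per secret. `$itemIndex` is unused and can be dropped from the inner `range`.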
So, in the above example:

- the `foo.txt` key of `my-first-secret` will be mounted as `my-first-secret-foo.txt`
- the `bar.crt` key of `my-second-secret` will be mounted as `my-second-secret-bar.crt`
- the `bar.crt` key of `my-third-secret` will be mounted as `my-third-secret-bar.crt`, thus not conflicting with the `bar.crt` above
- all keys of `my-fourth-secret` will be mounted using their own names
The catch is the last case. If users don't specify a list of keys, they are still responsible for ensuring that every key in that secret is unique among all mounted keys. (This is because the template has no way to iterate through all keys of a secret and mount each one at a path based on its name.)
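To make the proposed behaviour concrete, here is an added Go example (not code from the chart or from this proposal) that renders the corrected template fragment with Go's text/template and then plans the resulting mount paths so collisions can be checked, including the keyless case described above. The values are the four entries from the proposal; the key names inside each secret are made up here, because the chart cannot see a secret's contents at template time. `RenderSources`, `PlanMounts` and `Collisions` are names introduced for this example, and Helm's `$customCA.secret` becomes `$customCA.Secret` because the data is a Go struct rather than a values map.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// CustomCA mirrors one entry of .Values.global.certificates.customCAs.
type CustomCA struct {
	Secret string
	Keys   []string
}

// sourcesTmpl is a text/template rendition of the proposed hunk, with key and
// path wrapped in {{ }} so values rather than variable names are emitted.
var sourcesTmpl = template.Must(template.New("sources").Parse(`
{{- range $customCA := .customCAs }}
- secret:
    name: {{ $customCA.Secret }}
{{- if $customCA.Keys }}
    items:
{{- range $key := $customCA.Keys }}
    - key: {{ $key }}
      path: {{ $customCA.Secret }}-{{ $key }}
{{- end }}
{{- end }}
{{- end }}
`))

// RenderSources renders the projected-volume "sources" entries for customCAs.
func RenderSources(customCAs []CustomCA) (string, error) {
	var buf bytes.Buffer
	err := sourcesTmpl.Execute(&buf, map[string]interface{}{"customCAs": customCAs})
	return strings.TrimLeft(buf.String(), "\n"), err
}

// PlanMounts maps each mount path to the "secret/key" pairs producing it. Explicit
// keys land at "<secret>-<key>"; a keyless entry mounts all of its keys by name.
func PlanMounts(customCAs []CustomCA, secretKeys map[string][]string) (map[string][]string, error) {
	plan := map[string][]string{}
	for _, ca := range customCAs {
		keys, ok := secretKeys[ca.Secret]
		if !ok {
			return nil, fmt.Errorf("secret %q not found", ca.Secret)
		}
		if len(ca.Keys) == 0 { // the "catch": no prefix, so collisions remain possible
			for _, k := range keys {
				plan[k] = append(plan[k], ca.Secret+"/"+k)
			}
			continue
		}
		have := map[string]bool{}
		for _, k := range keys {
			have[k] = true
		}
		for _, k := range ca.Keys {
			if !have[k] {
				return nil, fmt.Errorf("secret %q has no key %q", ca.Secret, k)
			}
			path := ca.Secret + "-" + k
			plan[path] = append(plan[path], ca.Secret+"/"+k)
		}
	}
	return plan, nil
}

// Collisions returns the part of a plan where one path has several sources.
func Collisions(plan map[string][]string) map[string][]string {
	out := map[string][]string{}
	for path, srcs := range plan {
		if len(srcs) > 1 {
			out[path] = srcs
		}
	}
	return out
}

func main() {
	// Constructed sample: the proposal's four entries plus made-up key names.
	customCAs := []CustomCA{
		{Secret: "my-first-secret", Keys: []string{"foo.txt"}},
		{Secret: "my-second-secret", Keys: []string{"bar.crt"}},
		{Secret: "my-third-secret", Keys: []string{"bar.crt"}},
		{Secret: "my-fourth-secret"},
	}
	secretKeys := map[string][]string{
		"my-first-secret": {"foo.txt", "foo.crt"}, "my-second-secret": {"bar.crt"},
		"my-third-secret": {"bar.crt"}, "my-fourth-secret": {"ca.crt", "bar.crt"},
	}
	out, _ := RenderSources(customCAs)
	plan, err := PlanMounts(customCAs, secretKeys)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	fmt.Println("mounts:", plan, "collisions:", Collisions(plan))
}
```

The keyless entry is the interesting case: its keys go into the plan unprefixed, so adding a second keyless secret that also contains `bar.crt` makes that path show up in `Collisions`, whereas the keyed entries each get their own `<secret>-<key>` path. `PlanMounts` also rejects a listed key that the secret does not contain, which is worth checking before the projected volume is created.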
This proposal at least makes collisions easier to prevent. Originated from a discussion at !969 (comment 223658179).