There is an init container which copies keystore.jks from a Nexus repo into a volume during the build of the Dockerfile via curl. Then, once the init container is alive, the Python code takes that keystore.jks and makes the necessary updates, then the init container dies. What we are trying to do is to store this keystore.jks as a secret in OpenShift, BUT how do we copy the secret into the volume once the init container is alive, so that the Python code can use it as it did before? Thanks in advance for any comments/help!
- Just [mount the secret in the init container](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod), and then copy things into your target volume: or better yet, don't bother copying, and just mount the secret in the final container and point your Python code at the appropriate location. – larsks Apr 07 '21 at 17:18
1 Answer
As @larsks suggests, you can mount the secret to a volume and use it in the main container.
Here is a YAML configuration that might help you understand.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  namespace: acme
data:
  id_rsa: {{ secret_value_base64_encoded }}   # values under data must be base64-encoded
```
Now adding the secret to the mount path:
```yaml
apiVersion: apps/v1        # header added so the fragment below is a complete Deployment
kind: Deployment
metadata:
  name: my-app
  namespace: acme
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - image: "my-image:latest"
        name: my-app
        # ...
        volumeMounts:
        - mountPath: "/var/my-app"
          name: ssh-key
          readOnly: true
      initContainers:
      - command:
        - sh
        - -c
        - chown -R 1000:1000 /var/my-app   # if any changes required
        image: busybox:1.29.2
        name: set-dir-owner
        securityContext:
          # privileged is far more than chown needs; note also that secret volumes are
          # mounted read-only, so chown fails on them. Prefer pod-level
          # securityContext.fsGroup, which sets the volume's group without an init container.
          privileged: true
        volumeMounts:
        - mountPath: /var/my-app
          name: ssh-key
      volumes:
      - name: ssh-key
        secret:
          secretName: ssh-key
```
As suggested, the better option is to directly mount the secret into the main container without an init container.
```yaml
apiVersion: apps/v1        # header added so the fragment below is a complete Deployment
kind: Deployment
metadata:
  name: my-app
  namespace: acme
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - image: "my-image:latest"
        name: my-app
        # ...
        volumeMounts:
        - mountPath: "/var/my-app"
          name: ssh-key
          readOnly: true          # the secret is exposed as files; the app reads them in place
      volumes:
      - name: ssh-key
        secret:
          secretName: ssh-key
```

Harsh Manvar
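An added example (not code from the question or the answer) covering the two pieces the thread leaves implicit: building the Secret manifest for a binary keystore.jks, and having the application copy the file out of the read-only secret mount into a writable, owner-only location before modifying it. The secret name `keystore`, the namespace `acme`, the directory paths and the keystore bytes are assumptions.

```python
import base64
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the real keystore.jks bytes (not a valid JKS file).
SAMPLE_KEYSTORE = b"\xfe\xed\xfe\xed\x00\x00\x00\x02constructed-keystore-bytes"

def build_secret_manifest(name, namespace, keystore_bytes, key="keystore.jks"):
    """Secret manifest carrying the keystore as a file under `data` (base64,
    because a JKS file is binary and `stringData` only takes UTF-8 text)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(keystore_bytes).decode("ascii")},
    }

def stage_keystore(mount_dir, work_dir, filename="keystore.jks"):
    """Copy the keystore from the read-only secret mount into a writable directory.
    Secret volumes are mounted read-only, so code that rewrites the keystore in place
    (as the question's Python code does) must work on a private copy. The copy is
    made owner-only (0600) so other users in the container cannot read the key."""
    os.makedirs(work_dir, mode=0o700, exist_ok=True)
    dst = os.path.join(work_dir, filename)
    shutil.copyfile(os.path.join(mount_dir, filename), dst)  # follows the ..data symlink
    os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR)
    return dst

def demo():
    """Round trip: manifest -> decoded file in a fake mount -> staged writable copy."""
    manifest = build_secret_manifest("keystore", "acme", SAMPLE_KEYSTORE)
    decoded = base64.b64decode(manifest["data"]["keystore.jks"])
    root = tempfile.mkdtemp()
    mount = os.path.join(root, "mnt")  # stands in for the secret volume mountPath
    os.makedirs(mount)
    with open(os.path.join(mount, "keystore.jks"), "wb") as f:
        f.write(decoded)
    staged = stage_keystore(mount, os.path.join(root, "work"))
    with open(staged, "rb") as f:
        staged_bytes = f.read()
    mode = stat.S_IMODE(os.stat(staged).st_mode)
    return decoded == SAMPLE_KEYSTORE and staged_bytes == SAMPLE_KEYSTORE and mode == 0o600

if __name__ == "__main__":
    print("ok" if demo() else "mismatch")
```

In the Deployment, mount the secret read-only at the path the app expects and give it an `emptyDir` for the working copy; the app then calls `stage_keystore` on startup instead of relying on an init container.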
- The secret is already added, we don't need to add the secret in the YAML, but my question is: there are two containers in this YAML and both have a volume added, I guess? The main container is already set up to use the volume, so do we need to worry about it? Does it need to be in the same YAML? Just the initContainer needs to get the secret into /tmp/src/dep/config/; then, when it dies, the other containers will use that secret from that volume. Also, what should be the apiVersion, metadata and kind of the YAML above? I am just confused. – hkacmaz Apr 15 '21 at 09:59
- The API version will be `deployment`; the init container will add the secret to the volume mount path and get removed. – Harsh Manvar Dec 07 '21 at 04:26