Add support for subPath in secrets volumes (#149)

autero1 · web-flow · commit cd1f8a347932 · 2022-11-04T07:17:06.000+02:00
* Add support for subPath in secrets volumes

* [skip ci] Fix code comments
diff --git a/charts/k8s-service/templates/_deployment_spec.tpl b/charts/k8s-service/templates/_deployment_spec.tpl
@@ -317,6 +317,9 @@ spec:
             {{- if eq $value.as "volume" }}
             - name: {{ $name }}-volume
               mountPath: {{ quote $value.mountPath }}
+              {{- if $value.subPath }}
+              subPath: {{ quote $value.subPath }}
+              {{- end }}
             {{- end }}
           {{- end }}
           {{- range $name, $value := .Values.persistentVolumes }}
diff --git a/charts/k8s-service/values.yaml b/charts/k8s-service/values.yaml
@@ -559,6 +559,10 @@ emptyDirs: {}
 #     : For Secrets mounted as a volume, specify the mount path on the container file system where the secrets will be
 #       available. Required when the Secret is exposed as a volume. Ignored when the Secret is exposed as environment
 #       variables.
+#   - subPath (string)
+#     : For Secrets mounted as a volume, specify the sub path on the volume system where the secret values will be
+#       available.  Optional when the Secret is exposed as a volume. Ignored when the Secret is exposed as
+#       environment variables.
 #   - items (map[SecretItem])
 #     : Specify how each Secret value should be made available. The keys are the key of the Secret that you wish to
 #       configure, while the value is another map that controls how that key should be exposed. Required when the Secret
diff --git a/test/k8s_service_config_injection_template_test.go b/test/k8s_service_config_injection_template_test.go
@@ -1,3 +1,4 @@
+//go:build all || tpl
 // +build all tpl
 
 // NOTE: We use build flags to differentiate between template tests and integration tests so that you can conveniently
@@ -194,6 +195,44 @@ func TestK8SServiceVolumeConfigMapAddsVolumeAndVolumeMountWithoutSubPathToPod(t
 	assert.Empty(t, volumeMount.SubPath)
 }
 
+// Test that setting the `secrets` input value with volume include the volume mount for the secret
+// We test by injecting to secrets:
+// secrets:
+//   dbsettings:
+//     as: volume
+//     mountPath: /etc/db
+func TestK8SServiceVolumeSecretAddsVolumeAndVolumeMountWithoutSubPathToPod(t *testing.T) {
+	t.Parallel()
+
+	deployment := renderK8SServiceDeploymentWithSetValues(
+		t,
+		map[string]string{
+			"secrets.dbsettings.as":        "volume",
+			"secrets.dbsettings.mountPath": "/etc/db",
+		},
+	)
+
+	// Verify that there is only one container and only one volume
+	renderedPodContainers := deployment.Spec.Template.Spec.Containers
+	require.Equal(t, len(renderedPodContainers), 1)
+	appContainer := renderedPodContainers[0]
+	renderedPodVolumes := deployment.Spec.Template.Spec.Volumes
+	require.Equal(t, len(renderedPodVolumes), 1)
+	podVolume := renderedPodVolumes[0]
+
+	// Check that the pod volume is a secret volume
+	assert.Equal(t, podVolume.Name, "dbsettings-volume")
+	require.NotNil(t, podVolume.Secret)
+	assert.Equal(t, podVolume.Secret.SecretName, "dbsettings")
+
+	// Check that the pod volume will be mounted
+	require.Equal(t, len(appContainer.VolumeMounts), 1)
+	volumeMount := appContainer.VolumeMounts[0]
+	assert.Equal(t, volumeMount.Name, "dbsettings-volume")
+	assert.Equal(t, volumeMount.MountPath, "/etc/db")
+	assert.Empty(t, volumeMount.SubPath)
+}
+
 // Test that setting the `configMaps` input value with volume include the volume mount and subpath for the config map
 // We test by injecting to configMaps:
 // configMaps:
@@ -234,6 +273,46 @@ func TestK8SServiceVolumeConfigMapAddsVolumeAndVolumeMountWithSubPathToPod(t *te
 	assert.Equal(t, volumeMount.SubPath, "host.txt")
 }
 
+// Test that setting the `secrets` input value with volume include the volume mount and subpath for the secret
+// We test by injecting to secrets:
+// secrets:
+//   dbsettings:
+//     as: volume
+//     mountPath: /etc/db/host.txt
+//     subPath: host.xt
+func TestK8SServiceVolumeSecretAddsVolumeAndVolumeMountWithSubPathToPod(t *testing.T) {
+	t.Parallel()
+
+	deployment := renderK8SServiceDeploymentWithSetValues(
+		t,
+		map[string]string{
+			"secrets.dbsettings.as":        "volume",
+			"secrets.dbsettings.mountPath": "/etc/db/host.txt",
+			"secrets.dbsettings.subPath":   "host.txt",
+		},
+	)
+
+	// Verify that there is only one container and only one volume
+	renderedPodContainers := deployment.Spec.Template.Spec.Containers
+	require.Equal(t, len(renderedPodContainers), 1)
+	appContainer := renderedPodContainers[0]
+	renderedPodVolumes := deployment.Spec.Template.Spec.Volumes
+	require.Equal(t, len(renderedPodVolumes), 1)
+	podVolume := renderedPodVolumes[0]
+
+	// Check that the pod volume is a secret volume
+	assert.Equal(t, podVolume.Name, "dbsettings-volume")
+	require.NotNil(t, podVolume.Secret)
+	assert.Equal(t, podVolume.Secret.SecretName, "dbsettings")
+
+	// Check that the pod volume will be mounted
+	require.Equal(t, len(appContainer.VolumeMounts), 1)
+	volumeMount := appContainer.VolumeMounts[0]
+	assert.Equal(t, volumeMount.Name, "dbsettings-volume")
+	assert.Equal(t, volumeMount.MountPath, "/etc/db/host.txt")
+	assert.Equal(t, volumeMount.SubPath, "host.txt")
+}
+
 // Test that setting the `configMaps` input value with volume and individual file mount paths will set the appropriate
 // settings
 // We test by injecting to configMaps:
