Add support for file based secret

[hangyan]

related to #296

Notes:

1. External secret is not supported
2. may have conflict with Add support for Config, endpoint_mode and 3.3 support #994
3. import a new package cast(https://github.com/spf13/cast)

[hangyan]

/assign cdrage
/assign kadel

[cdrage]

@hangyan Please separate the commits between code change and vendor update so we can review!

[hangyan]

@cdrage Done. Thanks!

[cdrage]

Hey @hangyan I see some still work-in-progress code, is this ready for review?

[cdrage]

I think this needs to be removed 🤣

[hangyan]

@cdrage So sorry for this , totally forgot this debug info.

[cdrage]

Remove commented out code

[cdrage]

Remove commented out code?

[hangyan]

@cdrage This is ready for review. But i have started too long ago and forgot to remove some useless code before this review. Sorry about that! Will be more carefully about this in the future

[cdrage]

Since this code is no longer needed, please remove the commented out code 👍 @hangyan

[cdrage]

I will have to test this out, but other than a few comments, the code is great!

Just add more comments please to the code so future programmers can better understand what is happening, otherwise, looks amazing to me!

[cdrage]

Since this code is no longer needed, please remove the commented out code 👍 @hangyan

[cdrage]

add spacing after "file:"

[cdrage]

small grammar mistake, should be "is not currently supported"

[cdrage]

Are you able to comment on some of the code above as to what's happening?

[cdrage]

Maybe add something different such as "Unable to create secrets" or something more descriptive? Not too sure what type of error message to add.

[cdrage]

Add comment above here explaining that we are adding secrets to volumes

[cdrage]

Progress @hangyan ?

[hangyan]

@cdrage Sorry, been very busy these days on my work. Working on this now.

[hangyan]

@cdrage Updated

[hangyan]

conflict resolved

[jvitor83]

@cdrage is this good? will be merged?
I need that feature.

[jvitor83]

@hangyan
This shouldn't be MountPath: "/run/secrets/" + vol.Name, ???

Because without the MountPath targeting to the secret, it gives a error:

RunContainerError: failed to start container "f97d9e9354548939d15acae70758347538426fbb05c80f2a5cd316dc67e7bf58": 

Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: 

container init caused \"rootfs_linux.go:54: 
mounting \\\"/opt/rke/var/lib/kubelet/pods/516c135b-bce8-11e8-8714-005056ae708d/volumes/kubernetes.io~secret/default-token-khnzc\\\" 
to rootfs \\\"/var/lib/docker/overlay/60fb5d9a4007bf8e1889898df737b275cb77431351b9168ab4d629fbcdf065b5/merged\\\" 
at \\\"/var/lib/docker/overlay/60fb5d9a4007bf8e1889898df737b275cb77431351b9168ab4d629fbcdf065b5/merged/run/secrets/kubernetes.io/serviceaccount\\\" 
caused \\\"mkdir /var/lib/docker/overlay/60fb5d9a4007bf8e1889898df737b275cb77431351b9168ab4d629fbcdf065b5/merged/run/secrets/kubernetes.io: read-only file system\\\"\""

Just like in this issue: kubernetes/kubernetes#65835

And concating the secret name, it work!

[jvitor83]

With some research i discover that:

kubernetes

kubectl create secret generic my_secret --from-literal=my_secret_key_1=my_secret_value_1 --from-literal=my_secret_key_2=my_secret_value_2

it create a file /run/secrets/my_secret/my_secret_key_1 (with the content my_secret_value_1)

docker-compose/swarm

• with short syntax:

...
    secrets:
      - my_secret
secrets:
  my_secret:
    file: my_secret.txt

it create a file /run/secrets/my_secret

don't allow to be compatible with kubernetes

• with long syntax:

...
    secrets:
      - source: some_secret
        target: my_secret/my_secret_key
secrets:
  some_secret:
    file: my_secret.txt

it create a file /run/secrets/my_secret/my_secret_key

allow to be compatible with kubernetes

---

I believe that this PR:

• shouldn't allow to use short-syntax, or if allow, to at least concat the secret name as directory (as my previous comment suggest to avoid the error).
• only allow long-syntax if has at least inside one directory to be compatible with kubernetes, or at least concat the secret name as directory

Maybe concat the secret name as directory (by default) for the path can be the solution!?!

[hangyan]

@jvitor83 Sorry about the late response. I have re-checked the document of kubernetes and docker. I have different opinion on this problem. kompose is meant to translate compose to kubernetes as precision as possible. Because docker mount the secret to /run/secrets/<secret-name>, so this path should be the same in kubernetes, not /run/secrets/<secret-name>/<key>. I believe the right choice is to use subPath ( you can see a example in the issues link you provide)

[jvitor83]

I get it that "kompose is meant to translate compose to kubernetes as precision as possible", but it didn't work with the k8s generated!
The generated mapping gives error (mentioned before) and the pod didn't start!

By my understanding, the generated files should work in first place to then keep the translation as precise as possible.

I guess we should remove the short syntax once it is incompatible and don't allow to get the file at the same path.

[hangyan]

The issue link you provide has a solution in the end:subPath. I think it's a better solution, i haven't test it out, but I think it should work

[jvitor83]

@hangyan
I am not understanding what you mean.

The thing is that this PR is generating:

        volumeMounts:
        - name: secret-name
          mountPath: "/run/secrets"

which gives the error reported.
The issue (kubernetes/kubernetes#65835) was solved not because it put the subPath, but because the directory was added to the mountPath. (I think the issue author have been mistaken)
If the kompose generate the k8s without the mountPath with a directory (with secret using short-syntax), it will give error on start. I have tested it with openjdk, dotnet and others. All gives the same error.

What you are suggesting to do?
If is to: "modify the code to add the subPath", it will continue to give the error.

I think we have to at least put some warning saying that secrets with short-syntax is not recommended and can gives error.

[jvitor83]

@hangyan , i create a PR ( https://github.com/hangyan/kompose/pull/3/files ) to your secret-support branch (PR) which:

• Fix the issue reported at Add support for file based secret #1007 (comment)
• Added support to long-syntax with absolute path

[hangyan]

@jvitor83 Great. Thanks very much. I will review this again ASAP. But since there are not so many active maintainers for this project, this PR may take a long time to be merged in. I'm afraid of you will have to build the binary yourself based on this branch.

[jvitor83]

I'm afraid of you will have to build the binary yourself based on this branch.

Already did it!
Thanks for the feedback.

[cdrage]

@hangyan if you want @jvitor83 you can always do a branch of this PR, push your changes and open a new PR. I don't think @hangyan would mind if you continue on his awesome work 👍

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: cdrage

If they are not already assigned, you can assign the PR to them by writing /assign @cdrage in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.