MPCONFIG Secret Dir: support secrets in subdirectories / FISH-788

[poikilotherm]

Description

Let's provide support for K8s secret volume mounts in subdirectories of the MPCONFIG secret dir.

Expected Outcome

(See context first)

You should be able to mount the secrets to a folder named /secrets/dataverse.db, creating the secret files inside of it.
Then you should be able to retrieve the secret via @ConfigProperty("dataverse.db.username") etc.

Current Outcome

It will be very hard to reference these and avoid name clashing with MPCONFIG with the current implementation in https://github.com/payara/Payara/blob/master/nucleus/payara-modules/nucleus-microprofile/config-service/src/main/java/fish/payara/nucleus/microprofile/config/source/SecretsDirConfigSource.java

You have to maintain a flat file / secret structure, which is not fostering reusing Secrets and writing them in a human-friendly way. (To stay with the example above, you could create a secret with the key "dataverse.db.username", but this wouldn't be easily reusable in other places).

Context (Optional)

When using with Kubernetes, you might create secrets for using with your application. Let's assume a Secret for Postgres:

apiVersion: v1
kind: Secret
metadata:
  name: dataverse-postgresql
type: Opaque
stringData:
  username: dataverse
  password: changeme

If you want to use this secret with Payara, you should be mounting it to a directory (env vars are insecure), let's say /secrets:

volumeMounts:
  - name: db-secret
    mountPath: /secrets
volumes:
  - name: db-secret
    secret:
      secretName: dataverse-postgresql

You will find two files in the folder of your container:

$ ls -1 /secrets
username
password

Environment

• Payara Version: 5.2020.6
• Edition: Full
• JDK Version: 8
• Operating System: Linux
• Database: PostgreSQL
• Application: Dataverse

[poikilotherm]

I would be happy to provide a code contribution for this, if you agree.

It should be fairly easy to implement, depending on how much effort we agree while searching the secret file based on the property name.

[AlanRoth]

Hi @poikilotherm,

If you wish to contribute then we are more than happy to accept. We encourage the community to help make Payara better whenever we can! Once you submit a PR linked to this issue I will create an internal ticket and set the status of this issue as accepted.

Thank you,
Alan

[poikilotherm]

Hi @AlanRoth I just created a PR for this.
Please let me know if anything is missing, what you folks think and if the size of the PR is fine as is. Happy to reshape if necessary.

[AlanRoth]

Hi @poikilotherm,

Thank you for your submission. The PR looks good, I have created an internal issue FISH-788, we will need you to sign a CLA which I'll send details on how to do that on the actual PR - it isn't too much bother.

Thanks again,
Alan

[poikilotherm]

@AlanRoth would you like me to add a few words to https://github.com/payara/Payara-Community-Documentation/tree/master/docs/modules/ROOT/pages/documentation/microprofile/config#config-secrets-directory-configuration about usage with sub directories? The current doc isn't very user friendly - took me a while and reading through source code to understand how it works.

[AlanRoth]

@poikilotherm, If you're happy to contribute you are more than welcome! Thank you.

[poikilotherm]

@AlanRoth I created payara/Payara-Community-Documentation#114