Generate secret projections for Knative serving
Pre-release
Pre-release
Changelog:
- Generate secret projections for Knative serving c9544f5
This commit projects secrets into the Knative CRD YAML, however
it appears that the CRD validator for the Service object will
now allow multiple volumes to be mounted into the same directory
which breaks compatiability with OpenFaaS on Kubernetes.
A separate directory is used for each secret with the key so
that "aws" will be mounted at /var/openfaas/secrets/aws/name.
$ cat stack.yml
provider:
name: openfaas
gateway: http://127.0.0.1:8080 # can be a remote server
network: "func_functions" # this is optional and defaults to func_functions
functions:
secret-print:
image: functions/alpine:latest
environment:
fprocess: "cat /var/openfaas/secrets/alex/name"
secrets:
- alex
- matias
Produces:
faas-cli generate --api serving.knative.dev/v1alpha1
---
apiVersion: serving.knative.dev/v1alpha1
kind: Service
metadata:
name: secret-print
namespace: openfaas-fn
spec:
runLatest:
configuration:
revisionTemplate:
spec:
container:
image: functions/alpine:latest
env:
- name: fprocess
value: cat /var/openfaas/secrets/alex/name
volumeMounts:
- name: alex
mountPath: /var/openfaas/secrets/alex
readOnly: true
- name: matias
mountPath: /var/openfaas/secrets/matias
readOnly: true
volumes:
- name: alex
secret:
secretName: alex
- name: matias
secret:
secretName: matias