secret-mounter

Mount a previously created secret into a new deployment just by using labels.

Motivation:

We want to enable users to mount one secret on a workload (deployment) automatically if the workload has a specific label or annotation set. Users should be able to mount either the entire secret as a volume or just a key:value pair. You can make the rest of the decisions as you want to.

How does it work?

Once the application is running, a user can have a secret mounted as a VolumeMount automatically when a deployment is created.

Just create a secret as you normally would, as shown in the sample secret below:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: test-secret
stringData:
  name: Shlok Chaudhari
  age: "23"
  designation: Software Engineer

Next, create a normal deployment with the mandatory label 'secret-name=actual-secret-name', as seen below:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-deployment
    secret-name: test-secret
  name: test-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-deployment
  template:
    metadata:
      labels:
        app: test-deployment
    spec:
      containers:
      - command:
        - ping
        - 8.8.8.8
        image: busybox:latest
        name: busybox

The resulting deployment will have all key:value pairs from the secret test-secret present under the path /etc/secret-mounter-data/ inside the pod container.

To mount only specific key:value pairs, use the optional label 'secret-keys=key1.key2.key3'. Refer to the following sample deployment YAML for usage:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-deployment
    secret-name: test-secret
    secret-keys: name.age
  name: test-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-deployment
  template:
    metadata:
      labels:
        app: test-deployment
    spec:
      containers:
      - command:
        - ping
        - 8.8.8.8
        image: busybox:latest
        name: busybox

The resulting deployment will have the mentioned key:value pairs from the secret test-secret present under the path /etc/secret-mounter-data/ inside the pod container.
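
The pod-spec change that these two labels imply, as an added sketch that is not secret-mounter's own code. The function name, the volume name, the read-only mount and the use of the secret volume's items list for selected keys are assumptions; only the label names, the '.' separator and the mount path come from this README.

```python
import copy

MOUNT_PATH = "/etc/secret-mounter-data/"  # mount path stated in the README
VOLUME_NAME = "secret-mounter-data"       # assumed volume name, not from the project


def mount_secret_from_labels(deployment, secret_keys):
    """Return a copy of the deployment with the labelled secret mounted.

    secret_keys: the key names that exist in the referenced secret.
    """
    labels = deployment.get("metadata", {}).get("labels", {})
    secret_name = labels.get("secret-name")
    if not secret_name:
        return deployment  # mandatory label absent: nothing to mount
    source = {"secretName": secret_name}
    selected = labels.get("secret-keys")
    if selected:
        keys = selected.split(".")  # '.' is the separator the README uses
        missing = [k for k in keys if k not in secret_keys]
        if missing:
            # Also catches keys that contain '.', e.g. 'tls.crt' -> 'tls', 'crt'
            raise ValueError(f"keys not in secret {secret_name}: {missing}")
        # 'items' limits a secret volume to the listed keys, one file per key
        source["items"] = [{"key": k, "path": k} for k in keys]
    patched = copy.deepcopy(deployment)
    pod_spec = patched["spec"]["template"]["spec"]
    pod_spec.setdefault("volumes", []).append({"name": VOLUME_NAME, "secret": source})
    for container in pod_spec["containers"]:
        container.setdefault("volumeMounts", []).append(
            {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True})
    return patched


# Constructed sample: the README's test-deployment reduced to the relevant fields
SAMPLE = {
    "metadata": {"labels": {"app": "test-deployment", "secret-name": "test-secret",
                            "secret-keys": "name.age"}},
    "spec": {"template": {"spec": {"containers": [{"name": "busybox"}]}}},
}
SECRET_KEYS = {"name", "age", "designation"}  # keys of the README's test-secret

if __name__ == "__main__":
    result = mount_secret_from_labels(SAMPLE, SECRET_KEYS)
    print(result["spec"]["template"]["spec"])
```

Under this splitting rule a secret key that itself contains '.', such as tls.crt, cannot be selected through the label, so the sketch rejects it instead of mounting the wrong files.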

How to install secret-mounter?

Prerequisites: A k8s cluster and a kubectl CLI configured to interact with the cluster

Step 1: Download or clone this repository

Step 2: Run the following command to install the application on your k8s cluster

> kubectl apply -f secret-mounter/manifests/

Step 3: Wait for the pods in the secret-mounter namespace to reach the 'Running' state

How to test secret-mounter?

Create a secret and a deployment with the labels mentioned above

> kubectl apply -f secret-mounter/test

Run the following command to check the secrets in the pod container for the above deployment

> kubectl exec -it test-deployment-<hash-value-of-running-pod> -n default -- ls /etc/secret-mounter-data/

The keys requested through the labels should be displayed as individual files, whose contents are the associated values.

Make sure the deployment is created in the same namespace as the secret.

Thank you :)

Contributors: shlokc9
