2
votes

I have 3 different Kubernetes Secrets and I want to mount each one into its own Pod managed by a StatefulSet with 3 replicas.

Is it possible to configure the StatefulSet such that each Secret is mounted into its own Pod?


2 Answers

2
votes

Not really. A StatefulSet (and any workload controller, for that matter) allows only a single pod definition template (it could have multiple containers). The issue with this is that a StatefulSet is designed to have N replicas, so can you have N secrets? It would have to be a SecretStatefulSet: a different controller.

Some solutions:

  • You could define a single Kubernetes secret that contains all your required secrets for all of your pods. The downside is that you will have to share the secret between the pods. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:            # values under data must be base64-encoded (one key per pod)
      pod1: xxx
      pod2: xxx
      pod3: xxx
      ...
      podN: xxx
    
  • Use something like HashiCorp's Vault and store your secret remotely with keys such as pod1, pod2, pod3, ... podN. You can also use an HSM. This seems to be the more solid solution IMO, but it might take longer to implement.

In all cases, you will have to make sure that the number of secrets matches your number of pods in your StatefulSet.
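The shared-secret option above leaves every pod with the whole Secret mounted, so each pod has to pick out its own key and nothing else. The script below is an added example (not code from the answer) showing one way to do that: derive the StatefulSet ordinal from the pod name, map it onto the answer's pod1..podN key names (the mapping of ordinal 0 to pod1 is an assumption), read only that one file from the mount, and check up front that the Secret has a key for every replica. The mount path and the sample values are constructed.

```python
"""Select a per-pod key from one shared Secret, using the StatefulSet ordinal.

Added example, not from the answer. Assumes the shared Secret is mounted at
SHARED_MOUNT and that its keys follow the answer's naming pod1..podN, with
pod1 belonging to ordinal 0 (that mapping is an assumption).
"""
import os
import re
import tempfile

SHARED_MOUNT = "/var/run/secrets/shared"  # assumed mountPath of the shared Secret

# StatefulSet pods are named <statefulset>-<ordinal>; the set name may itself
# contain hyphens and digits, so only the suffix after the last '-' counts.
_ORDINAL_RE = re.compile(r"^(?P<set>.+)-(?P<ordinal>\d+)$")


def pod_ordinal(pod_name: str) -> int:
    """Return the ordinal encoded in a pod name such as 'web-2'."""
    m = _ORDINAL_RE.match(pod_name)
    if not m:
        raise ValueError(f"{pod_name!r} is not a StatefulSet pod name")
    return int(m.group("ordinal"))


def key_for_pod(pod_name: str) -> str:
    """Map ordinal 0 -> 'pod1', 1 -> 'pod2', ... (assumed convention)."""
    return f"pod{pod_ordinal(pod_name) + 1}"


def uncovered_replicas(secret_keys, replicas: int):
    """Ordinals whose key is missing from the shared Secret (should be empty)."""
    keys = set(secret_keys)
    return [i for i in range(replicas) if f"pod{i + 1}" not in keys]


def load_pod_secret(pod_name: str, mount_dir: str = SHARED_MOUNT) -> bytes:
    """Read only this pod's key from the mounted Secret directory.

    Kubernetes projects each key of a mounted Secret as a file named after the
    key. Reading just our own file keeps the other pods' values out of this
    process, even though the whole Secret is visible in the container filesystem.
    """
    path = os.path.join(mount_dir, key_for_pod(pod_name))
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Simulate three replicas of 'web' against a constructed mount directory."""
    with tempfile.TemporaryDirectory() as mount:
        # Constructed sample: what a mounted 3-key Secret looks like on disk.
        for i, value in enumerate([b"token-for-web-0", b"token-for-web-1", b"token-for-web-2"]):
            with open(os.path.join(mount, f"pod{i + 1}"), "wb") as f:
                f.write(value)
        return {f"web-{i}": load_pod_secret(f"web-{i}", mount) for i in range(3)}


if __name__ == "__main__":
    # In a real pod the name comes from the HOSTNAME env var or the downward API.
    for pod, value in demo().items():
        print(pod, "->", value.decode())
```

Run `uncovered_replicas` against the Secret's key list before rolling out a new replica count; if it returns anything, the pods with those ordinals would start without a credential.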

-1
votes

This is exactly what you're looking for, I guess: https://github.com/spoditor/spoditor

Essentially, it uses a custom annotation on the PodSpec template, like:

      annotations:
        spoditor.io/mount-volume: |
          {
            "volumes": [
              {
                "name": "my-volume",
                "secret": {
                  "secretName": "my-secret"
                }
              }
            ],
            "containers": [
              {
                "name": "nginx",
                "volumeMounts": [
                  {
                    "name": "my-volume",
                    "mountPath": "/etc/secrets/my-volume"
                  }
                ]
              }
            ]
          }

Now, the nginx container in each Pod of the StatefulSet will try to mount its own dedicated secret, following the pattern my-secret-{pod ordinal}.

You will just need to make sure my-secret-0, my-secret-1, and so on exist in the same namespace as the StatefulSet.

There is more advanced usage of the annotation in the project's documentation.
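The one thing this approach leaves to you is creating my-secret-0 through my-secret-{N-1} before the pods come up. The script below is an added example, not part of the spoditor project: it emits one Secret manifest per ordinal (as a List that can be piped to `kubectl apply -f -`) and reports which of the expected names are absent from a list of existing Secret names. The prefix `my-secret`, the namespace and the credential values are constructed sample inputs.

```python
"""Pre-create my-secret-<ordinal> for every replica of a StatefulSet.

Added example, not from the spoditor project. Secret names, namespace and
values below are constructed samples.
"""
import base64
import json


def expected_secret_names(prefix: str, replicas: int):
    """my-secret-0 .. my-secret-{replicas-1}: the names the annotation resolves."""
    return [f"{prefix}-{i}" for i in range(replicas)]


def missing_secrets(prefix: str, replicas: int, existing_names):
    """Names a pod would fail to mount because no Secret with that name exists."""
    existing = set(existing_names)
    return [n for n in expected_secret_names(prefix, replicas) if n not in existing]


def secret_manifest(name: str, namespace: str, data: dict) -> dict:
    """Build a v1 Secret; values under `data` must be base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def per_pod_manifests(prefix: str, namespace: str, per_pod_values):
    """One Secret per ordinal, in ordinal order, wrapped in a v1 List."""
    items = [
        secret_manifest(f"{prefix}-{i}", namespace, values)
        for i, values in enumerate(per_pod_values)
    ]
    return {"apiVersion": "v1", "kind": "List", "items": items}


if __name__ == "__main__":
    # Constructed sample: three replicas, each with its own credential.
    values = [{"token": f"credential-for-ordinal-{i}"} for i in range(3)]
    print(json.dumps(per_pod_manifests("my-secret", "default", values), indent=2))
    # Constructed list of names as `kubectl get secrets` might report them.
    print("missing:", missing_secrets("my-secret", 3, ["my-secret-0", "my-secret-2"]))
```

Keeping the manifest generation and the coverage check together means a replica-count change to the StatefulSet is paired with the matching set of Secrets instead of being discovered as a mount failure on the new pod.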