Shared secret files

[PhennyOpsta]

feat: This feature allows multiple secret files to be shared using a single secret name.

[gemini-code-assist]

Summary of Changes

Hello @PhennyOpsta, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a new feature that enhances secret management within Helm charts by allowing users to define and mount multiple files from a single Kubernetes secret. This provides greater flexibility and organization for applications requiring granular secret access, simplifying configuration and improving maintainability.

Highlights

• New Feature: Shared Secret Files: Introduced the ability to mount multiple files from a single Kubernetes secret into a container, enhancing secret management flexibility.
• Helm Chart Template Updates: Modified _volumeMountsRef.yaml and _volumesRef.yaml templates in the common chart to incorporate the new sharedSecretFiles configuration, enabling specific file mounts from a secret.
• Schema and Example Values: Updated values.schema.json with the schema definition for sharedSecretFiles and added a commented-out example in values.yaml to guide users on its usage.
• Automated Testing: Added a new test file (deployment_shared_secret_files_test.yaml) to validate the correct mounting and referencing of shared secret files, including subPath usage.
• Version Bumps: Incremented chart versions across common, cron-job, onechart, and static-site charts, along with corresponding Chart.lock and docs/index.yaml updates to reflect the new feature.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• charts/common/Chart.yaml
  • Chart version bumped from 0.7.0 to 0.8.0.
• charts/common/templates/_volumeMountsRef.yaml
  • Extended volume mounting logic to include sharedSecretFiles, enabling specific file mounts from a secret.
• charts/common/templates/_volumesRef.yaml
  • Updated volume definition logic to support sharedSecretFiles, allowing secrets to be referenced by name for shared file mounts.
• charts/cron-job/Chart.lock
  • Updated the digest and generated timestamp, reflecting the common chart dependency version bump.
• charts/cron-job/Chart.yaml
  • Application chart version updated from 0.77.0 to 0.78.0, and common dependency version updated to 0.8.0.
• charts/onechart/Chart.lock
  • Updated the digest and generated timestamp, reflecting the common chart dependency version bump.
• charts/onechart/Chart.yaml
  • Application chart version updated from 0.77.0 to 0.78.0, and common dependency version updated to 0.8.0.
• charts/onechart/tests/deployment_shared_secret_files_test.yaml
  • New test file added to verify the functionality of mounting and referencing shared secret files, including subPath usage.
• charts/onechart/values.schema.json
  • Added a new schema definition for sharedSecretFiles, detailing its structure for secret name, files, mountPath, and optional subPath.
• charts/onechart/values.yaml
  • Included a commented-out example configuration for sharedSecretFiles to guide users on its usage.
• charts/static-site/Chart.lock
  • Updated the digest and generated timestamp, reflecting the common chart dependency version bump.
• charts/static-site/Chart.yaml
  • Application chart version updated from 0.77.0 to 0.78.0, and common dependency version updated to 0.8.0.
• docs/index.yaml
  • Numerous entries updated with new created timestamps and version bumps for cron-job, onechart, and static-site charts, reflecting the release of new chart versions.

Activity

• The pull request was created by PhennyOpsta with the title "Shared secret files" and a description stating, "This feature allows multiple secret files to be shared using a single secret name."
• No further review comments or activity are available in the provided context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new feature sharedSecretFiles to mount multiple files from a single secret. While the implementation is largely correct, it's critical to address a YAML injection vulnerability where user-provided values are injected into Helm templates without proper quoting or sanitization. Furthermore, a bug in _volumesRef.yaml can create duplicate volume definitions, potentially leading to invalid Kubernetes manifests. There are also opportunities to improve code readability by simplifying Helm template or conditions and clarifying descriptions in values.schema.json.

[gemini-code-assist]

The value .name is used directly in the YAML template without quotes, which could lead to YAML injection vulnerabilities if an attacker controls the input. Quoting these values ensures they are treated as strings by the YAML parser. Additionally, this loop can create duplicate volume definitions if the .Values.sharedSecretFiles list contains multiple entries with the same secret name, resulting in an invalid Kubernetes manifest.

  - name: {{ .name | quote }}
    secret:
      secretName: {{ .name | quote }}

[gemini-code-assist]

The values $secretName, .mountPath, and .subPath are injected into the YAML template without quotes. This can lead to YAML injection if these values contain newlines or other control characters. It is a security best practice to quote string values in Helm templates to prevent such issues.

    - name: {{ $secretName | quote }}
      mountPath: {{ .mountPath | quote }}
      {{- if .subPath}}
      subPath: {{ .subPath | quote }}

[gemini-code-assist]

The nested or conditions can be simplified into a single or with multiple arguments. This improves readability and makes the code easier to maintain.

{{- if or .Values.volumes .Values.sealedFileSecrets .Values.fileSecrets .Values.existingFileSecrets .Values.sharedSecretFiles -}}

[gemini-code-assist]

The nested or conditions can be simplified into a single or with multiple arguments. This improves readability and makes the code easier to maintain.

{{- if or .Values.volumes .Values.sealedFileSecrets .Values.fileSecrets .Values.existingFileSecrets .Values.sharedSecretFiles}}

[gemini-code-assist]

It would be beneficial to add a test case that verifies the behavior when sharedSecretFiles contains multiple entries for the same secret name. This ensures that duplicate volumes are not created, which would otherwise result in an invalid manifest. This test will help validate the fix for the issue in _volumesRef.yaml.

                secretName: my-existing-secret
  - it: Should handle duplicate secret names correctly
    set:
      sharedSecretFiles:
        - name: my-existing-secret
          files:
            - mountPath: /config/a
              subPath: a.txt
        - name: my-existing-secret
          files:
            - mountPath: /config/b
              subPath: b.txt
    asserts:
      - template: deployment.yaml
        documentIndex: 0
        equal:
          path: spec.template.spec.volumes
          value:
            - name: my-existing-secret
              secret:
                secretName: my-existing-secret
      - template: deployment.yaml
        documentIndex: 0
        isSubset:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            - mountPath: /config/a
              name: my-existing-secret
              subPath: a.txt
              readOnly: true
            - mountPath: /config/b
              name: my-existing-secret
              subPath: b.txt
              readOnly: true

[gemini-code-assist]

The description for subPath could be more precise. When subPath is omitted, all keys in the secret are mounted as files, not the entire secret as a single file. Clarifying this will help users understand the behavior better.

Suggested change

	"description": "Optional file inside the secret to mount (mounts entire secret if omitted)"
	"description": "The key of the secret to mount. If not specified, all keys from the secret will be mounted as files in the directory specified by `mountPath`."