2 changes: 1 addition & 1 deletion charts/common/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,4 @@ type: library
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.7.0
version: 0.8.0
15 changes: 13 additions & 2 deletions charts/common/templates/_volumeMountsRef.yaml
@@ -1,5 +1,5 @@
{{- define "common.volumeMountsRef.tpl" -}}
{{- if or (or (or (.Values.volumes) (.Values.sealedFileSecrets)) .Values.fileSecrets) .Values.existingFileSecrets -}}
{{- if or (or (or (or (.Values.volumes) (.Values.sealedFileSecrets)) .Values.fileSecrets) .Values.existingFileSecrets) .Values.sharedSecretFiles -}}

medium

The nested or conditions can be simplified into a single or with multiple arguments. This improves readability and makes the code easier to maintain.

{{- if or .Values.volumes .Values.sealedFileSecrets .Values.fileSecrets .Values.existingFileSecrets .Values.sharedSecretFiles -}}

volumeMounts:
{{- range .Values.volumes }}
{{- if not (hasPrefix "init-" .name) }}
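Review bot: the guard on line 2 now lists .Values.sharedSecretFiles, but its twin in _volumesRef.yaml has to be kept identical by hand; if the two ever drift, a volumeMount is emitted without its volume (or the reverse) and the pod fails API validation. Consider computing the condition once in a shared helper define (a `common.hasVolumes` template, name assumed) and calling it from both partials; the flattened single `or` already suggested above is the right shape for that helper.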
Expand All @@ -9,7 +9,7 @@ volumeMounts:
subPath: {{ .subPath }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- range .Values.sealedFileSecrets }}
- name: {{ .name }}
mountPath: {{ .path }}
Expand All @@ -34,6 +34,17 @@ volumeMounts:
{{- end }}
readOnly: true
{{- end }}
{{- range .Values.sharedSecretFiles }}
{{- $secretName := .name }}
{{- range .files }}
- name: {{ $secretName }}
mountPath: {{ .mountPath }}
{{- if .subPath}}
subPath: {{ .subPath }}
Comment on lines +40 to +43

security-medium medium

The values $secretName, .mountPath, and .subPath are injected into the YAML template without quotes. This can lead to YAML injection if these values contain newlines or other control characters. It is a security best practice to quote string values in Helm templates to prevent such issues.

    - name: {{ $secretName | quote }}
      mountPath: {{ .mountPath | quote }}
      {{- if .subPath}}
      subPath: {{ .subPath | quote }}

{{- end }}
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- end }}
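Review bot: `{{- if .subPath}}` on the new subPath line drops the space before `}}` that every neighbouring action keeps; the renderer accepts it, but it is inconsistent with the rest of the file. More substantively, nothing here checks that `.mountPath` is set: for charts that do not carry the onechart schema, an item without it renders a bare `mountPath:` and the API server rejects the pod with a message that never names the chart value. Wrapping it as `{{ required "sharedSecretFiles[].files[].mountPath is required" .mountPath }}` surfaces the mistake at template time instead. An entry with `files: []` also renders nothing here while _volumesRef.yaml still declares its volume, which is valid but leaves a dangling volume in the pod spec. `readOnly: true` on every mount is the right default for secret material.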

7 changes: 6 additions & 1 deletion charts/common/templates/_volumesRef.yaml
@@ -1,5 +1,5 @@
{{- define "common.volumesRef.tpl" }}
{{- if or (or (or (.Values.volumes) (.Values.sealedFileSecrets)) .Values.fileSecrets) .Values.existingFileSecrets }}
{{- if or (or (or (or (.Values.volumes) (.Values.sealedFileSecrets)) .Values.fileSecrets) .Values.existingFileSecrets) .Values.sharedSecretFiles}}

medium

The nested or conditions can be simplified into a single or with multiple arguments. This improves readability and makes the code easier to maintain.

{{- if or .Values.volumes .Values.sealedFileSecrets .Values.fileSecrets .Values.existingFileSecrets .Values.sharedSecretFiles}}

volumes:
{{- range .Values.volumes }}
- name: {{ .name }}
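Review bot: the rewritten guard ends in `.Values.sharedSecretFiles}}` with no space before the closing delimiter, unlike the line it replaces and unlike the same condition in _volumeMountsRef.yaml; it parses, but keep the two guards textually identical so a diff between the two partials only ever shows real differences.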
Expand Down Expand Up @@ -44,5 +44,10 @@ volumes:
secret:
secretName: {{ .name }}
{{- end }}
{{- range .Values.sharedSecretFiles }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
Comment on lines +48 to +50

security-medium medium

The value .name is used directly in the YAML template without quotes, which could lead to YAML injection vulnerabilities if an attacker controls the input. Quoting these values ensures they are treated as strings by the YAML parser. Additionally, this loop can create duplicate volume definitions if the .Values.sharedSecretFiles list contains multiple entries with the same secret name, resulting in an invalid Kubernetes manifest.

  - name: {{ .name | quote }}
    secret:
      secretName: {{ .name | quote }}

{{- end }}
{{- end }}
{{- end }}
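Review bot: beyond the duplicate-name problem already raised, the volume is declared without `optional`, so a pod whose named Secret does not exist stays in ContainerCreating until someone creates it. That is the right fail-closed behaviour for secrets, but it should be stated in the chart documentation so operators recognise the symptom. For the duplicates, since the schema already groups all of a Secret's files under a single `name`, rejecting repeats at render time is simpler and safer than de-duplicating: track seen names in a `dict` inside the range and call `fail` on the second occurrence, so a misconfigured values file errors out instead of being silently reinterpreted.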
6 changes: 3 additions & 3 deletions charts/cron-job/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: file://../common
version: 0.7.0
digest: sha256:a97ffdc0ab67ba57b6fb03ab3f98bbbc488f0630f2160b75e937c27d19a2fa08
generated: "2024-09-09T08:36:50.170556891Z"
version: 0.8.0
digest: sha256:ffc064a8d35b9d9d6e48490b41d0caef00096b0c8f9d1b773dfd9380efdff440
generated: "2026-02-06T16:56:07.364305478+07:00"
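Review bot: the new digest matches the one in charts/onechart/Chart.lock and charts/static-site/Chart.lock, so all three consumers resolve the same packaged common 0.8.0, which is what should be checked on a dependency bump. The `generated` stamps now carry a +07:00 offset where the replaced entries used UTC `Z`; cosmetic, but it means the lock files will churn whenever they are regenerated from a machine with a different local timezone.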
4 changes: 2 additions & 2 deletions charts/cron-job/Chart.yaml
Expand Up @@ -15,9 +15,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.77.0
version: 0.78.0

dependencies:
- name: common
version: 0.7.0
version: 0.8.0
repository: file://../common
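Review bot: the cron-job chart picks up common 0.8.0 and with it the new sharedSecretFiles code path, but this PR adds schema, values documentation and tests only for onechart. If cron-job (and static-site, bumped the same way below) render common.volumeMountsRef.tpl, they now accept `sharedSecretFiles` without the values.schema.json validation onechart gets, including the `mountPath` required check; either port the schema fragment and at least one test to those charts, or state in the changelog that the feature is supported for onechart only.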
Binary file removed charts/cron-job/charts/common-0.7.0.tgz
Binary file added charts/cron-job/charts/common-0.8.0.tgz
6 changes: 3 additions & 3 deletions charts/onechart/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: file://../common
version: 0.7.0
digest: sha256:a97ffdc0ab67ba57b6fb03ab3f98bbbc488f0630f2160b75e937c27d19a2fa08
generated: "2024-09-09T08:36:50.067911383Z"
version: 0.8.0
digest: sha256:ffc064a8d35b9d9d6e48490b41d0caef00096b0c8f9d1b773dfd9380efdff440
generated: "2026-02-06T14:23:44.297299351+07:00"
4 changes: 2 additions & 2 deletions charts/onechart/Chart.yaml
Expand Up @@ -15,9 +15,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.77.0
version: 0.78.0

dependencies:
- name: common
version: 0.7.0
version: 0.8.0
repository: file://../common
Binary file removed charts/onechart/charts/common-0.7.0.tgz
Binary file added charts/onechart/charts/common-0.8.0.tgz
54 changes: 54 additions & 0 deletions charts/onechart/tests/deployment_shared_secret_files_test.yaml
@@ -0,0 +1,54 @@
suite: test deployment
templates:
- deployment.yaml
- configmap.yaml
- pvc.yaml
tests:
- it: Should mount volume
set:
sharedSecretFiles:
- name: my-existing-secret
files:
- mountPath: /config
asserts:
- template: deployment.yaml
documentIndex: 0
equal:
path: spec.template.spec.containers[0].volumeMounts
value:
- mountPath: /config
name: my-existing-secret
readOnly: true
- it: Should mount volume with optional subPath
set:
sharedSecretFiles:
- name: my-existing-secret
files:
- mountPath: /config/config.yaml
subPath: config.yml
asserts:
- template: deployment.yaml
documentIndex: 0
equal:
path: spec.template.spec.containers[0].volumeMounts
value:
- name: my-existing-secret
mountPath: /config/config.yaml
subPath: config.yml
readOnly: true
- it: Should reference volume
set:
sharedSecretFiles:
- name: my-existing-secret
files:
- mountPath: /config/config.yaml
subPath: config.yml
asserts:
- template: deployment.yaml
documentIndex: 0
equal:
path: spec.template.spec.volumes
value:
- name: my-existing-secret
secret:
secretName: my-existing-secret
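Review bot: the suite lists configmap.yaml and pvc.yaml under `templates:` although every assertion targets deployment.yaml, so those two only add render time; drop them or add assertions that use them. The three cases cover exactly one file per secret, which never exercises the inner `range .files` the template was written for: add the shape from the values.yaml example, two files under a single `name`, asserting two volumeMounts and exactly one volume, and a case with `sharedSecretFiles` unset that asserts `spec.template.spec.volumes` and the container's `volumeMounts` are absent, which is the only way the edited guard conditions get tested.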

medium

It would be beneficial to add a test case that verifies the behavior when sharedSecretFiles contains multiple entries for the same secret name. This ensures that duplicate volumes are not created, which would otherwise result in an invalid manifest. This test will help validate the fix for the issue in _volumesRef.yaml.

                secretName: my-existing-secret
  - it: Should handle duplicate secret names correctly
    set:
      sharedSecretFiles:
        - name: my-existing-secret
          files:
            - mountPath: /config/a
              subPath: a.txt
        - name: my-existing-secret
          files:
            - mountPath: /config/b
              subPath: b.txt
    asserts:
      - template: deployment.yaml
        documentIndex: 0
        equal:
          path: spec.template.spec.volumes
          value:
            - name: my-existing-secret
              secret:
                secretName: my-existing-secret
      - template: deployment.yaml
        documentIndex: 0
        isSubset:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            - mountPath: /config/a
              name: my-existing-secret
              subPath: a.txt
              readOnly: true
            - mountPath: /config/b
              name: my-existing-secret
              subPath: b.txt
              readOnly: true

58 changes: 56 additions & 2 deletions charts/onechart/values.schema.json
Expand Up @@ -11,7 +11,7 @@
"repository": "nginx",
"tag": "latest"
},
"imagePullSecrets" : [],
"imagePullSecrets": [],
"replicas": 1,
"nameOverride": "",
"fullnameOverride": "",
Expand Down Expand Up @@ -130,7 +130,7 @@
]
}
},
"imagePullSecrets" : {
"imagePullSecrets": {
"$id": "#/properties/imagePullSecrets",
"type": "array",
"title": "ImagePull Secrets",
Expand Down Expand Up @@ -901,6 +901,60 @@
]
}
},
"sharedSecretFiles": {
"$id": "#/properties/sharedSecretFiles",
"type": "array",
"title": "Shared Secret Files",
"description": "Allows mounting multiple files from existing secrets into a container",
"default": [],
"additionalItems": true,
"items": {
"$id": "#/properties/sharedSecretFiles/items",
"type": "object",
"anyOf": [
{
"id": "#/properties/sharedSecretFiles/oneOf/0",
"title": "sharedSecretFiles",
"type": "object",
"properties": {
"name": {
"type": "string",
"title": "Secret Name",
"description": "The name of the existing secret to mount"
},
"files": {
"type": "array",
"title": "Files",
"description": "List of files to mount from this secret",
"default": [],
"items": {
"type": "object",
"required": [
"mountPath"
],
"properties": {
"mountPath": {
"type": "string",
"title": "Mount Path",
"description": "The mount path inside the container"
},
"subPath": {
"type": "string",
"title": "SubPath",
"description": "Optional file inside the secret to mount (mounts entire secret if omitted)"

medium

The description for subPath could be more precise. When subPath is omitted, all keys in the secret are mounted as files, not the entire secret as a single file. Clarifying this will help users understand the behavior better.

Suggested change
"description": "Optional file inside the secret to mount (mounts entire secret if omitted)"
"description": "The key of the secret to mount. If not specified, all keys from the secret will be mounted as files in the directory specified by `mountPath`."

}
}
}
}
},
"required": [
"name",
"files"
]
}
]
}
},
"volumes": {
"$id": "#/properties/volumes",
"type": "array",
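Review bot: the inner schema object identified as `#/properties/sharedSecretFiles/oneOf/0` uses the `id` keyword and says `oneOf` while the enclosing keyword is `anyOf` and the rest of the file uses `$id`; fix both so tooling that resolves `$id` does not see a dangling identifier. `"additionalItems": true` has no effect when `items` is a single schema and can be dropped. Since `name` becomes both a volume name and a Secret reference, constrain it with `minLength: 1` and the DNS-1123 label pattern `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`, and give `mountPath` `"pattern": "^/"`; malformed values then fail `helm lint` rather than the API server, and the tightened `name` pattern also closes most of the quoting concern raised on the templates.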
Expand Down
10 changes: 9 additions & 1 deletion charts/onechart/values.yaml
Expand Up @@ -84,6 +84,14 @@ monitor:

container: {}
podSpec: {}

# service:
# enabled: false

# sharedSecretFiles:
# - name: opsta-secret
# files:
# - mountPath: /etc/conf/config.json
# subPath: config.json
# - mountPath: /etc/app/template.yaml
# subPath: template.yaml
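Review bot: this commented example is the only user-facing documentation of the feature and it shows only the subPath form; add a line for two Kubernetes behaviours that bite here: files mounted via `subPath` are not updated when the Secret changes (only whole-directory mounts are refreshed), and the named Secret must already exist in the release namespace or the pod will not start. Also say that each Secret should appear once in the list with all its files grouped under it, since a repeated name currently produces a duplicate volume.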

6 changes: 3 additions & 3 deletions charts/static-site/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: file://../common
version: 0.7.0
digest: sha256:a97ffdc0ab67ba57b6fb03ab3f98bbbc488f0630f2160b75e937c27d19a2fa08
generated: "2024-09-09T08:36:50.241133151Z"
version: 0.8.0
digest: sha256:ffc064a8d35b9d9d6e48490b41d0caef00096b0c8f9d1b773dfd9380efdff440
generated: "2026-02-06T16:56:24.024306149+07:00"
4 changes: 2 additions & 2 deletions charts/static-site/Chart.yaml
Expand Up @@ -14,9 +14,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.77.0
version: 0.78.0

dependencies:
- name: common
version: 0.7.0
version: 0.8.0
repository: file://../common
Binary file removed charts/static-site/charts/common-0.7.0.tgz
Binary file added charts/static-site/charts/common-0.8.0.tgz
Binary file removed common-0.6.0.tgz
Binary file added common-0.8.0.tgz
Binary file added docs/cron-job-0.78.0.tgz
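Review bot: the packaged artifacts are inconsistent: the repository root replaces common-0.6.0.tgz with common-0.8.0.tgz (0.7.0 was evidently never committed there), while docs/ gains only cron-job-0.78.0.tgz and no onechart-0.78.0.tgz or static-site-0.78.0.tgz even though all three charts are bumped to 0.78.0. If docs/ is the published chart repository, the other two packages and an updated index are missing; if it is not, consider leaving build outputs out of the PR altogether, since committed tarballs cannot be reviewed and drift from the source templates.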