Mounting a Secret or a ConfigMap as a file or an environment variable into a Che container
Secrets are Kubernetes or OpenShift objects that store sensitive data such as:
-
usernames
-
passwords
-
authentication tokens
in an encrypted form.
Users can mount a Kubernetes or OpenShift Secret that contains sensitive data or a ConfigMap that contains configuration in a Che managed containers as:
-
a file
-
an environment variable
The mounting process uses the standard Kubernetes or OpenShift mounting mechanism, but it requires additional annotations and labeling.
Mounting a Secret or a ConfigMap as a file into a Che container
-
A running instance of Eclipse Che.
-
Create a new Kubernetes or OpenShift Secret or a ConfigMap in the Kubernetes or OpenShift namespace where a Che is deployed. The labels of the object that is about to be created must match the set of labels:
-
app.kubernetes.io/part-of: che.eclipse.org -
app.kubernetes.io/component: <DEPLOYMENT_NAME>-<OBJECT_KIND> -
The
<DEPLOYMENT_NAME>corresponds to the one following deployments:-
keycloak -
devfile-registry -
plugin-registry -
cheand
-
-
<OBJECT_KIND>is either:-
secretor
-
configmap
-
-
apiVersion: v1
kind: Secret
metadata:
name: custom-settings
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: che-secret
...or
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-settings
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: che-configmap
...Annotations must indicate that the given object is mounted as a file.
-
Configure the annotation values:
-
che.eclipse.org/mount-as: file- To indicate that a object is mounted as a file. -
che.eclipse.org/mount-path: <TARGET_PATH>- To provide a required mount path.
-
apiVersion: v1
kind: Secret
metadata:
name: custom-data
annotations:
che.eclipse.org/mount-as: file
che.eclipse.org/mount-path: /data
labels:
...or
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-data
annotations:
che.eclipse.org/mount-as: file
che.eclipse.org/mount-path: /data
labels:
...The Kubernetes object can contain several items whose names must match the desired file name mounted into the container.
apiVersion: v1
kind: Secret
metadata:
name: custom-data
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: che-secret
annotations:
che.eclipse.org/mount-as: file
che.eclipse.org/mount-path: /data
data:
ca.crt: <base64 encoded data content here>or
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-data
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: che-configmap
annotations:
che.eclipse.org/mount-as: file
che.eclipse.org/mount-path: /data
data:
ca.crt: <data content here>This results in a file named ca.crt being mounted at the /data path of Che container.
| To make the changes in a Che container visible, recreate the object entirely. |
Mounting a Secret or a ConfigMap as an environment variable into a Che container
-
A running instance of Eclipse Che.
-
Create a new Kubernetes or OpenShift Secret or a ConfigMap in the Kubernetes or OpenShift namespace where a Che is deployed. The labels of the object that is about to be created must match the set of labels:
-
app.kubernetes.io/part-of: che.eclipse.org -
app.kubernetes.io/component: <DEPLOYMENT_NAME>-<OBJECT_KIND> -
The
<DEPLOYMENT_NAME>corresponds to the one following deployments:-
keycloak -
devfile-registry -
plugin-registry -
cheand
-
-
<OBJECT_KIND>is either:-
secretor
-
configmap
-
-
apiVersion: v1
kind: Secret
metadata:
name: custom-settings
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: che-secret
...or
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-settings
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: che-configmap
...Annotations must indicate that the given object is mounted as a environment variable.
-
Configure the annotation values:
-
che.eclipse.org/mount-as: env- to indicate that a object is mounted as an environment variable -
che.eclipse.org/env-name: <FOO_ENV>- to provide an environment variable name, which is required to mount a object key value
-
apiVersion: v1
kind: Secret
metadata:
name: custom-settings
annotations:
che.eclipse.org/env-name: FOO_ENV
che.eclipse.org/mount-as: env
labels:
...
data:
mykey: myvalueor
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-settings
annotations:
che.eclipse.org/env-name: FOO_ENV
che.eclipse.org/mount-as: env
labels:
...
data:
mykey: myvalueThis results in two environment variables:
-
FOO_ENV -
myvalue
being provisioned into a Che container.
If the object provides more than one data item, the environment variable name must be provided for each of the data keys as follows:
apiVersion: v1
kind: Secret
metadata:
name: custom-settings
annotations:
che.eclipse.org/mount-as: env
che.eclipse.org/mykey_env-name: FOO_ENV
che.eclipse.org/otherkey_env-name: OTHER_ENV
labels:
...
data:
mykey: __<base64 encoded data content here>__
otherkey: __<base64 encoded data content here>__or
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-settings
annotations:
che.eclipse.org/mount-as: env
che.eclipse.org/mykey_env-name: FOO_ENV
che.eclipse.org/otherkey_env-name: OTHER_ENV
labels:
...
data:
mykey: __<data content here>__
otherkey: __<data content here>__This results in two environment variables:
-
FOO_ENV -
OTHER_ENV
being provisioned into a Che container.
The maximum length of annotation names in a Kubernetes object is 63 characters, where 9 characters are reserved for a prefix that ends with /. This acts as a restriction for the maximum length of the key that can be used for the object.
|
| To make the changes in a Che container visible, recreate the object entirely. |