
[Feat] Volume mount service secrets on workloads

Open anirudhprasad-sap opened this issue 1 year ago • 5 comments

Volume mount service secrets on workloads instead of using VCAP. Enabled by setting the annotation sme.sap.com/use-credential-volume-mount: "true" on the CAPApplicationVersion resource.

Test controller image - ~ghcr.io/anirudhprasad-sap/cap-operator/controller:vol-mnt-3~ ghcr.io/anirudhprasad-sap/cap-operator/controller:vol-mnt-4

anirudhprasad-sap avatar Mar 08 '24 13:03 anirudhprasad-sap

An evaluation was done to store service secrets as volume mounts to support credential rotation. But we have the following issues:

  1. CAP doesn't support credential rotation - #/cap/issues/issues/15618. The recommendation is to restart pods, but this can be done now also.
  2. Approuter uses xsenv APIs that don't have the disable-cache option. This would mean adoption in the app router component as well to support credential rotation.

Because of these drawbacks, it doesn't make sense to support volume mounts for secrets right now. We will revisit the topic once the above points are resolved.

anirudhprasad-sap avatar Mar 21 '24 15:03 anirudhprasad-sap

Even though the above issue still exists, we decided to merge it. This feature can be enabled by setting the annotation sme.sap.com/use-volume-mount: "true" on the CAPApplicationVersion.

anirudhprasad-sap avatar Oct 15 '24 12:10 anirudhprasad-sap
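The rotation problem the thread describes (a volume-mounted secret is refreshed on disk, but a component that caches credentials at startup keeps the old ones) can be shown in a few lines. The following is an added example, not code from the cap-operator project or from the issue's participants; the mount directory, file name and the CachedCredentials class are assumptions standing in for the operator's real mount layout and for a library that loads credentials once without a disable-cache option. It also includes a simple check that compares cached and on-disk credentials to decide whether the "restart pods" recommendation from the thread applies.

```python
"""Added example (not part of the cap-operator project): contrasts re-reading
volume-mounted service credentials on every use with caching them at startup,
and derives a restart decision from the difference."""
import json
import os
import tempfile
from pathlib import Path

# Hypothetical mount directory; the real path the operator projects secrets
# into is not stated in the thread.
MOUNT_DIR = Path(tempfile.mkdtemp(prefix="svc-creds-"))
CRED_FILE = "credentials.json"  # assumed file name inside the mount


def write_credentials(mount_dir: Path, creds: dict) -> None:
    """Simulates kubelet re-projecting a rotated Secret into the mount.
    Kubelet swaps the whole projection atomically; an atomic file replace is
    enough to model that here."""
    tmp = mount_dir / (CRED_FILE + ".tmp")
    tmp.write_text(json.dumps(creds))
    os.replace(tmp, mount_dir / CRED_FILE)


def read_credentials(mount_dir: Path) -> dict:
    """Uncached reader: parses the projected file on every call, so a rotated
    secret is picked up without restarting the pod."""
    return json.loads((mount_dir / CRED_FILE).read_text())


class CachedCredentials:
    """Cached reader, modelled on a library that loads credentials once at
    process start (the behaviour the thread attributes to xsenv when no
    disable-cache option is available)."""

    def __init__(self, mount_dir: Path):
        self._creds = read_credentials(mount_dir)

    def get(self) -> dict:
        return self._creds


def needs_restart(cached: CachedCredentials, mount_dir: Path) -> bool:
    """True when the on-disk (rotated) credentials differ from what the
    process cached: the condition under which 'restart the pod' is the only
    way for a caching component to pick up the new secret."""
    return cached.get() != read_credentials(mount_dir)


def demo_rotation(mount_dir: Path) -> tuple:
    """Runs one rotation and returns the password each reader observes
    afterwards as (uncached, cached). Sample credentials are constructed."""
    write_credentials(mount_dir, {"user": "app", "password": "old-secret"})
    cached = CachedCredentials(mount_dir)
    # Rotation: the Secret is updated and kubelet refreshes the mount.
    write_credentials(mount_dir, {"user": "app", "password": "new-secret"})
    return read_credentials(mount_dir)["password"], cached.get()["password"]


if __name__ == "__main__":
    fresh, stale = demo_rotation(MOUNT_DIR)
    print(f"uncached reader sees:      {fresh}")  # new-secret
    print(f"cached reader still holds: {stale}")  # old-secret
```

The point for operators is that moving credentials from VCAP_SERVICES environment variables to a volume mount only helps rotation for components that re-read the file; a component that caches, such as the app router described in the thread, still needs a restart, which the `needs_restart` check makes explicit.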

Can we rename the annotation to one of: sme.sap.com/services-use-volume-mount, sme.sap.com/use-credential-volume-mount, sme.sap.com/use-services-volume-mount?

The existing one is a bit too generic IMO.

I updated the annotation to sme.sap.com/use-credential-volume-mount - https://github.com/SAP/cap-operator/pull/72/commits/6a3e6a89927827d4d353b1fa797218abe6099d32

anirudhprasad-sap avatar Oct 17 '24 08:10 anirudhprasad-sap