Skip to content

[Feat] Volume mount service secrets on workloads#72

Open
anirudhprasad-sap wants to merge 19 commits intomainfrom
volumeMount
Open

[Feat] Volume mount service secrets on workloads#72
anirudhprasad-sap wants to merge 19 commits intomainfrom
volumeMount

Conversation

@anirudhprasad-sap
Copy link
Contributor

@anirudhprasad-sap anirudhprasad-sap commented Mar 8, 2024
edited
Loading

Volume mount service secrets on workloads instead of using VCAP. Enabled by setting annotation sme.sap.com/use-credential-volume-mount: "true" on the CAPApplicationVersion resource.

Test controller image - ghcr.io/anirudhprasad-sap/cap-operator/controller:vol-mnt-3 ghcr.io/anirudhprasad-sap/cap-operator/controller:vol-mnt-4

@anirudhprasad-sap
Copy link
Contributor Author

anirudhprasad-sap commented Mar 21, 2024
edited by Pavan-SAP
Loading

An evaluation was done to store service secrets as volume mounts to support credential rotation. But we have the following issues-

  1. CAP doesn't support credential rotation - #/cap/issues/issues/15618. The recommendation is to restart pods but this can be done now also.
  2. Approuter uses xsenv api's that don't have the disable cache options. This would mean adoption in app router component as well to support credential rotation.

Because of these drawbacks, it doesn't make sense to support volume mounts for secrets right now. We will revisit the topic once the above points are resolved.

@Pavan-SAP Pavan-SAP deleted the volumeMount branch May 21, 2024 15:49
@Pavan-SAP Pavan-SAP restored the volumeMount branch October 2, 2024 12:18
@Pavan-SAP Pavan-SAP reopened this Oct 2, 2024
@anirudhprasad-sap anirudhprasad-sap changed the title Volume mount Support [Feat] Volume mount service secrets on workloads Oct 15, 2024
@anirudhprasad-sap
Copy link
Contributor Author

anirudhprasad-sap commented Oct 15, 2024

An evaluation was done to store service secrets as volume mounts to support credential rotation. But we have the following issues-

  1. CAP doesn't support credential rotation - #/cap/issues/issues/15618. The recommendation is to restart pods but this can be done now also.
  2. Approuter uses xsenv api's that don't have the disable cache options. This would mean adoption in app router component as well to support credential rotation.

Because of these drawbacks, it doesn't make sense to support volume mounts for secrets right now. We will revisit the topic once the above points are resolved.

Even though the above issue still exists, we decided to merge it. This feature can be enabled by setting annotation sme.sap.com/use-volume-mount: "true" on the CAPApplicationVersion.

@SAP SAP deleted a comment from sonarqubecloud bot Oct 15, 2024
@anirudhprasad-sap anirudhprasad-sap marked this pull request as ready for review October 15, 2024 12:33
Pavan-SAP

This comment was marked as resolved.

Sign in to view

@anirudhprasad-sap
documentation updated
6a3e6a8 
volume mount annotation changed
@anirudhprasad-sap
Copy link
Contributor Author

anirudhprasad-sap commented Oct 17, 2024

can we rename the annotation to say one of : sme.sap.com/services-use-volume-mount sme.sap.com/use-credential-volume-mount sme.sap.com/use-services-volume-mount

the existing one is a bit too generic IMO.

I updated the annotation to sme.sap.com/use-credential-volume-mount - 6a3e6a8

@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 24, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
98.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 17, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
98.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Pavan-SAP Pavan-SAP Pavan-SAP left review comments

@skrishnan-sap skrishnan-sap Awaiting requested review from skrishnan-sap

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@anirudhprasad-sap @Pavan-SAP