[BUG] Kompose does not mount secrets like compose

[dgarciabriseno]

Expected Behavior

secrets defined in compose.yaml should be mounted in the pods in /run/secrets/<secret>

Actual Behavior

/run/secrets/<secret> is mounted as a directory

Steps To Reproduce

1. Add secrets to compose.yaml

services:
  myservice:
    ...
    secrets:
      - config-ini

secrets:
  config-ini:
    file: secrets/Config.ini

2. kompose convert

3. examine generated pod config file:

The result is:

volumeMounts:
  - mountPath: /run/secrets/config-ini
     name: config-ini

Which appears correct at a glance, but when running, I get the error that config-ini is a directory.

Kompose Version

1.31.2 (HEAD)

Docker-Compose file

No response

Anything else?

I was able to fix the pod file by adding subPath:

volumeMounts:
  - mountPath: /run/secrets/config-ini
    subPath: config-ini
    name: config-ini

With subPath, it gets mounted as a file instead of a directory.

I don't know k8 very well, I would guess it's mounted as a directory because secrets can hold more than one key-value pair. In that case it wouldn't necessarily make sense to put all the key-value pairs into one file, especially if each key should be its own file.

But with docker compose, secrets are only one key->value, so that behavior should be translated.

[AhmedGrati]

@dgarciabriseno with the following docker-compose.yml I couldn't reproduce the issue:

version: '3.8'
services:
  mongodb:
    image: mongo:latest
    restart: always
    expose:
      - 27017
    secrets:
    - config-ini

secrets:
  config-ini:
    file: secrets/Config.ini

The created secret and deployment are created as expected without any problem. Apart from that if you need to use Subpath you can use the label kompose.volume.subpath.
You can provide us with your docker-compose file for further help.

[dgarciabriseno]

Sorry I was unresponsive, I hadn't worked on getting my compose project into kubernetes in a while. It looks like you guys may have found the issue since there's an open PR.

Here's an actual kubernetes deployment that shows the issue:

deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert -f ../compose.prod.yaml
    kompose.version: 1.31.2 (HEAD)
  creationTimestamp: null
  labels:
    io.kompose.service: database
  name: database
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: database
  strategy: {}
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert -f ../compose.prod.yaml
        kompose.version: 1.31.2 (HEAD)
      creationTimestamp: null
      labels:
        io.kompose.network/project-default: "true"
        io.kompose.service: database
    spec:
      containers:
        - env:
            - name: MARIADB_ROOT_PASSWORD_FILE
              value: /run/secrets/mariadb-password
          image: mariadb:11
          livenessProbe:
            exec:
              command:
                - bash
                - /usr/local/bin/healthcheck.sh
                - --connect
            failureThreshold: 3
            periodSeconds: 5
            timeoutSeconds: 5
          name: database
          resources: {}
          volumeMounts:
            - mountPath: /run/secrets/mariadb-password
              name: mariadb-password
      restartPolicy: Always
      volumes:
        - name: mariadb-password
          secret:
            items:
              - key: mariadb-password
                path: mariadb-password
            secretName: mariadb-password
status: {}

And password secret:

apiVersion: v1
data:
  mariadb-password: Zm9yLWtvbXBvc2UtdGVzdGluZwo=
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    io.kompose.service: mariadb-password
  name: mariadb-password
type: Opaque

Put these in a folder and run:

$ kubectl apply -f .
deployment.apps/database created
secret/mariadb-password created

And I get this result:

$ kubectl get pod
NAME                       READY   STATUS             RESTARTS      AGE
database-9cd769646-52gd4   0/1     CrashLoopBackOff   2 (16s ago)   32s
$ kubectl logs database-9cd769646-52gd4
2024-02-09 19:56:49+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.2.2+maria~ubu2204 started.

Kind of weird that the error doesn't show up saying I'm missing the environment variable for the password.

But then if I edit volume mounts to include the subPath:

          volumeMounts:
            - mountPath: /run/secrets/mariadb-password
              subPath: mariadb-password
              name: mariadb-password

And reapply with kubectl apply -f .

Then all is good.

$ kubectl get pod
NAME                        READY   STATUS    RESTARTS   AGE
database-5955d99cb4-mpscc   1/1     Running   0          27s

[sosan]

updated fix to contemplate mays in secrets:

version: "3.9"
services:
  database:
    image: mariadb:11
    deploy:
      replicas: 1
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/MARIADB_PASSWORD
    secrets:
      - MARIADB_PASSWORD
secrets:
  MARIADB_PASSWORD:
    file: "./mariadb-password.txt"