Search code examples
kuberneteskubernetes-secretsstatefulset

How to mount a secret to kubernetes StatefulSet

So, looking at the Kubernetes API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#statefulsetspec-v1-apps it appears that I can indeed have a volume because it uses a podspec and the podspec does have a volume field, so I could list the secret and then mount it like in a deployment, or any other pod.

The problem is that kubernetes seems to think that volumes are not actually in the podspec for StatefulSet? Is this right? How do I mount in a secret to my statefulset if this is true.

error: error validating "mysql-stateful-set.yaml": error validating data: ValidationError(StatefulSet.spec.template.spec.containers[0]): unknown field "volumes" in io.k8s.api.core.v1.Container; if you choose to ignore these errors, turn validation off with --validate=false

StatefulSet:

apiVersion: v1
kind: Service
metadata:
  name: mysql
  labels:
    app: mysql
spec:
  ports:
  - port: 3306
    name: database
  selector:
    app: mysql
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  selector:
    matchLabels:
      app: mysql # has to match .spec.template.metadata.labels
  serviceName: "mysql"
  replicas: 1
  template:
    metadata:
      labels:
        app: mysql
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: mysql
        image: mysql
        ports:
        - containerPort: 3306
          name: database
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        - name: mysql
          mountPath: /run/secrets/mysql
        env:
        - name: MYSQL_ROOT_PASSWORD_FILE
          value: /run/secrets/mysql/root-pass
        volumes:
          - name: mysql
            secret:
              secretName: mysql
              items:
                - key: root-pass
                  path: root-pass
                  mode: 511
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: do-block-storage
      resources:
        requests:
          storage: 10Gi```
Solution

  • The volume field should come inside template spec and not inside container (as done in your template). Refer this for the exact structure (https://godoc.org/k8s.io/api/apps/v1#StatefulSetSpec), go to PodTemplateSpec and you will find volumes field.

    Below template should work for you:

    apiVersion: v1
kind: Service
metadata:
  name: mysql
  labels:
    app: mysql
spec:
  ports:
  - port: 3306
    name: database
  selector:
    app: mysql
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  selector:
    matchLabels:
      app: mysql # has to match .spec.template.metadata.labels
  serviceName: "mysql"
  replicas: 1
  template:
    metadata:
      labels:
        app: mysql
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: mysql
        image: mysql
        ports:
        - containerPort: 3306
          name: database
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        - name: mysql
          mountPath: /run/secrets/mysql
        env:
        - name: MYSQL_ROOT_PASSWORD_FILE
          value: /run/secrets/mysql/root-pass
      volumes:
       - name: mysql
         secret:
           secretName: mysql
           items:
            - key: root-pass
              path: root-pass
               mode: 511
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: do-block-storage
      resources:
        requests:
          storage: 10Gi