I have the following test pod (the volume name is a lowercase RFC 1123 label, as the API server requires):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: volume-debugger
spec:
  volumes:
    - name: secret-volume   # volume names must be lowercase DNS-1123 labels
      secret:
        secretName: ssh-keys-iaas
        items:
          - key: id_rsa
            path: id_rsa
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: secret-volume
          mountPath: "/tmp/rofl/"
          readOnly: true
```
And I have the following secret:

```shell
kubectl create secret generic ssh-keys-iaas --from-file=id_rsa=/some/file
```
When I attach to the pod:

```shell
kubectl exec --stdin --tty volume-debugger -- /bin/bash
```
I can see that `/tmp/rofl/id_rsa` contains the correct value. However, when I update the secret:

```shell
kubectl delete secret ssh-keys-iaas
kubectl create secret generic ssh-keys-iaas --from-file=id_rsa=/some/otherfile
```
My attached shell does not show any updated value, nor does my code inside the container. So it seems like Kubernetes does not automatically update my pod.

According to the docs, "A container using a Secret as a subPath volume mount does not receive automated Secret updates." However, I do not use `subPath`, and therefore I should receive updates, shouldn't I?

Do I have to patch the secret instead of delete+create? Or what is going wrong? How can I have my pod receive an updated value whenever someone updates the secret in the cluster?
As the doc says, the secret should be updated, not recreated.

> When a volume contains data from a Secret, and that Secret is updated, Kubernetes tracks this and updates the data in the volume, using an eventually-consistent approach.
>
> Note: A container using a Secret as a subPath volume mount does not receive automated Secret updates.
It can be done via

```shell
kubectl edit secret ssh-keys-iaas
```

or

```shell
kubectl patch secret ssh-keys-iaas --type='json' -p='[{"op" : "replace" ,"path" : "/data/KEY" ,"value" : "VALUE"}]'
```
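A worked version of the in-place update described in the answer, added here as an example rather than code from the question or the answer. It builds the JSON patch (values under `/data` must be base64-encoded, which is what `VALUE` stands for above), applies it with `kubectl patch`, and then polls the projected file inside the pod until its hash matches the new content, since kubelet propagates Secret changes on its sync interval rather than instantly. The names `ssh-keys-iaas`, `volume-debugger`, `id_rsa` and `/tmp/rofl` come from the thread; the function names, the availability of `kubectl` and `base64` on the workstation, and `sha256sum` inside the container are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Rotates one key of an existing Secret with a JSON patch (update, not
# delete+create) and waits for the mounted file in the pod to change.

# Build the JSON patch body for one key. The value under /data must be
# base64-encoded on a single line, so the raw file content cannot be passed
# to `kubectl patch` directly.
build_patch() {
    key="$1"
    file="$2"
    encoded=$(base64 < "$file" | tr -d '\n')
    printf '[{"op":"replace","path":"/data/%s","value":"%s"}]' "$key" "$encoded"
}

# Apply the patch and poll the projected file until its sha256 matches the
# new content or the timeout (seconds, default 180) expires. Requires a
# cluster; the pod image is assumed to ship sha256sum (the nginx image does).
apply_rotation() {
    secret="$1"; key="$2"; file="$3"; pod="$4"; mount="$5"
    timeout="${6:-180}"
    kubectl patch secret "$secret" --type='json' -p="$(build_patch "$key" "$file")" || return 1
    want=$(sha256sum < "$file" | cut -d' ' -f1)
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # Re-read the path on every iteration: kubelet swaps a symlink under the
        # mount, so a fresh open sees the new data while a stale handle does not.
        got=$(kubectl exec "$pod" -- sha256sum "$mount/$key" 2>/dev/null | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "updated after ${elapsed}s"
            return 0
        fi
        sleep 5
        elapsed=$((elapsed + 5))
    done
    echo "timed out waiting for $mount/$key to change" >&2
    return 1
}

# Usage (needs a cluster and the pod from the question):
# apply_rotation ssh-keys-iaas id_rsa /some/otherfile volume-debugger /tmp/rofl
```

The poll loop is the useful part for a rotation runbook: it tells you when the new key is actually visible in the pod, instead of assuming the patch took effect the moment `kubectl patch` returned.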