SAP / cap-operator

CAP Operator manages and automates the lifecycle of multi-tenant SAP Cloud Application Programming Model (CAP) based applications on Kubernetes.
https://sap.github.io/cap-operator/
Apache License 2.0

[Feat] Volume mount service secrets on workloads #72

Open anirudhprasad-sap opened 7 months ago

anirudhprasad-sap commented 7 months ago

Volume mount service secrets on workloads instead of using VCAP. Enabled by setting annotation sme.sap.com/use-volume-mount: "true" on the CAPApplicationVersion resource.

Test controller image - ghcr.io/anirudhprasad-sap/cap-operator/controller:vol-mnt-2

anirudhprasad-sap commented 6 months ago

An evaluation was done to store service secrets as volume mounts to support credential rotation. But we have the following issues:

  1. CAP doesn't support credential rotation - #/cap/issues/issues/15618. The recommendation is to restart pods but this can be done now also.
  2. Approuter uses xsenv APIs that don't have the disable cache options. This would mean adoption in app router component as well to support credential rotation.

Because of these drawbacks, it doesn't make sense to support volume mounts for secrets right now. We will revisit the topic once the above points are resolved.

anirudhprasad-sap commented 1 day ago

An evaluation was done to store service secrets as volume mounts to support credential rotation. But we have the following issues:

  1. CAP doesn't support credential rotation - #/cap/issues/issues/15618. The recommendation is to restart pods but this can be done now also.
  2. Approuter uses xsenv APIs that don't have the disable cache options. This would mean adoption in app router component as well to support credential rotation.

Because of these drawbacks, it doesn't make sense to support volume mounts for secrets right now. We will revisit the topic once the above points are resolved.

Even though the above issue still exists, we decided to merge it. This feature can be enabled by setting annotation sme.sap.com/use-volume-mount: "true" on the CAPApplicationVersion.
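
The caching concern raised in this thread, as an added example that is not part of the pull request or of CAP Operator's code: a client that reads a volume-mounted secret once and caches it forever keeps using the old credential after rotation, while one that re-reads after a bounded age picks up the new value without a pod restart. The directory layout, key names (`clientid`, `clientsecret`), function names and the 30-second age are assumptions made for illustration.

```javascript
// Added example: directory layout, key names and function names are assumptions.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Read each key of a mounted secret directory (one file per key).
// Kubelet bookkeeping entries such as "..data" start with ".." and are skipped.
function readBinding(dir) {
  const creds = {};
  for (const name of fs.readdirSync(dir)) {
    if (name.startsWith('..')) continue;
    const file = path.join(dir, name);
    if (fs.statSync(file).isFile()) creds[name] = fs.readFileSync(file, 'utf8').trim();
  }
  return creds;
}

// Cache credentials, but re-read once they are older than maxAgeMs.
// maxAgeMs = Infinity models a client that caches for the process lifetime.
function createLoader(dir, maxAgeMs, now = Date.now) {
  let cached = null;
  let loadedAt = 0;
  return function get() {
    if (cached === null || now() - loadedAt >= maxAgeMs) {
      cached = readBinding(dir);
      loadedAt = now();
    }
    return cached;
  };
}

// Constructed demo: a temp directory stands in for the mounted secret volume.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'binding-'));
  fs.writeFileSync(path.join(dir, 'clientid'), 'sb-app\n');
  fs.writeFileSync(path.join(dir, 'clientsecret'), 'old-secret\n');
  let clock = 0; // fake clock in milliseconds, so the demo needs no sleep
  const frozen = createLoader(dir, Infinity, () => clock);
  const fresh = createLoader(dir, 30000, () => clock);
  const before = { frozen: frozen().clientsecret, fresh: fresh().clientsecret };
  fs.writeFileSync(path.join(dir, 'clientsecret'), 'new-secret\n'); // rotation
  clock += 30000;
  const after = { frozen: frozen().clientsecret, fresh: fresh().clientsecret };
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, after };
}
```

In a pod, mounted secret files are refreshed by the kubelet after the Secret changes, whereas values injected as environment variables stay fixed until the pod restarts.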

sonarcloud[bot] commented 9 hours ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
98.8% Coverage on New Code
0.0% Duplication on New Code
