Open anirudhprasad-sap opened 7 months ago
An evaluation was done to store service secrets as volume mounts to support credential rotation. But we have the following issues:
- CAP doesn't support credential rotation - #/cap/issues/issues/15618. The recommendation is to restart pods, but this can be done now also.
- Approuter uses xsenv APIs that don't have the disable cache options. This would mean adoption in app router component as well to support credential rotation.
Because of these drawbacks, it doesn't make sense to support volume mounts for secrets right now. We will revisit the topic once the above points are resolved.
Even though the above issue still exists, we decided to merge it. This feature can be enabled by setting annotation sme.sap.com/use-volume-mount: "true" on the CAPApplicationVersion.
Volume mount service secrets on workloads instead of using VCAP. Enabled by setting annotation sme.sap.com/use-volume-mount: "true" on the CAPApplicationVersion resource.

Test controller image - ghcr.io/anirudhprasad-sap/cap-operator/controller:vol-mnt-2
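The caching concern raised in the evaluation above, as an added example that is not code from this PR, CAP, xsenv or cap-operator: a consumer that caches mounted credentials on first read keeps serving the old secret after rotation, while one that watches the volume's `..data` symlink picks up the new one. It assumes a one-file-per-key mount layout and the kubelet's symlink-swap update of Secret volumes; all function names and secret values are constructed for illustration.

```javascript
// Added illustration: loader names are hypothetical, not CAP, xsenv or cap-operator APIs.
const fs = require("fs");
const os = require("os");
const path = require("path");

// One file per credential key; dot-prefixed entries are kubelet bookkeeping.
function readBinding(dir) {
  const keys = fs.readdirSync(dir).filter((n) => !n.startsWith("."));
  return Object.fromEntries(keys.map((k) => [k, fs.readFileSync(path.join(dir, k), "utf8")]));
}

// Consumer that caches on first read: stale after rotation until the pod restarts.
function cachingLoader(dir) {
  let cache;
  return () => cache || (cache = readBinding(dir));
}

// Consumer that re-reads once the "..data" symlink points at a new snapshot.
function rotationAwareLoader(dir) {
  let cache, seen;
  return () => {
    const target = fs.readlinkSync(path.join(dir, "..data"));
    if (target !== seen) { cache = readBinding(dir); seen = target; }
    return cache;
  };
}

// Constructed stand-in for the kubelet's atomic Secret volume update: new snapshot dir, then symlink swap.
function publish(dir, snapshot, data) {
  fs.mkdirSync(path.join(dir, snapshot));
  for (const [key, value] of Object.entries(data)) {
    fs.writeFileSync(path.join(dir, snapshot, key), value);
    if (!fs.existsSync(path.join(dir, key))) fs.symlinkSync(path.join("..data", key), path.join(dir, key));
  }
  fs.symlinkSync(snapshot, path.join(dir, "..data_tmp"));
  fs.renameSync(path.join(dir, "..data_tmp"), path.join(dir, "..data"));
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "binding-"));
  publish(dir, "..v1", { clientsecret: "old-secret" }); // constructed sample value
  const loaders = [cachingLoader(dir), rotationAwareLoader(dir)];
  const before = loaders.map((load) => load().clientsecret);
  publish(dir, "..v2", { clientsecret: "new-secret" }); // rotation
  const after = loaders.map((load) => load().clientsecret);
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, after };
}
console.log(demo());
```

Secret volumes mounted with `subPath` do not receive these updates, so neither loader would see a rotated value there.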