servicebinding / spec

Specification for binding services to k8s workloads
https://servicebinding.io
Apache License 2.0

Challenge with the recommendation not to change the collection of files within the binding directory #178

Closed baijum closed 2 years ago

baijum commented 3 years ago

The application projection has a recommendation like this:

> The collection of files within the directory MAY change between container launches. The collection of files within the directory SHOULD NOT change during the lifetime of the container.

This is not practical if the Secret resource provided by the user is used to bind the application, because a change in the Secret will be reflected in the file system.

To conform to the above recommendation, a copy of the Secret resource should be used for binding. But that will lose the benefit of automatically propagating changes from the Secret to the file system.

I think the spec should find a balance between these two scenarios. We can probably recommend to the Provisioned Service authors not to introduce new attributes and remove any existing attributes from the Secret resource.

scothis commented 3 years ago

I agree, we're not in a position to enforce this recommendation, and the driver is from the provisioned service and not the service binding.

> We can probably recommend to the Provisioned Service authors not to introduce new attributes and remove any existing attributes from the Secret resource.

This is a good recommendation. If the service wants to add or remove values from a binding secret, it should create a new secret and expose that on its status.
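
An added example, not part of the thread or of the spec: a Python check that an application or a conformance test could run against its binding directory to tell the case discussed above (entries added or removed while the container is running) apart from a plain value rotation. The entry names and values are constructed; the only Kubernetes behaviour assumed is that Secret volumes keep `..`-prefixed bookkeeping entries next to the projected files.

```python
import hashlib
import os
import tempfile


def snapshot(binding_dir):
    """Map each entry name in a binding directory to a SHA-256 of its content."""
    # Skip '..'-prefixed names: kubelet bookkeeping for atomic Secret volume updates.
    entries = {}
    for name in sorted(os.listdir(binding_dir)):
        path = os.path.join(binding_dir, name)
        if name.startswith("..") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            entries[name] = hashlib.sha256(fh.read()).hexdigest()
    return entries


def classify(before, after):
    """Compare two snapshots taken during one container lifetime."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    rotated = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    # "collection-changed" is what the spec says SHOULD NOT happen; "values-rotated" is not.
    verdict = ("collection-changed" if added or removed
               else "values-rotated" if rotated else "unchanged")
    return {"verdict": verdict, "added": added, "removed": removed, "rotated": rotated}


def demo():
    """Constructed sample binding: rotate one value, then add and remove entries."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, value):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(value)
        for name, value in [("type", "postgresql"), ("username", "app"), ("password", "old")]:
            write(name, value)
        os.mkdir(os.path.join(d, "..data"))  # stand-in for the kubelet's bookkeeping entry
        first = snapshot(d)
        write("password", "new")
        second = snapshot(d)
        write("sslmode", "require")
        os.remove(os.path.join(d, "username"))
        third = snapshot(d)
        return classify(first, second), classify(second, third)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only digests are kept in the snapshot, so the comparison never holds the secret values themselves beyond the read.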