tazjin/kubernetes-letsencrypt

Re-evaluate naming of secrets

Closed this issue · 3 comments

I'm not sure whether secrets should be named after the domain that they belong to or the service that requested them.

For example, a service "admin" exists in different environments (admin.test.foo.com and admin.prod.foo.com). The service admin-external requests the certificates.

This currently generates secrets named admin-test-foo-com-tls and admin-prod-foo-com-tls. This means that a webserver Deployment resource configuration is different between the environments.

Is that sensible? Is it possible to retrieve volume names from a ConfigMap? (i.e. having a ConfigMap per environment that maps these, therefore still having sensible secret names and having resource reusability).

Last thought before sleeping: The annotations on services also differ between environments, so this is only one bit of the problem.

Ideally this is solved by #2 because the third-party resource could define an additional field to use for the name of the Secret.

This needs to be sorted for supporting #21.

For now I will probably do the following (pre 2.0) to keep compatibility:

  1. Continue as is.
  2. Pick the first certificate for naming if multiple certificates are specified.
  3. Support an additional acme/secretName annotation to override.
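As an added illustration of the naming rules discussed in this thread (not code from the kubernetes-letsencrypt project), the following Python sketch derives the default Secret name from the first certificate domain, honours an `acme/secretName` override annotation, and rejects override values that are not valid Kubernetes object names (RFC 1123 subdomain form), since an annotation is user-supplied input that ends up as a resource name. The function names, the `SECRET_NAME_ANNOTATION` constant and the sample service annotations are this example's own assumptions.

```python
import re
from typing import Dict, Mapping, Optional, Sequence

# Annotation name proposed in the issue; the constant name is this example's assumption.
SECRET_NAME_ANNOTATION = "acme/secretName"

# Kubernetes object names must be RFC 1123 subdomains: lowercase alphanumerics,
# '-' and '.', starting and ending with an alphanumeric, at most 253 characters.
_DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)
MAX_NAME_LEN = 253


def is_valid_secret_name(name: str) -> bool:
    """True if `name` is usable as a Kubernetes Secret name."""
    return 0 < len(name) <= MAX_NAME_LEN and _DNS1123_SUBDOMAIN.match(name) is not None


def domain_to_secret_name(domain: str) -> str:
    """Default scheme from the issue: dots become dashes, '-tls' is appended.

    'admin.test.foo.com' -> 'admin-test-foo-com-tls'
    """
    d = domain.strip().lower().rstrip(".")
    # Any character Kubernetes would not accept is replaced by a dash.
    name = re.sub(r"[^a-z0-9-]", "-", d.replace(".", "-")) + "-tls"
    if not is_valid_secret_name(name):
        raise ValueError(f"cannot derive a valid Secret name from domain {domain!r}")
    return name


def secret_name_for(domains: Sequence[str],
                    annotations: Optional[Mapping[str, str]] = None) -> str:
    """Resolve the Secret name for a certificate request.

    Rule 3 (override annotation) wins; otherwise rule 2 (first listed domain) applies.
    """
    annotations = annotations or {}
    override = annotations.get(SECRET_NAME_ANNOTATION)
    if override is not None:
        if not is_valid_secret_name(override):
            # Refuse rather than silently mangle: the operator asked for this exact name.
            raise ValueError(f"{SECRET_NAME_ANNOTATION}={override!r} is not a valid Secret name")
        return override
    if not domains:
        raise ValueError("at least one domain is required to name the Secret")
    return domain_to_secret_name(domains[0])


def tls_volume(secret_name: str, volume_name: str = "tls") -> Dict[str, object]:
    """Volume entry a Deployment would carry; identical across environments
    when the override annotation pins the Secret name."""
    return {"name": volume_name, "secret": {"secretName": secret_name}}


if __name__ == "__main__":
    # Constructed sample: the same "admin" service in two environments.
    envs = {
        "test": ["admin.test.foo.com"],
        "prod": ["admin.prod.foo.com"],
    }
    for env, domains in envs.items():
        default = secret_name_for(domains)
        pinned = secret_name_for(domains, {SECRET_NAME_ANNOTATION: "admin-tls"})
        print(f"{env}: default={default} pinned={pinned} volume={tls_volume(pinned)}")
```

With the override annotation set to the same value in every environment, the Deployment's volume block no longer differs per environment, which is the reuse problem the issue raises; without it, the derived names still encode the domain.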