Each volume is defined by a uri and a mount path. The uri is prefixed with the provider scheme followed by the bucket/storage name (e.g., s3://my-s3-bucket). The mount path must be a unique absolute path (e.g., /s3-files). This path is added to the container's file system and is accessible to the running application.
When setting up a volume in the console, the uri can be entered manually, or an existing Cloud Account can be used to look up the bucket/storage name.
The workload's identity is used to authenticate to the provider's cloud storage API, or to authorize access to the Control Plane secret. A Cloud Account for each cloud storage provider, granted the necessary access/roles, must exist and be associated with the workload identity.
Volumes can be shared between containers of the same workload. For example, if two containers in a workload are each configured with the volume uri: scratch://volume1, path: /my/shared/data, then changes to files in /my/shared/data are visible to both containers.
Volume Provider | URI Scheme | Mode | Example |
---|---|---|---|
CPLN Secret | cpln://secret | read-only | cpln://secret/secretname |
CPLN Volume Set | cpln://volumeset | read-write | cpln://volumeset/my-volume-set |
AWS S3 | s3:// | read-only | s3://my-s3-bucket |
Google Cloud Storage | gs:// | read-only | gs://my-google-bucket |
Azure Blob Storage | azureblob:// | read-only | azureblob://my-azure-account/container |
Azure Files | azurefs:// | read-write | azurefs://my-azure-account/my-files |
Scratch (emptyDir) | scratch:// | read-write, ephemeral | scratch://volume1 |
Provider setup notes:

- Control Plane secret: the .payload property is not required. To have a Base64-encoded payload decoded before it is mounted, check the Base64 decode at Runtime checkbox when configuring the secret. The path may include a file name (e.g., /path/payload); when it does not, the secret is written to a file named ___cpln___.secret at the mount path, and the contents of this file will be the JSON formatted output of the secret.
- AWS S3: create a new AWS role with existing policies and choose AmazonS3ReadOnlyAccess.
- Google Cloud Storage: create a new GCP service account, select the bucket name, and grant the Storage Legacy Bucket Reader and Storage Legacy Object Reader roles (the broader Storage Admin role also works, but the two reader roles match the read-only mode of the mount).
- Azure Blob Storage: select the storage account and grant the Storage Blob Data Reader role.
- Outbound firewall: the workload must either have All Outbound Requests Allowed, or the hostnames for the corresponding object store must be added to the Outbound Hostname Allow List. Allow-listing only the object store's hostnames is the tighter choice.
The following paths are reserved and cannot be used as a mount path:

- /dev
- /dev/log
- /tmp
- /var
- /var/log
The uri (e.g., cpln://secret/SECRET_NAME) can be entered manually, or Control-S can be pressed to view and select the available Secrets. The path must be a unique absolute path and, optionally, a file name (e.g., /secret/my-secret.txt) depending on the secret type. This path is added to the container's file system and is accessible to the running application.
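To tie the provider table, the sharing rule and the path rules together, here is an added example (not Control Plane's own code or tooling) that checks the volume entries of a workload spec before it is applied: every uri must use a scheme from the table above with a bucket/storage name after it, every mount path must be absolute, unique within its container and not one of the reserved paths, and a uri mounted by more than one container is reported as shared. The containers/name/volumes layout, the container names and the sample values are assumptions for the example; only the uri and path fields and the scheme table come from this page.

```python
import posixpath
from typing import Dict, List

# Provider table from this page: uri prefix -> access mode.
VOLUME_SCHEMES: Dict[str, str] = {
    "cpln://secret/": "read-only",
    "cpln://volumeset/": "read-write",
    "s3://": "read-only",
    "gs://": "read-only",
    "azureblob://": "read-only",
    "azurefs://": "read-write",
    "scratch://": "read-write, ephemeral",
}

# Reserved mount paths listed on this page. Matched exactly, not as prefixes,
# because /dev and /dev/log are listed separately.
RESERVED_PATHS = {"/dev", "/dev/log", "/tmp", "/var", "/var/log"}


def volume_mode(uri: str) -> str:
    """Return the access mode for a volume uri; raise if the scheme is not in
    the table or no bucket/storage name follows the scheme."""
    for prefix, mode in VOLUME_SCHEMES.items():
        if uri.startswith(prefix) and len(uri) > len(prefix):
            return mode
    raise ValueError(f"unsupported or incomplete volume uri: {uri!r}")


def path_problems(path: str) -> List[str]:
    """Check one mount path: absolute, normalized, and not reserved."""
    if not path.startswith("/"):
        return [f"mount path {path!r} is not absolute"]
    problems: List[str] = []
    if posixpath.normpath(path) != path:
        problems.append(f"mount path {path!r} is not normalized")
    if posixpath.normpath(path) in RESERVED_PATHS:
        problems.append(f"mount path {path!r} is reserved")
    return problems


def validate_containers(containers: List[dict]) -> List[str]:
    """Validate every volume of every container; an empty list means OK.
    Each container is a dict with "name" and a "volumes" list of
    {"uri": ..., "path": ...} entries (layout assumed for this example)."""
    problems: List[str] = []
    for container in containers:
        name = container["name"]
        seen_paths = set()
        for vol in container.get("volumes", []):
            uri, path = vol["uri"], vol["path"]
            try:
                volume_mode(uri)
            except ValueError as err:
                problems.append(f"{name}: {err}")
            problems.extend(f"{name}: {p}" for p in path_problems(path))
            if path in seen_paths:
                problems.append(f"{name}: mount path {path!r} is used twice")
            seen_paths.add(path)
    return problems


def shared_volumes(containers: List[dict]) -> Dict[str, List[str]]:
    """Map each uri mounted by more than one container to those containers.
    For a read-write volume such as scratch://, writes by one container are
    visible to the others, as described above."""
    users: Dict[str, List[str]] = {}
    for container in containers:
        for vol in container.get("volumes", []):
            users.setdefault(vol["uri"], []).append(container["name"])
    return {uri: names for uri, names in users.items() if len(names) > 1}


# Constructed sample workload: two containers sharing a scratch volume, plus an
# S3 bucket and a secret mounted as a file in the first container.
SAMPLE_CONTAINERS = [
    {"name": "web", "volumes": [
        {"uri": "scratch://volume1", "path": "/my/shared/data"},
        {"uri": "s3://my-s3-bucket", "path": "/s3-files"},
        {"uri": "cpln://secret/my-secret", "path": "/secret/my-secret.txt"},
    ]},
    {"name": "sidecar", "volumes": [
        {"uri": "scratch://volume1", "path": "/my/shared/data"},
    ]},
]

# Constructed sample that breaks exactly one rule per volume entry.
BAD_CONTAINERS = [
    {"name": "web", "volumes": [
        {"uri": "s3://my-s3-bucket", "path": "/tmp"},           # reserved path
        {"uri": "ftp://example", "path": "/ftp"},             # unknown scheme
        {"uri": "gs://my-google-bucket", "path": "relative"},  # not absolute
        {"uri": "scratch://volume1", "path": "/ftp"},         # duplicate path
    ]},
]

if __name__ == "__main__":
    print(validate_containers(SAMPLE_CONTAINERS))  # []
    print(shared_volumes(SAMPLE_CONTAINERS))
    for problem in validate_containers(BAD_CONTAINERS):
        print("problem:", problem)
```

Running the script reports no problems for the first workload, lists scratch://volume1 as shared by web and sidecar, and prints one problem per entry of the second workload.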