Volumes
Overview
Cloud Object and File storage, ephemeral scratch storage and Secrets can be mounted to directories of containers at runtime by adding one or more volumes.
A volume consists of a uri
and a mount path
. The uri
is prefixed with the provider scheme followed by the bucket/storage name (e.g., s3://my-s3-bucket). The mount path
must be a unique absolute path (e.g., /s3-files). This path will be added to the container’s file system and accessible by the running application.
During the set up of a volume using the console, the uri
name can be entered manually or an existing Cloud Account can assist looking up the name.
The identity of the workload is used to authenticate to the provider’s cloud storage API, or used for authorization to access the Control Plane secret. A Cloud Account for each cloud storage provider, with the necessary access/roles, must exist and be associated with the workload identity.
Volumes can be shared between containers of the same workload. For example if two containers in a workload are each configured with the volume uri: 'scratch://volume1', path: '/my/shared/data'
then changes to files in /my/shared/data
will be visible to both containers.
A maximum of 15 volumes can be added.
Volume Providers
Volume Provider | URI Scheme | Mode | Example |
---|---|---|---|
CPLN Secret | cpln://secret | read-only | cpln://secret/secretname |
CPLN Volume Set | cpln://volumeset | read-write | cpln://volumeset/my-volume-set |
AWS S3 | s3:// | read-only | s3://my-s3-bucket |
Google Cloud Storage | gs:// | read-only | gs://my-google-bucket |
Azure Blob Storage | azureblob:// | read-only | azureblob://my-azure-account/container |
Azure Files | azurefs:// | read-write | azurefs://my-azure-account/my-files |
Scratch (emptyDir) | scratch:// | read-write, ephemeral | scratch://volume1 |
Secret Types
The secret type will dictate how the secret will be mounted to the file system.
-
- The
.payload
property is not required. - If the payload is base-64 encoded, the secret can be decoded at runtime by selecting the
Base64 decode at Runtime
checkbox when configuring the secret. - The configured path must contain at least one subpath (e.g., /path/subpath). The last path (or file name) will be mounted as a file and contain the payload. If a subpath is not given, the payload of the secret will be mounted as a file named
payload
(e.g., /path/payload).
- The
-
Azure, Docker, and GCP Secrets:
- The secret will be mounted to the specified path as the file name
___cpln___.secret
. - The configured path must contain at least one subpath (e.g., /path/subpath). The last path will be mounted as a directory and contain the
___cpln___.secret
file.
- The secret will be mounted to the specified path as the file name
-
All other Secret Types:
- If the root secret is selected, the specified path will be mounted as a directory. The contents of the directory will contain files named as the key/property of the secret. The contents of each file will contain the value of the respective key.
- If a key/property of a secret is selected, the secret will be mounted to the specified path as a file. The contents will include the value of the key/property.
- The directory will include a file named
___cpln___.secret
. The contents of this file will be the JSON formatted output of the secret.
Identity Configuration
A Workload that is configured with a Volume that references a Secret must be configured with an Identity bound to a policy having the reveal permission.
Identity Configuration
To allow a workload identity the ability to authenticate to an object store, a cloud access rule must be created for each provider. A Cloud Account for each provider must exists in order to create the cloud access rule.
The following list contains the minimum roles/scopes that must be added to a cloud access rule:
-
S3 (using an AWS Cloud Account)
- Select
Create a new AWS role with existing policies
and chooseAmazonS3ReadOnlyAccess
.
- Select
-
Google Cloud Storage (using a Google Cloud Account)
- Select
Create a new GCP service account
. - Resource: Storage -> Global -> Bucket ->
Select bucket name
. - Role:
Storage Legacy Bucket Reader
andStorage Legacy Object Reader
. - Verify that the Cloud Account for GCP is configured correctly. In particular, the Control Plane GCP service account requires the
Storage Admin
role.
- Select
-
Azure Blob Storage and Files (using an Azure Cloud Account)
- Scope: Storage -> Region -> Storage Accounts ->
Select storage account
. - Role (for Azure Files) : Reader and Data Access.
- Role (for Azure Blobs) :
Storage Blob Data Reader
.
- Scope: Storage -> Region -> Storage Accounts ->
Firewall Configuration
To allow a Workload access to the object stores, the outbound requests of its external firewall must either be set to All Outbound Requests Allowed
or the hostnames listed below for the corresponding object store must be added to the Outbound Hostname Allow List
.
Limitations
- Volumes are read-only, except for Azure Files.
- The following Path names are reserved:
/dev
/dev/log
/tmp
/var
/var/log
- Authentication to a provider is only facilitated through the workload identity. The use of an AWS or Azure key to mount a bucket/container within a container will not work.
- Properties of a mounted object store, such as cache policies and timeouts, cannot be configured by the user. Control Plane has optimized those values for each cloud provider.
Secret Volume Provider
A Secret can be mapped as a read-only file by using a Volume.
During the configuration of a Volume using the console, the Secret reference (e.g., cpln://secret/SECRET_NAME
) can be entered manually or Control-S
can be pressed to view and select the available Secrets.
The Path must be a unique absolute path and, optionally, a file name (e.g., /secret/my-secret.txt) depending on the secret type. This path will be added to the container’s file system and will be accessible by the running application.
A maximum of 15 volumes can be added.