feat(ws): add spec.podTemplate.volumes.secrets[] to Workspace

workspaces/controller/api/v1beta1/workspace_types.go

@@ -98,6 +98,14 @@ type WorkspacePodVolumes struct {
 	// +listType:="map"
 	// +listMapKey:="mountPath"
 	Data []PodVolumeMount `json:"data,omitempty"`
+
+	// secrets to mount
+	//  - these secrets must already exist in the Namespace
+	//  - secrets are mounted as folders with the secret keys as files
+	// +kubebuilder:validation:Optional
+	// +listType:="map"
+	// +listMapKey:="mountPath"
+	Secrets []PodSecretMount `json:"secrets,omitempty"`
 }
 
 type PodVolumeMount struct {
@@ -121,6 +129,33 @@ type PodVolumeMount struct {
 	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
+type PodSecretMount struct {
+	// the name of the Secret to mount
+	// +kubebuilder:validation:MinLength:=2
+	// +kubebuilder:validation:MaxLength:=63
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	// +kubebuilder:example="my-secret"
+	SecretName string `json:"secretName"`
+
+	// the mount path for the Secret
+	// +kubebuilder:validation:MinLength:=2
+	// +kubebuilder:validation:MaxLength:=4096
+	// +kubebuilder:validation:Pattern:=^/[^/].*$
+	// +kubebuilder:example="/secrets/my-secret"
+	MountPath string `json:"mountPath"`
+
+	// default mode bits used to set permissions on files in the Secret
+	//  - must be a decimal value between 0 and 511, or an octal value between 0000 and 0777
+	//  - for example, 420 is equivalent to 0644, and 511 is equivalent to 0777
+	//  - YAML accepts both octal and decimal values, JSON requires decimal
+	//  - Defaults to 420 (octal: 0644) if not specified.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum:=0
+	// +kubebuilder:validation:Maximum:=511
+	// +kubebuilder:default=420
+	DefaultMode int32 `json:"defaultMode,omitempty"`
+}
+
 type WorkspacePodOptions struct {
 	// the id of an imageConfig option
 	//  - options are defined in WorkspaceKind under

workspaces/controller/config/crd/bases/kubeflow.org_workspaces.yaml

@@ -156,6 +156,47 @@ spec:
                         minLength: 2
                         pattern: ^[a-z0-9][-a-z0-9]*[a-z0-9]$
                         type: string
+                      secrets:
+                        description: |-
+                          secrets to mount
+                           - these secrets must already exist in the Namespace
+                           - secrets are mounted as folders with the secret keys as files
+                        items:
+                          properties:
+                            defaultMode:
+                              default: 420
+                              description: |-
+                                default mode bits used to set permissions on files in the Secret
+                                 - must be a decimal value between 0 and 511, or an octal value between 0000 and 0777
+                                 - for example, 420 is equivalent to 0644, and 511 is equivalent to 0777
+                                 - YAML accepts both octal and decimal values, JSON requires decimal
+                                 - Defaults to 420 (octal: 0644) if not specified.
+                              format: int32
+                              maximum: 511
+                              minimum: 0
+                              type: integer
+                            mountPath:
+                              description: the mount path for the Secret
+                              example: /secrets/my-secret
+                              maxLength: 4096
+                              minLength: 2
+                              pattern: ^/[^/].*$
+                              type: string
+                            secretName:
+                              description: the name of the Secret to mount
+                              example: my-secret
+                              maxLength: 63
+                              minLength: 2
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                          required:
+                          - mountPath
+                          - secretName
+                          type: object
+                        type: array
+                        x-kubernetes-list-map-keys:
+                        - mountPath
+                        x-kubernetes-list-type: map
                     type: object
                 required:
                 - options

workspaces/controller/config/samples/common/kustomization.yaml

@@ -1,4 +1,5 @@
 resources:
 - workspace_data_pvc.yaml
 - workspace_home_pvc.yaml
+- workspace_secret.yaml
 - workspace_service_account.yaml

workspaces/controller/config/samples/common/workspace_secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: workspace-secret
+type: Opaque
+data:
+  key1: dmFsdWUx
+  key2: dmFsdWUy

workspaces/controller/config/samples/jupyterlab_v1beta1_workspace.yaml

@@ -54,6 +54,15 @@ spec:
           mountPath: "/data/my-data"
           readOnly: false
 
+      ## secrets to mount
+      ##  - the secret must already exist in the Namespace
+      ##  - secrets are mounted as folders with the secret keys as files
+      ##
+      secrets:
+        - secretName: "workspace-secret"
+          mountPath: "/secrets/my-secret"
+          defaultMode: 420 # same as 0644 in octal
+
     ## the selected podTemplate options
     ##  - these are the user-selected options from the Workspace Spawner UI
     ##    which determine the PodSpec of the Workspace Pod