36 changes: 32 additions & 4 deletions pkg/reconcilers/deployment.go
Expand Up @@ -92,10 +92,38 @@ func AuthorinoDeployment(authorino *api.Authorino) *k8sapps.Deployment {
},
})

volumeMounts = append(volumeMounts, k8score.VolumeMount{
Name: volume.Name,
MountPath: volume.MountPath,
})
if len(volume.Items) == 0 {
volumeMounts = append(volumeMounts, k8score.VolumeMount{
Name: volume.Name,
MountPath: volume.MountPath,
})
continue
}

for _, item := range volume.Items {
path := item.Path
if path == "" {
path = item.Key
}
Comment on lines +104 to +107
⚠️ Potential issue | 🟡 Minor

Guard against empty path when both item.Path and item.Key are unset.

If both fields are empty strings, path remains empty, resulting in an empty SubPath (which mounts the entire volume instead of a specific file) and a malformed mountPath ending with just /. Consider skipping items with no resolvable path or logging a warning.

🛡️ Proposed defensive guard
 for _, item := range volume.Items {
     path := item.Path
     if path == "" {
         path = item.Key
     }
+    if path == "" {
+        // Skip items with no resolvable path to avoid malformed mounts
+        continue
+    }

     mountPath := volume.MountPath
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
path := item.Path
if path == "" {
path = item.Key
}
path := item.Path
if path == "" {
path = item.Key
}
if path == "" {
// Skip items with no resolvable path to avoid malformed mounts
continue
}
mountPath := volume.MountPath
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/reconcilers/deployment.go` around lines 104 - 107, Guard against an empty
mount path by checking if both item.Path and item.Key are empty before using
them: after computing path := item.Path; if path == "" { path = item.Key } add a
conditional that if path == "" then log a warning (including item identifier)
and continue/skip this item so you never set VolumeMount.SubPath or compute
mountPath with an empty string; update any code that builds mountPath to assume
path is non-empty (or trim trailing slashes) to avoid producing a mountPath that
ends with "/".


mountPath := volume.MountPath
// For multiple items, always treat mountPath as a directory.
// For a single item, check if mountPath already includes the full path.
if len(volume.Items) > 1 || !strings.HasSuffix(mountPath, "/"+path) {
// mountPath is a directory, append the path
if !strings.HasSuffix(mountPath, "/") {
mountPath = mountPath + "/"
}
mountPath = mountPath + path
}

volumeMount := k8score.VolumeMount{
Name: volume.Name,
MountPath: mountPath,
SubPath: path,
}
Comment on lines +120 to +124
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Kubernetes, do subPath volume mounts backed by Secret, ConfigMap, or projected volumes receive live updates when the source object changes, or is a pod restart required?

💡 Result:

In Kubernetes, subPath volume mounts backed by Secret, ConfigMap, or projected volumes do not receive live updates when the source object changes. A pod restart is required to pick up the changes.

SubPath mounts prevent automatic Secret/ConfigMap updates.

Using subPath with Secret or ConfigMap volumes disables live refresh behaviour. When the source Secret or ConfigMap is updated, pods with subPath mounts will not receive the changes until restarted. Either keep whole-volume mounts where feasible, or implement an explicit pod rollout strategy on source updates.

Code location

Lines 119–123 in pkg/reconcilers/deployment.go

			volumeMount := k8score.VolumeMount{
				Name:      volume.Name,
				MountPath: mountPath,
				SubPath:   path,
			}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/reconcilers/deployment.go` around lines 119 - 123, The current
VolumeMount creation sets SubPath (volumeMount with fields Name, MountPath,
SubPath) which prevents live updates for Secret/ConfigMap volumes; either remove
SubPath to mount the whole volume or implement an explicit rollout on
secret/configmap updates: prefer removing SubPath in the volumeMount
construction when the backing Volume is a Secret or ConfigMap, and if
partial-path mounting is required, compute a checksum of the referenced
Secret/ConfigMap and add it as an annotation on the Deployment/PodTemplate (so
the reconciler updates podTemplate.annotations and triggers a rollout) — update
the volumeMount creation site (volumeMount) and the deployment reconcile logic
that builds the pod template to apply one of these fixes.

volumeMounts = append(volumeMounts, volumeMount)
}
}

// mount tls cert volume for the ext_authz listener if enable
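Review bot: `path` (taken from `item.Path`, falling back to `item.Key`) flows straight into `SubPath` and into the computed `mountPath` with no validation in this hunk. The API server rejects a subPath that is absolute or contains `..` elements and rejects duplicate `mountPath` values across a container's mounts, so a mistyped or hostile `Authorino` spec cannot escape the volume, but the rejection only surfaces as a Deployment create/update error inside the reconcile loop. Consider validating each item before building the mount (non-empty after the `Key` fallback, relative, no `..` elements, no two items resolving to the same `MountPath`) and reporting a failed item as a status condition on the `Authorino` resource rather than letting the apiserver error be the first signal. Separately, the hunk introduces calls to `strings.HasSuffix`, yet the file header's 32 additions are all accounted for by the lines shown here, so no import was added in this change; confirm `strings` is already imported in `deployment.go`, otherwise the package will not compile. A table-driven test covering the three branches (no items; a single item whose `MountPath` already ends in `/<path>`; several items under a directory `MountPath` both with and without a trailing `/`) would pin the new behaviour down.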