Skip to content

docs: Add RFC for mounting ConfigMaps and Secrets into instances#128

Open
scotwells wants to merge 5 commits into
mainfrom
docs/configmap-secret-mounts-rfc
Open

docs: Add RFC for mounting ConfigMaps and Secrets into instances#128
scotwells wants to merge 5 commits into
mainfrom
docs/configmap-secret-mounts-rfc

Conversation

@scotwells
Copy link
Copy Markdown
Contributor

@scotwells scotwells commented May 31, 2026
edited
Loading

Summary

Today a compute Workload can only set literal environment variables — users can't point an instance at a ConfigMap or Secret they manage, so app config, API keys, and TLS material end up baked into images or pasted as plaintext. This RFC proposes letting users reference ConfigMaps and Secrets from a Workload template and have that data delivered securely to their instances in every POP cell the workload runs in, without the user ever knowing federation exists.

It splits the work along what's actually achievable:

  • Env injection (ConfigMap/Secret keys as environment variables) — the common twelve-factor case, deliverable on the Unikraft provider with no upstream vendor dependency, so it ships first.
  • File mounts (ConfigMap/Secret rendered as files at a path) — needed for config files and certs, but blocked on an Unikraft Cloud file-injection capability that doesn't exist yet. The user-facing API is identical, so there's no rework for users when it lands.

Secret values never enter the Workload or Instance spec; they travel only as Secret objects, resolved in the management plane and delivered to the edge. This RFC also establishes the foundational referenced-data delivery path (resolver, scoped project-plane client, scheduling gate, provider gate honoring) that image pull credentials will later consume rather than rebuild.

The document is the deliverable here — it records the design, the two architecture decisions made (management-plane companion delivery; no auto-roll plus an explicit restart path), the alternatives weighed, and what two rounds of adversarial review changed.

Review plan

  • Validate the cross-plane delivery model (companions + PropagationPolicy) against federation behavior
  • Confirm the Unikraft Cloud file-injection gap and the proposed upstream ask
  • Sanity-check the security boundary (secret bytes never in user-visible specs; edge exposure)
  • Review the open questions, especially file-mount UX and scoped-client IAM granularity

🤖 Generated with Claude Code

scotwells and others added 5 commits May 31, 2026 11:35
@scotwells @claude
docs: Add RFC for mounting ConfigMaps and Secrets into instances
7e32da1 
Design proposal for letting compute Workloads reference ConfigMaps and
Secrets so their data reaches instances across federated POP cells. Covers
env injection (buildable on the Unikraft provider today) and file mounts
(blocked on an upstream Unikraft Cloud capability), and introduces the
foundational referenced-data delivery path that image pull credentials
will later consume.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@scotwells @claude
docs: Condense ConfigMap/Secret RFC and add end-to-end sequence diagram
5b3ae33 
Trim the proposal substantially and add a Mermaid sequence diagram showing
the full propagation flow from a user creating a Workload through to the
compute provider deploying the instance with config/secret data applied.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@scotwells @claude
docs: Refocus ConfigMap/Secret RFC on product and design
f17e2de 
Remove file/line and code-path references throughout; describe components by
role and the user-facing API contract instead, keeping the proposal at a
product and architecture altitude.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@scotwells @claude
docs: Correct consumption model; collapse RFC to the delivery problem
51621c8 
The Unikraft runtime's kubelet integration consumes Pod specs with native
ConfigMap/Secret references as env vars and volume mounts, so file mounts are
not vendor-blocked. Remove the env-now/files-later phasing and upstream
dependency, and reframe the proposal around its real scope: delivering the
referenced data across planes to the cell.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@scotwells @claude
docs: Call out the platform-capability direction explicitly
8ce9027 
Add a Platform direction section: build delivery behind a capability-shaped
seam in compute now, keep it separable from consumption, and promote it to a
platform-owned, policy-driven capability when a second consumer appears.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@scotwells scotwells marked this pull request as ready for review May 31, 2026 17:46
@scotwells scotwells requested review from a team and savme May 31, 2026 17:46
ecv
ecv approved these changes May 31, 2026
View reviewed changes
Copy link
Copy Markdown

@ecv ecv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh so friday night is not for claude but sunday is for claude. i see how it is

mattdjenkinson
mattdjenkinson approved these changes May 31, 2026
View reviewed changes
Comment thread docs/compute/development/rfcs/configmap-secret-mounts.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ecv ecv ecv approved these changes

@savme savme savme approved these changes

@mattdjenkinson mattdjenkinson mattdjenkinson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@scotwells @ecv @savme @mattdjenkinson