Use our own SecretSource struct with an entries field

config/crds/apm_v1alpha1_apmserver.yaml

@@ -167,6 +167,36 @@ spec:
                 to change the target path of a secret entry key. The secret must exist
                 in the same namespace as the APM resource.
               items:
+                properties:
+                  entries:
+                    description: If unspecified, each key-value pair in the Data field
+                      of the referenced Secret will be projected into the volume as
+                      a file whose name is the key and content is the value. If specified,
+                      the listed keys will be projected into the specified paths,
+                      and unlisted keys will not be present. If a key is specified
+                      which is not present in the Secret, the volume setup will error
+                      unless it is marked optional. Paths must be relative and may
+                      not contain the '..' path or start with '..'.
+                    items:
+                      properties:
+                        key:
+                          description: The key to project.
+                          type: string
+                        path:
+                          description: The relative path of the file to map the key
+                            to. May not be an absolute path. May not contain the path
+                            element '..'. May not start with the string '..'.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
+                  secretName:
+                    description: 'Name of the secret in the pod''s namespace to use.
+                      More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+                    type: string
+                required:
+                - secretName
                 type: object
               type: array
             version:

config/crds/elasticsearch_v1alpha1_elasticsearch.yaml

@@ -172,6 +172,36 @@ spec:
                 to change the target path of a secret entry key. The secret must exist
                 in the same namespace as the Elasticsearch resource.
               items:
+                properties:
+                  entries:
+                    description: If unspecified, each key-value pair in the Data field
+                      of the referenced Secret will be projected into the volume as
+                      a file whose name is the key and content is the value. If specified,
+                      the listed keys will be projected into the specified paths,
+                      and unlisted keys will not be present. If a key is specified
+                      which is not present in the Secret, the volume setup will error
+                      unless it is marked optional. Paths must be relative and may
+                      not contain the '..' path or start with '..'.
+                    items:
+                      properties:
+                        key:
+                          description: The key to project.
+                          type: string
+                        path:
+                          description: The relative path of the file to map the key
+                            to. May not be an absolute path. May not contain the path
+                            element '..'. May not start with the string '..'.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
+                  secretName:
+                    description: 'Name of the secret in the pod''s namespace to use.
+                      More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+                    type: string
+                required:
+                - secretName
                 type: object
               type: array
             setVmMaxMapCount:

config/crds/kibana_v1alpha1_kibana.yaml

@@ -164,6 +164,36 @@ spec:
                 to change the target path of a secret entry key. The secret must exist
                 in the same namespace as the Kibana resource.
               items:
+                properties:
+                  entries:
+                    description: If unspecified, each key-value pair in the Data field
+                      of the referenced Secret will be projected into the volume as
+                      a file whose name is the key and content is the value. If specified,
+                      the listed keys will be projected into the specified paths,
+                      and unlisted keys will not be present. If a key is specified
+                      which is not present in the Secret, the volume setup will error
+                      unless it is marked optional. Paths must be relative and may
+                      not contain the '..' path or start with '..'.
+                    items:
+                      properties:
+                        key:
+                          description: The key to project.
+                          type: string
+                        path:
+                          description: The relative path of the file to map the key
+                            to. May not be an absolute path. May not contain the path
+                            element '..'. May not start with the string '..'.
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    type: array
+                  secretName:
+                    description: 'Name of the secret in the pod''s namespace to use.
+                      More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+                    type: string
+                required:
+                - secretName
                 type: object
               type: array
             version:

config/samples/apm/apmserver.yaml

@@ -17,6 +17,6 @@ spec:
 #   - secretName: ref-to-secret
 #   - secretName: another-ref-to-secret
 #     # expose only a subset of the secret keys (optional)
-#     items:
+#     entries:
 #     - key: value1
 #       path: newkey # project a key to a specific path (optional)

config/samples/elasticsearch/elasticsearch.yaml

@@ -47,7 +47,7 @@ spec:
   # - secretName: ref-to-secret
   # - secretName: another-ref-to-secret
   #   # expose only a subset of the secret keys (optional)
-  #   items:
+  #   entries:
   #   - key: value1
   #     path: newkey # project a key to a specific path (optional)
   # http:

config/samples/kibana/kibana.yaml

@@ -24,6 +24,6 @@ spec:
 #   - secretName: ref-to-secret
 #   - secretName: another-ref-to-secret
 #     # expose only a subset of the secret keys (optional)
-#     items:
+#     entries:
 #     - key: value1
 #       path: newkey # project a key to a specific path (optional)

docs/elasticsearch-spec.asciidoc

@@ -197,7 +197,7 @@ spec:
   setVmMaxMapCount: false
 ----
 
-For more information, see the Elasticsearch documentation on 
+For more information, see the Elasticsearch documentation on
 link:https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html[Virtual memory].
 
 Optionally, you can select a different type of file system implementation for the storage. For possible options, see the
@@ -251,17 +251,17 @@ spec:
   - secretName: two-secure-settings-secret
 ----
 
-You can export a subset of secret keys and also project keys to specific paths using the `items`, `key` and `path` fields:
+You can export a subset of secret keys and also project keys to specific paths using the `entries`, `key` and `path` fields:
 
 [source,yaml]
 ----
 spec:
   secureSettings:
   - secretName: your-secure-settings-secret
-    items:
-    - key: value1
-      path: newkey
-    type: array
+    entries:
+    - key: key1
+    - key: key2
+      path: newkey2
 ----
 
 See link:k8s-snapshot.html[How to create automated snapshots] for an example use case.
@@ -298,7 +298,7 @@ spec:
             bin/elasticsearch-plugin install --batch repository-azure
 ----
 
-To install custom configuration files you can use volumes and volume mounts. 
+To install custom configuration files you can use volumes and volume mounts.
 
 The next example shows how to add a synonyms file for the
 link:https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-synonym-tokenfilter.html[synonym token filter] in Elasticsearch.

pkg/apis/apm/v1alpha1/apmserver_types.go

@@ -50,10 +50,10 @@ type ApmServerSpec struct {
 	// into the APM keystore on each node.
 	// Each individual key/value entry in the referenced secrets is considered as an
 	// individual secure setting to be injected.
-	// You can use the `items` and `key` fields to consider only a subset of the secret
+	// You can use the `entries` and `key` fields to consider only a subset of the secret
 	// entries and the `path` field to change the target path of a secret entry key.
 	// The secret must exist in the same namespace as the APM resource.
-	SecureSettings []corev1.SecretVolumeSource `json:"secureSettings,omitempty"`
+	SecureSettings []commonv1alpha1.SecretSource `json:"secureSettings,omitempty"`
 }
 
 // Elasticsearch contains configuration for the Elasticsearch output
@@ -153,7 +153,7 @@ func (as *ApmServer) ElasticsearchRef() commonv1alpha1.ObjectSelector {
 	return as.Spec.ElasticsearchRef
 }
 
-func (as *ApmServer) SecureSettings() []corev1.SecretVolumeSource {
+func (as *ApmServer) SecureSettings() []commonv1alpha1.SecretSource {
 	return as.Spec.SecureSettings
 }
 

pkg/apis/common/v1alpha1/common.go

@@ -118,3 +118,29 @@ type PodDisruptionBudgetTemplate struct {
 	// +optional
 	Spec v1beta1.PodDisruptionBudgetSpec `json:"spec,omitempty"`
 }
+
+type SecretSource struct {
+	// Name of the secret in the pod's namespace to use.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	SecretName string `json:"secretName"`
+	// If unspecified, each key-value pair in the Data field of the referenced
+	// Secret will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present.
+	// +optional
+	Entries []KeyToPath `json:"entries,omitempty"`
+}
+
+// Maps a string key to a path within a volume.
+type KeyToPath struct {
+	// The key to project.
+	Key string `json:"key"`
+
+	// The relative path of the file to map the key to.
+	// May not be an absolute path.
+	// May not contain the path element '..'.
+	// May not start with the string '..'.
+	// +optional
+	Path string `json:"path,omitempty"`
+}

pkg/apis/elasticsearch/v1alpha1/elasticsearch_types.go

@@ -49,10 +49,10 @@ type ElasticsearchSpec struct {
 	// into Elasticsearch keystore on each node.
 	// Each individual key/value entry in the referenced secrets is considered as an
 	// individual secure setting to be injected.
-	// You can use the `items` and `key` fields to consider only a subset of the secret
+	// You can use the `entries` and `key` fields to consider only a subset of the secret
 	// entries and the `path` field to change the target path of a secret entry key.
 	// The secret must exist in the same namespace as the Elasticsearch resource.
-	SecureSettings []corev1.SecretVolumeSource `json:"secureSettings,omitempty"`
+	SecureSettings []commonv1alpha1.SecretSource `json:"secureSettings,omitempty"`
 }
 
 // NodeCount returns the total number of nodes of the Elasticsearch cluster
@@ -259,7 +259,7 @@ func (e Elasticsearch) IsMarkedForDeletion() bool {
 	return !e.DeletionTimestamp.IsZero()
 }
 
-func (e Elasticsearch) SecureSettings() []corev1.SecretVolumeSource {
+func (e Elasticsearch) SecureSettings() []commonv1alpha1.SecretSource {
 	return e.Spec.SecureSettings
 }
 

pkg/apis/kibana/v1alpha1/kibana_types.go

@@ -51,10 +51,10 @@ type KibanaSpec struct {
 	// into Kibana keystore on each node.
 	// Each individual key/value entry in the referenced secrets is considered as an
 	// individual secure setting to be injected.
-	// You can use the `items` and `key` fields to consider only a subset of the secret
+	// You can use the `entries` and `key` fields to consider only a subset of the secret
 	// entries and the `path` field to change the target path of a secret entry key.
 	// The secret must exist in the same namespace as the Kibana resource.
-	SecureSettings []corev1.SecretVolumeSource `json:"secureSettings,omitempty"`
+	SecureSettings []commonv1alpha1.SecretSource `json:"secureSettings,omitempty"`
 }
 
 // BackendElasticsearch contains configuration for an Elasticsearch backend for Kibana
@@ -109,7 +109,7 @@ func (k *Kibana) ElasticsearchRef() commonv1alpha1.ObjectSelector {
 	return k.Spec.ElasticsearchRef
 }
 
-func (k *Kibana) SecureSettings() []corev1.SecretVolumeSource {
+func (k *Kibana) SecureSettings() []commonv1alpha1.SecretSource {
 	return k.Spec.SecureSettings
 }
 

pkg/controller/common/keystore/resources.go

@@ -7,6 +7,7 @@ package keystore
 import (
 	"strings"
 
+	commonv1alpha1 "github.com/elastic/cloud-on-k8s/pkg/apis/common/v1alpha1"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/driver"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/name"
 	corev1 "k8s.io/api/core/v1"
@@ -32,7 +33,7 @@ type Resources struct {
 type HasKeystore interface {
 	metav1.Object
 	runtime.Object
-	SecureSettings() []corev1.SecretVolumeSource
+	SecureSettings() []commonv1alpha1.SecretSource
 	// Kind can technically be retrieved from metav1.Object, but there is a bug preventing us to retrieve it
 	// see https://github.com/kubernetes-sigs/controller-runtime/issues/406
 	Kind() string