main: Add docker/k8s secrets friendly path #28

Merged: 1 commit, Mar 1, 2022

kallisti5 commented Mar 1, 2022

This pod really isn't usable with k8s secrets or docker secrets. You can't mount secrets over / (working directory, aka .) or /etc as these paths contain other things mounted read-only from the container (/etc/hosts for example).

This change introduces an alternative path (/run/secrets) to search for secrets in. This is compatible with docker secrets out of the box, and will work with k8s secrets as nothing else is commonly mounted here.

```
Error: failed to create containerd task: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/kubelet/pods/4cd3c998-ad72-4c26-b527-6e5dc0b5d29e/etc-hosts" to rootfs at "/etc/hosts" caused: mkdir /run/containerd/io.containerd.runtime.v2.task/k8s.io/irccat/rootfs/etc: read-only file system: unknown
```

This change will let things like this work...

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: irccat-config
stringData:
  config: |2
    {
      "tcp": {
        "listen": ":12345"
      },
      "http": {
.
.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: irccat
  labels:
    app: irccat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: irccat
  template:
    metadata:
      labels:
        app: irccat
    spec:
      containers:
      - name: irccat
        image: ghcr.io/irccloud/irccat:0.4.7
        resources:
          limits:
            cpu: "0.25"
            memory: "256Mi"
          requests:
            cpu: "0.15"
            memory: "128Mi"
        volumeMounts:
        - name: config
          mountPath: /run/secrets
      volumes:
      - name: config
        secret:
          secretName: irccat-config
          items:
          - key: config
            path: irccat.json
```
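
A sketch of the search order described in the comment above, added here as an illustration and not taken from irccat's code or from this PR's diff. The names `FindConfig`, `searchDirs` and `ErrNotFound`, and the permission check, are assumptions; only the three directories and the `irccat.json` file name come from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// searchDirs lists the locations named in the PR comment: the working
// directory, /etc, and the added /run/secrets (hypothetical variable name).
var searchDirs = []string{".", "/etc", "/run/secrets"}

// ErrNotFound is returned when none of the directories holds the file.
var ErrNotFound = errors.New("config file not found")

// FindConfig returns the first regular file called name found in dirs, in
// order. loose is true when that file is readable by group or others, which
// matters because the file mounted from a secret holds credentials.
func FindConfig(dirs []string, name string) (path string, loose bool, err error) {
	for _, dir := range dirs {
		candidate := filepath.Join(dir, name)
		info, statErr := os.Stat(candidate) // Stat follows symlinks, as used in secret volumes
		if errors.Is(statErr, fs.ErrNotExist) {
			continue // not in this directory, try the next one
		}
		if statErr != nil {
			return "", false, fmt.Errorf("stat %s: %w", candidate, statErr)
		}
		if !info.Mode().IsRegular() {
			continue // a directory or device with that name is not a config
		}
		return candidate, info.Mode().Perm()&0o044 != 0, nil
	}
	return "", false, ErrNotFound
}

func main() {
	path, loose, err := FindConfig(searchDirs, "irccat.json")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if loose {
		fmt.Fprintf(os.Stderr, "warning: %s is readable by group or others\n", path)
	}
	fmt.Println("using config:", path)
}
```

Kubernetes secret volumes default to file mode 0644, so the warning fires for the Deployment above unless `defaultMode` is set on the secret volume.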

kallisti5 commented

it would be nice (tm) to get a new release with this change :-D

russss commented Mar 1, 2022

Sounds sensible! I'll do a new release once I remember how...

russss merged commit a2a91e5 into irccloud:master on Mar 1, 2022