Referencing secrets and configmaps as mounted files (CLI)

In Code Engine, after you create secrets and configmaps, the information that is stored as key-value pairs can be consumed by your app or job workload as a mounted file. You cannot use this method with functions.

Working with secrets and configmaps as mounted files is similar to working with secrets and configmaps as environment variables.

When you work with secrets, data is saved as an encoded string. The data is not encoded when it is added to the environment as an environment variable or as a mounted file.

Referencing a secret as a mounted file with the CLI

In this scenario, create a secret and then reference the secret as a mounted file when you run an application, which uses the icr.io/codeengine/ce-secret-vol image.

The sample image, icr.io/codeengine/ce-secret-vol, reads each file in the /mysecrets directory and prints the name of the file and its contents to standard output for each request so that the output is contained in the app logs. For more information about this sample application, see the secrets as volumes (secrets-vol) sample in the IBM Cloud Code Engine GitHub repo.

While this scenario uses a secret, you can use the same steps to reference a configmap as a mounted file by substituting configmap for secret in the commands.

Create a secret, named mysecret, and specify the key-value pairs for the secret by using the --from-literal option; for example,
```
ibmcloud ce secret create -n mysecret --from-literal apikey=abcdefgh 
```
Create the myapp application that uses the icr.io/codeengine/ce-secret-vol image. Use the --mount-secret option to mount or add the contents of the mysecret secret to the app in the /mysecrets directory. By specifying the --min-scale=1 option, the app always has an instance that is running and does not scale to zero. Configuring the app to always have a running instance is useful when you view logs. For example,
```
ibmcloud ce app create --name myapp --image icr.io/codeengine/ce-secret-vol --mount-secret /mysecrets=mysecret --min-scale 1
```
Example output
```
Creating application 'myapp'...
[...]
Run 'C:\Program Files\IBM\Cloud\bin\ibmcloud.exe ce application get -n myapp' to check the application status.
OK

https://myapp.4svg40kna19.us-south.codeengine.appdomain.cloud
```
Copy the URL from the previous output and call the application with curl; for example,
```
curl https://myapp.4svg40kna19.us-south.codeengine.appdomain.cloud
```
View the logs from your application. In this example, the myapp app uses the sample image, icr.io/codeengine/ce-secret-vol. This app reads each file in the /mysecrets directory and prints the name of the file and its contents to standard output for each request so that the output is contained in the app logs. The name of the file is apikey.
```
ibmcloud ce app logs --app myapp
```
Example output
```
Getting logs for all instances of application 'myapp'...
OK

myapp-b3gxd-1-deployment-6f45dcf7f4-nw59z/user-container:
Listening on port 8080
apikey: abcdefgh
```
Update the mysecret secret to change the value for the apikey key-value pairs; for example,
```
ibmcloud ce secret update -n mysecret --from-literal apikey=qrst 
```

Call the application again.

curl https://myapp.4svg40kna19.us-south.codeengine.appdomain.cloud

View the logs from your application.

ibmcloud ce app logs --app myapp

Example output

Getting logs for all instances of application 'myapp'...
OK

myapp-b3gxd-1-deployment-6f45dcf7f4-nw59z/user-container:
Listening on port 8080
apikey: abcdefgh
apikey: qrst

You added data that is stored in secrets (or configmaps) to your app as a mounted file, and then updated the data stored in the secret. The app did not require a restart to use the updated referenced secret.