Comments (9)
Hey, thanks for thinking this through @Flydiverny. I think I'd prefer the simpler approach to begin with and something that mirrors an existing pattern in kubernetes. Your first example, with some tweaks (envFrom
is an array and specify a data
array):
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: postgres-credentials
secretDescriptor:
backendType: secretsManager
dataFrom:
- /development/postgres/credentials
- /development/api/credentials
data:
- key: /development/auth/secret
name: authSecret
Similar to how envFrom
handles invalid environment variable names, creating the Secret
would succeed even if the operations needed to implement a dataFrom
failed. E.g., if the value in AWS SM wasn't an object and failed a JSON.parse
, the controller would still create the Secret
.
Values in data
would override anything specified in dataFrom
.
Thoughts?
from kubernetes-external-secrets.
#196 was merged adding support as seen above in #94 (comment) !
from kubernetes-external-secrets.
We've been waffling on adding options for more "advanced" processing like this. Mostly because we don't understand the impact/utility of adding them (and we're worried about the longer term maintenance cost), and how general to make the advanced options so that they might scale to backends we add in the future.
Can you help us understand the impact for you? How many key, property objects do you have in an ExternalSecret? How many ExternalSecrets are you juggling?
from kubernetes-external-secrets.
we have about 50 ExternalSecrets with ~15 key value pairs within each. We primarily use the envFrom feature in deployments to be able to source directly without having to specify each one by one.
from kubernetes-external-secrets.
OK, thank you. It seems like this is worth considering supporting. We should think through how. e.g., single entry in the secretDescriptor.data
array? some property on secretDescriptor
that's mutually exclusive with secretDescriptor.data
, or do we support some well-defined merge behavior? ... We'd welcome some concrete suggestions / brainstorming :)
from kubernetes-external-secrets.
I think introducing another field would be great, similar to envFrom (especially for maintaining backwards). for "well defined merge behavior", anything that's manually specified in the data area should override anything that's in the envFrom area.
Thank you for responding so quickly!
from kubernetes-external-secrets.
I think having a basic edition dataFrom
would cover most common use cases? To make it slightly more advanced you could allow merge / overrides from data entries.
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: postgres-credentials
secretDescriptor:
backendType: secretsManager
dataFrom: /development/postgres/credentials
secrets manager secret
{
"Name": "/development/postgres/credentials",
"SecretString": "{\"username\":\"my-pg-user\", \"password\":\"my-super-secret-password\"}",
}
Resulting secret
apiVersion: v1
kind: Secret
metadata:
name: postgres-credentials
type: Opaque
data:
username: bXktcGctdXNlcg== # my-pg-user
password: bXktc3VwZXItc2VjcmV0LXBhc3N3b3Jk # my-super-secret-password
If one wants to go crazy on flexibility I guess you could do something like below, merging from top to bottom, ie last in list last to override.
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: all-them-secrets
secretDescriptor:
backendType: secretsManager
data:
- dataFrom: /development/postgres/credentials
- key: /development/auth/secret
name: authSecret
- key: /development/postgres/my-app/username
name: username
- dataFrom: /development/mysql/credentials
secrets manager secret
{
"Name": "/development/postgres/credentials",
"SecretString": "{\"username\":\"my-pg-user\", \"password\":\"my-super-secret-password\"}",
}
{
"Name": "/development/auth/secret",
"SecretString": "my-auth-secret",
}
{
"Name": "/development/postgres/my-app/username",
"SecretString": "my-app-username",
}
{
"Name": "/development/mysql/credentials",
"SecretString": "{\"mysqlUsername\":\"my-mysql-user\", \"mysqlPassword\":\"my-super-secret-mysql-pw\"}",
}
Resulting secret
apiVersion: v1
kind: Secret
metadata:
name: all-them-secrets
type: Opaque
data:
username: bXktYXBwLXVzZXJuYW1l # my-app-username
password: bXktc3VwZXItc2VjcmV0LXBhc3N3b3Jk # my-super-secret-password
authSecret: bXktYXV0aC1zZWNyZXQ= # my-auth-secret
mysqlUsername: bXktbXlzcWwtdXNlcg== # my-mysql-user
mysqlPassword: bXktc3VwZXItc2VjcmV0LW15c3FsLXB3 # my-super-secret-mysql-pw
While this might be useful in some cases or simple-ish, it wouldn't work well if for example the mysql credentials secret also has keys named username
instead of mysqlUsername
, which seems more likely since its specifically a mysql secret. Should we then allow for renaming keys or prefixing them.
Prefix example
...
- dataFrom: /development/postgres/credentials
prefixNames: postgres
Map example
...
- dataFrom: /development/postgres/credentials
mapNames:
- property: username
name: postgresUsername
- property: password
name: postgresPassword
To yield secret like:
...
data:
postgresUsername: bXktcGctdXNlcg== # my-pg-user
postgresPassword: bXktc3VwZXItc2VjcmV0LXBhc3N3b3Jk # my-super-secret-password
...
from kubernetes-external-secrets.
I suppose the map example could potentially replace current functionallity where you would do:
- data: /development/postgres/credentials
property: username
name: postgresUsername
- data: /development/postgres/credentials
property: password
name: postgresPassword
Maybe one could expand on current functionality to provide the following toolset:
Extract single JSON property from backend
- data: /development/postgres/credentials
property: password
name: postgresPassword
Extract all JSON properties from backend
- data: /development/postgres/credentials
properties: all
Extract specific JSON properties from backend
- data: /development/postgres/credentials
properties:
- property: username
name: postgresUsername
- property: password
name: postgresPassword
Extract plain text from backend
- data: /development/postgres/credentials
name: postgresCredentials
It still leaves the scenario where you might want all the keys from two different backend values which might have the same property names. (prefix example in comment above)
from kubernetes-external-secrets.
@Flydiverny thank you!
from kubernetes-external-secrets.
Related Issues (20)
- alpine base image version HOT 2
- How self-signed cert on Azure KV can decode ? HOT 3
- .
- TLS ERROR with Vault using self-signed certificate HOT 1
- IBM-Cloud-Secret-Manager Arbitrary secret creating with wrong indentation HOT 5
- vault authentication with AppRole HOT 1
- Fetch all Azure KeyVault secrets HOT 4
- isBinary does not do anything when used with dataFromWithOptions HOT 2
- Status update failed for externalsecret due to modification, new poller should start HOT 6
- High severity vulnerabilities on 8.5.0 HOT 6
- Upsert secret from AWS parameter store as is without base64 encoding HOT 1
- High severity vulnerability on 8.5.1 HOT 3
- dataFromWithOptions support for GCP HOT 2
- Feature: add envVarsFromFieldRef to chart HOT 1
- ERROR, Invalid character in header content ["Authorization"] in new installation of kubernetes-external-secrets
- If a secret is deleted with a failed last sync, metric still exists HOT 1
- How to configure multiple AWS accounts HOT 2
- Pod is using stale tokens HOT 1
- unable to pull image "godaddy/kubernetes-external-secrets:6.0.0" HOT 2
- Does Kubernetes-external-secrets supports kubernetes v1.22? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubernetes-external-secrets.