Skip to content
This repository was archived by the owner on May 1, 2021. It is now read-only.

Comments

feat: add provider-specific instructions to remoteRef#4

Open
moolen wants to merge 2 commits intomainfrom
feat/gs
Open

feat: add provider-specific instructions to remoteRef#4
moolen wants to merge 2 commits intomainfrom
feat/gs

Conversation

@moolen
Copy link
Member

@moolen moolen commented Feb 10, 2021

As discussed in external-secrets/external-secrets#22 (comment)

Problem:
(1) A user can't fetch the tags of a secret.
(2) I found another use-case that requires provider-specific options (KES base64/isBinary)

I see two options:

(A) Template Galore 🏇

Tl;DR: use template functions to access metadata or transform base64/pkcs12/pem...

(I think this is a low-hangig fruit once we have basic templating anyway)

spec:
  secretStoreRef:
    name: my-az-store
  data:
  - secretKey: user
     remoteRef:
       key: my-key
  - secretKey: cert
     remoteRef:
       key: my-cert
  target:
    template:
      data:
        # .data.user is the actual secret .Value from azkv 
        # .metadata.user is metadata from azure (e.g. version, Tags, content-type)
        example.yml: |
          endpoints:
          - url: https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
             headers:
               UserAgent: {{.metadata.user.tags.USER_AGENT }}
        # different option to transform the secret value pkcs12 -> []PEM -> cert
        # this is just an idea
        mycert: '{{ .data.cert. | extractPKCS12 | filterPEMCert }}'

(B) provider-specific options in the remoteRef
See proposed changes.

@moolen moolen mentioned this pull request Feb 10, 2021
Merged
mcavoyk
mcavoyk reviewed Feb 15, 2021
View reviewed changes
@moolen
fix: integrate suggestions
2c79a5f 
Co-authored-by: mcavoyk
@asnowfix asnowfix mentioned this pull request Mar 5, 2021
Open
@asnowfix
Copy link
Contributor

asnowfix commented Mar 5, 2021

The API as-is has provisions to handle multiples values under a single key: in the case of AWSSM, those are the JSON-encoded properties. In the case of Azure, those could be the Tags coming along with the main secret value. Here is #6 a proposal for using the Azure native bundling using existing CRD API parameters: Here we consider tags as secondary level secrets (much like the awssm's usage of properties)

There is another type of de-bundling in this PR: in order to try to minimize the number of calls to the Azure API (billing for that service is per call): when the secret is a cert-bundle (which is an information we get from the Content-Type), we should not call the API once to get the cert & once to get the key, as both are already in the answer to the first query.

@moolen moolen mentioned this pull request Dec 7, 2021
Closed
@moolen moolen mentioned this pull request May 2, 2022
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@knelasevero knelasevero knelasevero left review comments

@mcavoyk mcavoyk mcavoyk left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@moolen @asnowfix @knelasevero @mcavoyk