Skip to content
This repository has been archived by the owner on May 1, 2021. It is now read-only.

feat: add provider-specific instructions to remoteRef #4

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: add provider-specific instructions to remoteRef #4

wants to merge 2 commits into from

Conversation

moolen
Copy link
Member

@moolen moolen commented Feb 10, 2021

As discussed in external-secrets/external-secrets#22 (comment)

Problem:
(1) A user can't fetch the tags of a secret.
(2) I found another use-case that requires provider-specific options (KES base64/isBinary)

I see two options:

(A) Template Galore 🏇

Tl;DR: use template functions to access metadata or transform base64/pkcs12/pem...

(I think this is a low-hangig fruit once we have basic templating anyway)

spec:
  secretStoreRef:
    name: my-az-store
  data:
  - secretKey: user
     remoteRef:
       key: my-key
  - secretKey: cert
     remoteRef:
       key: my-cert
  target:
    template:
      data:
        # .data.user is the actual secret .Value from azkv 
        # .metadata.user is metadata from azure (e.g. version, Tags, content-type)
        example.yml: |
          endpoints:
          - url: https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
             headers:
               UserAgent: {{.metadata.user.tags.USER_AGENT }}
        # different option to transform the secret value pkcs12 -> []PEM -> cert
        # this is just an idea
        mycert: '{{ .data.cert. | extractPKCS12 | filterPEMCert }}'

(B) provider-specific options in the remoteRef
See proposed changes.

@moolen moolen mentioned this pull request Feb 10, 2021
Merged
mcavoyk
mcavoyk reviewed Feb 15, 2021
View reviewed changes
Spec.md Outdated Show resolved Hide resolved
@moolen
fix: integrate suggestions
2c79a5f 
Co-authored-by: mcavoyk
@asnowfix asnowfix mentioned this pull request Mar 5, 2021
Open
@asnowfix
Copy link
Contributor

asnowfix commented Mar 5, 2021

The API as-is has provisions to handle multiples values under a single key: in the case of AWSSM, those are the JSON-encoded properties. In the case of Azure, those could be the Tags coming along with the main secret value. Here is #6 a proposal for using the Azure native bundling using existing CRD API parameters: Here we consider tags as secondary level secrets (much like the awssm's usage of properties)

There is another type of de-bundling in this PR: in order to try to minimize the number of calls to the Azure API (billing for that service is per call): when the secret is a cert-bundle (which is an information we get from the Content-Type), we should not call the API once to get the cert & once to get the key, as both are already in the answer to the first query.

@moolen moolen mentioned this pull request Dec 7, 2021
Closed
@moolen moolen mentioned this pull request May 2, 2022
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mcavoyk mcavoyk mcavoyk left review comments

@knelasevero knelasevero knelasevero left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@moolen @asnowfix @knelasevero @mcavoyk