
Comments (2)

tomhjp commented on June 12, 2024

Hello 👋 these are good questions. I think there are a few pre-existing things to mention here.

  • If you omit the secretKey, the whole JSON response will be written to the file/k8s secret (docs). So if you write many secrets to a single KV path (e.g. vault kv put secret/foo user=admin pass=hunter2 url=...), you can fetch all of those secret values in one SPC object.
  • There is a PR on the driver (with some renewed interest in the most recent community call) to support transforming JSON file contents using JSON path: kubernetes-sigs/secrets-store-csi-driver#963
  • There is a feature request on the driver to support syncing all files from a mount request into the k8s secret: kubernetes-sigs/secrets-store-csi-driver#529 - AFAIK this one is much less specced out than the transforms feature, so it's hard to say what the final functionality would look like, but I hope something like the below would be possible:

    ---
    apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
    kind: SecretProviderClass
    [...]
      secretObjects:
      - secretName: db-creds
        type: Opaque
        syncAll: true
      parameters:
        [...]
        objects: |
          - objectName: obj
            secretPath: "database/creds/db-app"
      transforms:
        - inFilePath: "obj"
          jsonPath: "$.username"
          outFilePath: "username"
        - inFilePath: "obj"
          jsonPath: "$.password"
          outFilePath: "password"

I think that gets relatively close to what you want, except you can still end up with quite an arduous number of transform entries.

The vault-csi-provider owns all of the config inside parameters, and the driver owns the rest, so while the features for syncAll for k8s secrets and transforms would be best/only possible to do in the driver, there is a potential feature request here to automatically create one object per key inside the secret's data field. Perhaps we could default to doing that if both objectName and secretKey are omitted.

Do you think that would fit your use-case?

from vault-csi-provider.
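The following is an added illustration of the two mechanisms discussed in the comment above; it is not code from the vault-csi-provider or the secrets-store-csi-driver, and neither feature is a released API. `ExpandKeys` models the proposed provider default (one file per key under the secret's `data` field when `objectName` and `secretKey` are both omitted), and `ApplyTransforms` models the sketched driver-side `transforms` entries with a deliberately small `$.a.b` subset of JSONPath. Assumptions made here: the `Transform` field names follow the YAML sketch; KV v2 responses nest user keys under `data.data` alongside `metadata`, while KV v1 and dynamic secrets keep them directly under `data`; and because omitting `secretKey` writes the whole JSON response to the file, the transform paths in the sample descend through `$.data.…`. The sample responses are constructed, not captured from a real Vault.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Transform mirrors the hypothetical transforms entries sketched in the
// comment above. Assumption: these field names are not a released API.
type Transform struct {
	InFilePath  string
	JSONPath    string
	OutFilePath string
}

// secretData extracts the user-facing key/value map from a raw Vault response.
// Assumption: a "data" object that itself holds "data" and "metadata" is a
// KV v2 response, so the inner map is returned; otherwise "data" is used as-is.
func secretData(raw []byte) (map[string]json.RawMessage, error) {
	var resp struct {
		Data map[string]json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("parse response: %w", err)
	}
	if resp.Data == nil {
		return nil, errors.New("response has no data field")
	}
	inner, hasInner := resp.Data["data"]
	_, hasMeta := resp.Data["metadata"]
	if hasInner && hasMeta {
		var kv2 map[string]json.RawMessage
		if err := json.Unmarshal(inner, &kv2); err != nil {
			return nil, fmt.Errorf("parse kv v2 data: %w", err)
		}
		return kv2, nil
	}
	return resp.Data, nil
}

// fileValue renders a JSON value the way a mounted secret file would hold it:
// JSON strings verbatim (no surrounding quotes), anything else as raw JSON.
func fileValue(v json.RawMessage) string {
	var s string
	if err := json.Unmarshal(v, &s); err == nil {
		return s
	}
	return string(v)
}

// ExpandKeys models the proposed provider default: one file per key in the
// secret's data field, each file named after its key.
func ExpandKeys(raw []byte) (map[string]string, error) {
	data, err := secretData(raw)
	if err != nil {
		return nil, err
	}
	files := make(map[string]string, len(data))
	for k, v := range data {
		files[k] = fileValue(v)
	}
	return files, nil
}

// lookup resolves a JSONPath of the limited "$.a.b" form used in the sketch.
// Unknown keys and non-object intermediates are errors, so a typo in the
// SecretProviderClass surfaces instead of silently producing an empty file.
func lookup(doc json.RawMessage, path string) (json.RawMessage, error) {
	if !strings.HasPrefix(path, "$") {
		return nil, fmt.Errorf("jsonPath %q must start with $", path)
	}
	cur := doc
	for _, seg := range strings.Split(strings.TrimPrefix(path, "$"), ".") {
		if seg == "" {
			continue
		}
		var obj map[string]json.RawMessage
		if err := json.Unmarshal(cur, &obj); err != nil {
			return nil, fmt.Errorf("jsonPath %q: segment %q applied to a non-object", path, seg)
		}
		next, ok := obj[seg]
		if !ok {
			return nil, fmt.Errorf("jsonPath %q: key %q not found", path, seg)
		}
		cur = next
	}
	return cur, nil
}

// ApplyTransforms derives additional files from files already in the mount,
// returning a new map that keeps the originals and adds each outFilePath.
func ApplyTransforms(files map[string]string, transforms []Transform) (map[string]string, error) {
	out := make(map[string]string, len(files)+len(transforms))
	for k, v := range files {
		out[k] = v
	}
	for _, t := range transforms {
		src, ok := files[t.InFilePath]
		if !ok {
			return nil, fmt.Errorf("transform: input file %q not in mount", t.InFilePath)
		}
		v, err := lookup(json.RawMessage(src), t.JSONPath)
		if err != nil {
			return nil, err
		}
		out[t.OutFilePath] = fileValue(v)
	}
	return out, nil
}

// Constructed sample responses (not captured from a real Vault).
const dbCredsResponse = `{"request_id":"x","lease_duration":3600,"data":{"username":"v-k8s-db-app-abc","password":"A1b2c3"}}`
const kvV2Response = `{"data":{"data":{"user":"admin","pass":"hunter2","url":"postgres://db:5432"},"metadata":{"version":1}}}`

func main() {
	// Proposed default: one file per key of a multi-key KV v2 secret.
	files, err := ExpandKeys([]byte(kvV2Response))
	if err != nil {
		panic(err)
	}
	// Sketched transforms: pull fields out of the whole-response file "obj".
	out, err := ApplyTransforms(map[string]string{"obj": dbCredsResponse}, []Transform{
		{InFilePath: "obj", JSONPath: "$.data.username", OutFilePath: "username"},
		{InFilePath: "obj", JSONPath: "$.data.password", OutFilePath: "password"},
	})
	if err != nil {
		panic(err)
	}
	for _, m := range []map[string]string{files, out} {
		names := make([]string, 0, len(m))
		for k := range m {
			names = append(names, k)
		}
		sort.Strings(names)
		for _, k := range names {
			fmt.Printf("%s => %d bytes\n", k, len(m[k]))
		}
		fmt.Println("--")
	}
}
```

Either path ends with the same file set in the mount; the difference is where the mapping lives (provider-owned `parameters` versus driver-owned `transforms`), which is exactly the ownership split the comment describes. The sizes are printed rather than the values so a quick run does not echo secret material into logs.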

adlnc commented on June 12, 2024

Thank you for your reply,

Simply put, the answer is yes! I think you totally got what I'm looking for.
So you first remove my doubts that, at the moment, this doesn't seem to be supported.
Now, do you think such a feature could be implemented and would be relevant?

Yes, I tried playing with the full json response while omitting the secretKey but handling a single object here doesn't seem to fit my need.

In the end, if I get this right in order for this to work, this would require the default behavior you mention when objectName and secretKey are omitted (vault-csi provider) + that PR for transforms and SyncAll option to be merged (secret-store-driver).

