-
Notifications
You must be signed in to change notification settings - Fork 658
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add ability to template arbitrary data keys within resulting secrets #445
Comments
+1 We have a similar usecase with ArgoCD, the cluster secret should look like this:
In the secret above, A simple solution that SS could be implement is to support
|
@musabmasood I think the templating support I implemented would meet your use case, can you help confirm? I updated the config file templating example as part of my PR: https://github.com/bitnami-labs/sealed-secrets/pull/446/files#diff-a311653b9191ca8296fee028d97e41feR16 I think you could just add additional "template" data keys that didn't have any variable substitution. e.g. alongside |
Yeah. It seems a very practical thing to have. I'll take a look soon |
For I long time I wanted to convince myself that k8s Secrets are meant to store actual secrets and as soon as you stuff complex "configs" in them you're "doing something wrong". One key rationale for that point of view, is that the more developers need to look at secrets (inspect, dump, log, ...) the higher the chances are that secrets will be leaked. The "bigger" a secret is the more likely it is you eventually need to take a peek, or treat it as a "pet". The "correct" approach was to force people to design apps where config are loaded as config maps and secrets get injected as env variables or files and have the application know how to read secrets separately from the config. However, turns out that in practice you cannot force everybody to write applications in that way. A templating approach like the one you propose is a pragmatic middle ground. Since you can look at the template in clear, you don't often need to see the template being expanded. It's not perfect, because when things don't work, you may be tempted to look at the expanded template just to be sure the template output is not borked. That said, this can be mitigated, perhaps by rendering the template with some dummy secret values and put it in the .status field of the SealedSecret object. |
This is a nice thing to have, as the jenkins secret example showing in the readme, the |
Merged in #580! |
sometimes when deploying services on k8s you end up needing to create a secret which contains a entire config file. in such cases you often only have a small amount of data that is actually secret, the rest of the config file could be safely kept in plaintext. in such cases
sealed-secrets
could offer a large usability win by allowing arbitrary keys within the resulting secrets to be created from a plaintext template which uses the decrypted data keys as inputs.while there is a docs example showing how this can be achieved with an init container, having this capability within
sealed-secrets
is more flexible and reduces integration complexity in certain situationssealed-secrets
already has the concept of secret "templating", perhaps aData
field could be added to theSecretTemplateSpec
to enable this.Example (extended from the README):
would result in a secret like:
where the decoded
.dockercfg
looks like:The text was updated successfully, but these errors were encountered: