New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Allow easy secret manipulation from string data #19575
Comments
The stringData proposal is different from how anything works today. What's the problem with the subresource? That seems analogous to server-side template substitution. |
Primarily we have no way to express a subresource in the cli or in
config files. I think this is something we want in config files. We
could simply support a virtual resource that fronts the secret (a new
top level resource like StringSecret) which is saved as secret, but I
don't know that is a pattern I'd want to start now.
|
Ok, now we have precedent for the approach in this proposal: rollbackTo #19686. It would sidestep the madness we encountered with PodSecurityContext by storing only one copy. However, it wouldn't work with kubectl apply, and would likely wreak havok with Template as well -- anything that checks structural equality, so it doesn't solve the "config file" use case. So, I think we're back to a bidirectional sync of the 2 maps. On update (PUT, PATCH), we'd need to diff with the state in etcd to figure out which map entries were modified and then change the other to match if the entries differed. If both were changed but didn't match, we could throw a validation error, I think. |
So another option I thought of last night... we only accept Base64 input to
That is a) unambiguous and b) backwards compatible for new servers and c) On Fri, Jan 29, 2016 at 12:12 PM, Brian Grant notifications@github.com
|
That was supposed to be:
|
Another option is:
|
I wouldn't want to change the map key. An alternate representation in the map value (e.g. |
This was implemented |
Secrets today have schema
Data map[string][]byte json:"data,omit empty"
. The end result is a base64 string in JSON, which is hard to work with as a normal client on the cli. It should be possible to pass string values for the data that are transformed into[]byte
. Since v2 is far away, this should be backwards compatible.Proposal
Add a new
StringData map[string]string
with json identifierstringData
that is read during create and update and merged intodata
. This is backwards compatible (new clients can send both fields and stringData takes precedence). Clients always readdata
.stringData
is not stored in etcd.Alternatives:
SecretMap
that is backed bySecret
and hasdata map[string]string
, but operations onSecretMap
. Not easily used (requires new client work), also has potential for confusion, and in the long run we need both binary and text data for secrets anyway.a. Variant 1 - add a new SecretMap that has both fields, or a deeper struct, and convince everyone to change away from secret. SecretMap would be backed in etcd by Secret resources. Problem: unable to have fields that are binary and fields that are string.
The text was updated successfully, but these errors were encountered: