Azure / AppConfiguration-KubernetesProvider

Bring your data in Azure App Configuration down to your Kubernetes cluster, available as ConfigMap and Secrets and ready to be consumed by any workload.
MIT License

Multi Key Value Secret support #82

Open spintower opened 1 week ago

spintower commented 1 week ago

Does AppConfiguration-KubernetesProvider support multi-key-value secrets similar to https://akv2k8s.io/tutorials/sync/4-multi-key-value-secret/ and https://external-secrets.io/latest/guides/all-keys-one-secret/?

RichardChen820 commented 1 week ago

@spintower The short answer is yes.

Secrets resolved from keyVault references are saved into the Secret you specify in the AzureAppConfigurationProvider yaml:

apiVersion: azconfig.io/v1
kind: AzureAppConfigurationProvider
metadata:
  name: appconfigurationprovider-sample
spec:
  endpoint: <your-app-configuration-store-endpoint>
  target:
    configMapName: my-configmap
  configuration:
    selectors:
      - keyFilter: '*'
  secret:
    target:
      secretName: my-secret
    auth:
      managedIdentityClientId: <your-user-assigned-managed-identity-client-id>

Using the above yaml as an example, all the selected keyVault reference items will be saved into my-secret, using the AppConfig item's key as the key and the value of the referenced KeyVault secret as the value. The target my-secret would be of Opaque type.

RichardChen820 commented 1 week ago

@linglingye001 The doc for this part is not very clear. Can we add some examples to clearly illustrate what kind of Secret will be generated with different configurations?

linglingye001 commented 1 week ago

> @linglingye001 The documentation for this part is not very clear. Can we add some examples to clearly illustrate what kind of Secret will be generated with different configurations?

I will update the doc.

spintower commented 1 week ago

Thanks @RichardChen820, I'm looking for a way to extract structured data from a secret (turn one AKV key/value into multiple key/value pairs in a k8s secret). For example, https://akv2k8s.io/tutorials/sync/4-multi-key-value-secret/ can take a secret value that contains JSON

{
  "key1": "value1",
  "key2": "value2",
  "key3": "value3"
}

and create a secret with parsed key/value pairs:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: db-config
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
  key3: dmFsdWUz

akv2k8s needs the line contentType: application/x-json to indicate that it needs to parse the JSON.

It's my understanding that AppConfiguration-KubernetesProvider in this case will simply insert the JSON-encoded string into the secret without parsing the JSON, is that right?
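The two Secret shapes contrasted in the comment above, as an added example that is not part of the original thread and is neither the provider's nor akv2k8s's code: the function builds the `data` map of an Opaque Secret either with the JSON kept as one string under the App Configuration item's key, or with one entry per top-level JSON member. The item key `db-config-json` and all function names are hypothetical.

```python
import base64
import json
import re

# Kubernetes Secret data keys: alphanumerics, '-', '_' and '.', at most 253 chars.
VALID_KEY = re.compile(r"[-._a-zA-Z0-9]+")


def b64(text: str) -> str:
    """Base64-encode a string the way Secret `data` values are stored."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def secret_data(item_key: str, secret_value: str, parse_json: bool = False) -> dict:
    """Build the `data` map of an Opaque Secret for one resolved Key Vault reference.

    parse_json=False: one entry, item key -> raw value (the JSON stays a string).
    parse_json=True:  one entry per top-level JSON member (the multi-key shape).
    """
    if not parse_json:
        pairs = {item_key: secret_value}
    else:
        parsed = json.loads(secret_value)
        if not isinstance(parsed, dict):
            raise ValueError("secret value is not a JSON object")
        # Non-string members are re-serialised as JSON rather than guessed at.
        pairs = {k: v if isinstance(v, str) else json.dumps(v)
                 for k, v in parsed.items()}
    for key in pairs:
        if len(key) > 253 or not VALID_KEY.fullmatch(key):
            raise ValueError(f"invalid Secret data key: {key!r}")
    return {key: b64(value) for key, value in pairs.items()}


def manifest(name: str, data: dict) -> dict:
    """Wrap a data map in a v1 Secret manifest of type Opaque."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}


# Constructed sample: the JSON value quoted in the comment above.
SAMPLE_VALUE = '{"key1": "value1", "key2": "value2", "key3": "value3"}'

if __name__ == "__main__":
    for parse in (False, True):
        data = secret_data("db-config-json", SAMPLE_VALUE, parse_json=parse)
        print(json.dumps(manifest("db-config", data), indent=2))
```
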

RichardChen820 commented 1 week ago

Sounds like it's a special protocol defined in akv2k8s, aimed at resolving a certain format of secret value.

RichardChen820 commented 1 week ago

Does the secret in Key Vault need the application/x-json content type as well?