Open jmspring opened 4 years ago
I totally agree. My configuration is becoming pretty messy. And this is just the first deployment where I try to use kv-flexvol:
keyvaultobjectnames: "ServiceBus--AsbConnectionString;ServiceBus--DataBusConnectionString;PushNotificationHubs--MijnFloriusApp--keyname;PushNotificationHubs--MijnFloriusApp--keyvalue;PushNotificationHubs--FanApp--keyname;PushNotificationHubs--FanApp--keyvalue;Smtp--Credentials--Username;Smtp--Credentials--Password"
keyvaultobjectaliases: "ServiceBus__AsbConnectionString;ServiceBus__DataBusConnectionString;PushNotificationHubs__MijnFloriusApp__keyname;PushNotificationHubs__MijnFloriusApp__keyvalue;PushNotificationHubs__FanApp__keyname;PushNotificationHubs__FanApp__keyvalue;Smtp__Credentials__Username;Smtp__Credentials__Password"
keyvaultobjecttypes: "secret;secret;secret;secret;secret;secret;secret;secret"
(I need objectaliases because of requirements of the .NET configuration system)
A default for type would be nice too: secret. If you have different types of secrets, you could simply add another volume.
A format similar to this would be nice and allows easier migration in the future: https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/test/bats/tests/azure_v1alpha1_secretproviderclass.yaml
parameters:
  usePodIdentity: "false"         # [OPTIONAL] if not provided, will default to "false"
  keyvaultName: "$KEYVAULT_NAME"  # the name of the KeyVault
  objects: |
    array:
      - |
        objectName: $SECRET_NAME
        objectType: secret               # object types: secret, key or cert
        objectVersion: $SECRET_VERSION   # [OPTIONAL] object versions, default to latest if empty
      - |
        objectName: $KEY_NAME
        objectType: key
        objectVersion: $KEY_VERSION
Thanks for the feedback @jmspring!
@kwaazaar https://github.com/kubernetes-sigs/secrets-store-csi-driver is the next generation of this flexvol solution/repo. Please start using the secrets store csi driver as this solution will slowly be deprecated.
You should mention this in the readme! I accidentally found the CSI driver solution, but it deserves a prominent place on the front page.
Currently, if one wishes to expose one or more keyvault objects via Flexvolume, you must manually concat the information for each object across multiple string values:
With values for each object separated by a delimiter.
keyvaultobjectaliases and keyvaultobjectversions are optional, but if you need such for any one of the objects, you would need to add such for every object. This makes the management of even a small (less than 10) number of objects unwieldy. It would make more sense to represent these values as a list of dictionaries as follows:
While it is more "verbose" it is more practical and flexible.
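As an added worked example (not code from this repository, from the CSI driver, or from anyone in this thread): a small Python helper that parses the delimited keyvaultobjectnames / keyvaultobjecttypes / keyvaultobjectaliases / keyvaultobjectversions strings discussed in this issue and in kwaazaar's comment into the list-of-dictionaries shape, applies the proposed default of `secret` for the type, fails closed when an optional column has a different number of entries than the names (so an object cannot be silently mounted under a neighbouring object's alias or pinned to the wrong version), rejects aliases that would collide on the mount, and renders the result in the `objects: | array:` layout of the linked SecretProviderClass example. The `objectAlias` field name, the function names and the sample values are this example's own assumptions.

```python
"""Added example: convert kubernetes-keyvault-flexvol style delimited options
into a validated list of objects and into the CSI driver's `objects` layout.
Not part of either project; the field name `objectAlias` is an assumption."""
from dataclasses import dataclass
from typing import List, Optional

DELIM = ";"
VALID_TYPES = ("secret", "key", "cert")   # object types named in the linked example
DEFAULT_TYPE = "secret"                   # default proposed in the thread


@dataclass
class KeyVaultObject:
    name: str
    type: str = DEFAULT_TYPE
    alias: Optional[str] = None     # file name under the mount; defaults to name
    version: Optional[str] = None   # None means "latest"

    @property
    def mount_name(self) -> str:
        return self.alias or self.name


def _split_column(raw: str, field: str, expected: int) -> List[Optional[str]]:
    """Split one delimited option. An absent column is fine; a present column
    must have exactly one entry per object, otherwise positions shift and an
    object could be written under another object's alias or version."""
    if raw.strip() == "":
        return [None] * expected
    col = [v.strip() or None for v in raw.split(DELIM)]
    if len(col) != expected:
        raise ValueError(
            f"{field} has {len(col)} entries but keyvaultobjectnames has {expected}")
    return col


def parse_flexvol_options(names: str, types: str = "", aliases: str = "",
                          versions: str = "") -> List[KeyVaultObject]:
    """Zip the four delimited strings into KeyVaultObject records."""
    name_list = [n.strip() for n in names.split(DELIM) if n.strip()]
    if not name_list:
        raise ValueError("keyvaultobjectnames must name at least one object")
    n = len(name_list)
    columns = zip(name_list,
                  _split_column(types, "keyvaultobjecttypes", n),
                  _split_column(aliases, "keyvaultobjectaliases", n),
                  _split_column(versions, "keyvaultobjectversions", n))
    objs = []
    for name, typ, alias, version in columns:
        typ = typ or DEFAULT_TYPE
        if typ not in VALID_TYPES:
            raise ValueError(f"unknown object type {typ!r} for {name}")
        objs.append(KeyVaultObject(name, typ, alias, version))
    # Two objects resolving to the same file in the volume would overwrite
    # each other; surface that at config time rather than at mount time.
    seen = set()
    for o in objs:
        if o.mount_name in seen:
            raise ValueError(f"duplicate mount file name {o.mount_name!r}")
        seen.add(o.mount_name)
    return objs


def validation_error(names, types="", aliases="", versions="") -> Optional[str]:
    """Return the validation message instead of raising (handy for a CI check)."""
    try:
        parse_flexvol_options(names, types, aliases, versions)
    except ValueError as exc:
        return str(exc)
    return None


def render_csi_objects(objs: List[KeyVaultObject]) -> str:
    """Render the `objects: | array:` parameter in the layout of the linked
    azure_v1alpha1_secretproviderclass.yaml (one block scalar per object)."""
    lines = ["objects: |", "  array:"]
    for o in objs:
        lines.append("    - |")
        lines.append(f"      objectName: {o.name}")
        if o.alias:
            lines.append(f"      objectAlias: {o.alias}")   # assumed field name
        lines.append(f"      objectType: {o.type}")
        if o.version:
            lines.append(f"      objectVersion: {o.version}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample in the shape posted in the thread (two of the objects).
    objs = parse_flexvol_options(
        "ServiceBus--AsbConnectionString;Smtp--Credentials--Password",
        "secret;secret",
        "ServiceBus__AsbConnectionString;Smtp__Credentials__Password")
    print(render_csi_objects(objs))
    print(validation_error("a;b", aliases="only_one"))
```

Running the script prints the rendered `objects` block for the two sample objects, then the message for a deliberately mismatched aliases column. The count check is the part worth keeping even if you stay on flexvol: with three or four parallel delimited strings, a single missing `;` shifts every later entry by one position, and that is exactly the kind of mistake a list of dictionaries makes impossible.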