Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Syntax for keyvaultobjects should use yaml dictionaries instead of strings #175

Open jmspring opened 4 years ago

jmspring commented 4 years ago

Currently, if one wishes to expose one or more keyvault objects via Flexvolume, you must manually concatenate the information for each object across multiple string values:

    keyvaultobjectnames
    keyvaultobjectaliases
    keyvaultobjecttypes
    keyvaultobjectversions

Values for each object are separated by a delimiter. keyvaultobjectaliases and keyvaultobjectversions are optional, but if you need either for any one of the objects, you would need to add it for every object. This makes the management of even a small (less than 10) number of objects unwieldy.

It would make more sense to represent these values as a list of dictionaries as follows:

keyvaultobjects:
  - name: foo
    type: secret
  - name: bar
    type: secret
    version: 1
  - name: cat
    type: secret
    version: 12
    alias: settings.json

While it is more "verbose" it is more practical and flexible.

kwaazaar commented 4 years ago

I totally agree. My configuration is becoming pretty messy. And this is just the first deployment where I try to use kv-flexvol:

keyvaultobjectnames: "ServiceBus--AsbConnectionString;ServiceBus--DataBusConnectionString;PushNotificationHubs--MijnFloriusApp--keyname;PushNotificationHubs--MijnFloriusApp--keyvalue;PushNotificationHubs--FanApp--keyname;PushNotificationHubs--FanApp--keyvalue;Smtp--Credentials--Username;Smtp--Credentials--Password"
keyvaultobjectaliases: "ServiceBus__AsbConnectionString;ServiceBus__DataBusConnectionString;PushNotificationHubs__MijnFloriusApp__keyname;PushNotificationHubs__MijnFloriusApp__keyvalue;PushNotificationHubs__FanApp__keyname;PushNotificationHubs__FanApp__keyvalue;Smtp__Credentials__Username;Smtp__Credentials__Password"
keyvaultobjecttypes: "secret;secret;secret;secret;secret;secret;secret;secret"

(I need objectaliases because of requirements of the .NET configuration system)

A default for type would be nice too: secret. If you have different types of secrets, you could simply add another volume.
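As an added example (not code from this repo), here is a small converter that takes today's delimited `keyvaultobject*` strings, checks that every optional column lines up with the names (the misalignment the string form invites), applies the `secret` default proposed in the comment above, and renders the list-of-dicts form from the opening post. It assumes `;` as the delimiter, as in the configs quoted in this issue.

```python
# Added example (not project code); ';' is the delimiter used in the configs quoted above.
from typing import Dict, List, Optional

DELIMITER = ";"
VALID_TYPES = {"secret", "key", "cert"}  # object types named in the CSI driver sample

def _split(value: Optional[str]) -> Optional[List[str]]:
    """Split one option string; None or "" means the option was omitted."""
    if not value:
        return None
    return [v.strip() for v in value.split(DELIMITER)]

def parse_keyvault_objects(names: str, types: Optional[str] = None,
                           aliases: Optional[str] = None,
                           versions: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one dict per object, or raise ValueError on a misaligned config."""
    name_list = _split(names)
    if not name_list or "" in name_list:
        raise ValueError("keyvaultobjectnames must list only non-empty names")
    count = len(name_list)
    columns = {"type": _split(types), "alias": _split(aliases), "version": _split(versions)}
    for field, column in columns.items():
        # An optional column, once given, needs one entry per object: a short or
        # long list silently shifts aliases/versions onto the wrong secret.
        if column is not None and len(column) != count:
            raise ValueError(f"keyvaultobject{field}s has {len(column)} entries, expected {count}")
    objects, mounted = [], set()
    for i, name in enumerate(name_list):
        obj = {"name": name, "type": columns["type"][i] if columns["type"] else "secret"}
        if obj["type"] not in VALID_TYPES:
            raise ValueError(f"unknown object type {obj['type']!r} for {name}")
        for field in ("alias", "version"):
            if columns[field] and columns[field][i]:
                obj[field] = columns[field][i]
        # The file mounted into the pod is named after the alias (or the name);
        # two objects resolving to one file name would overwrite each other.
        target = obj.get("alias", name)
        if target in mounted:
            raise ValueError(f"two objects would be mounted as {target!r}")
        mounted.add(target)
        objects.append(obj)
    return objects

def render_yaml(objects: List[Dict[str, str]]) -> str:
    """Render the proposed keyvaultobjects: list without needing PyYAML."""
    lines = ["keyvaultobjects:"]
    for obj in objects:
        for n, key in enumerate(k for k in ("name", "type", "version", "alias") if k in obj):
            lines.append(("  - " if n == 0 else "    ") + f"{key}: {obj[key]}")
    return "\n".join(lines)
```

Feeding it the three objects from the opening post (`"foo;bar;cat"`, types `"secret;secret;secret"`, aliases `";;settings.json"`, versions `";1;12"`) reproduces the proposed YAML exactly, while a types string with only two entries is rejected instead of being applied to the wrong object.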

kwaazaar commented 4 years ago

A format similar to this would be nice and allows easier migration in the future: https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/test/bats/tests/azure_v1alpha1_secretproviderclass.yaml

parameters:
    usePodIdentity: "false"         # [OPTIONAL] if not provided, will default to "false"
    keyvaultName: "$KEYVAULT_NAME" # the name of the KeyVault
    objects: |
      array:
        - |
          objectName: $SECRET_NAME
          objectType: secret        # object types: secret, key or cert
          objectVersion: $SECRET_VERSION         # [OPTIONAL] object versions, default to latest if empty
        - |
          objectName: $KEY_NAME
          objectType: key
          objectVersion: $KEY_VERSION

ritazh commented 4 years ago

Thanks for the feedback @jmspring!

@kwaazaar https://github.com/kubernetes-sigs/secrets-store-csi-driver is the next generation of this flexvol solution/repo. Please start using the secrets store csi driver as this solution will slowly be deprecated.

kwaazaar commented 4 years ago

> @kwaazaar https://github.com/kubernetes-sigs/secrets-store-csi-driver is the next generation of this flexvol solution/repo. Please start using the secrets store csi driver as this solution will slowly be deprecated.

You should mention this in the readme! I accidentally found the CSI driver solution, but it deserves a prominent place on the front page.