Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Filename transformation support #177

Closed kwaazaar closed 4 years ago

kwaazaar commented 4 years ago

Describe the request

Key Vault itself has limitations on the secret names. The name of the KV-secret is also used as the filename under which it is stored on the flexvol volume. This becomes a problem when the consuming application expects a certain naming convention, e.g. a configuration system.

Explain why Key Vault FlexVolume needs it

I use the .NET Core configuration system. Imagine this JSON config:

{
  "ServicebusConfig": {
     "ConnString": "secret",
     "OtherSetting": "not-secret"
  }
}

To override the connection string, I can provide a value with this name: "ServicebusConfig__ConnString". I currently use environment variables to override this setting, but would like to use the KeyPerFile provider. This provider takes the filename as the key name. This means that on disk, this secret should have exactly that name. Since flexvol uses the KV-keyname as the filename, this is a problem, since in Key Vault I'm not allowed to use that as a key name (only alphanumeric characters and dashes).

Describe the solution you'd like

Allow me to specify the KV-keyname AND the filename I need. This can be optional. So maybe something like this:

keyvaultobjectnames: "ServicebusConnectionString(ServicebusConfig__ConnString)"

Another solution would be to always replace double-dashes ("--") with "__". That would not require any config changes, but may cause unexpected behaviour for some people.

Describe alternatives you've considered

Have the KeyPerFile extension for .NET Core support these transformations. But I think it should stay clean as it is.

Additional context

kwaazaar commented 4 years ago

So I just found the keyvaultobjectaliases property :-D
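An added example, not part of the issue thread or the project's code: a pre-deployment check that pairs `keyvaultobjectnames` with `keyvaultobjectaliases`, validates both sides, and reports the .NET configuration key each mounted file sets under KeyPerFile (which maps `__` in a filename to the `:` section delimiter). The function name `plan_mounts`, the semicolon separator and the alias filename policy are assumptions of this example.

```python
import re

# Key Vault secret names: 1-127 characters, alphanumerics and dashes only.
KV_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
# Conservative filename policy for aliases (an assumption of this example):
# no path separators, so an alias cannot point outside the mount directory.
SAFE_ALIAS = re.compile(r"[0-9A-Za-z_.-]{1,255}")


def plan_mounts(object_names: str, object_aliases: str = "") -> dict:
    """Map each mounted filename to the .NET configuration key it will set.

    Both arguments are the semicolon-separated strings given to
    keyvaultobjectnames / keyvaultobjectaliases (separator assumed).
    """
    names = [n.strip() for n in object_names.split(";") if n.strip()]
    aliases = [a.strip() for a in object_aliases.split(";") if a.strip()]
    if aliases and len(aliases) != len(names):
        raise ValueError("alias count must match object name count")

    plan = {}
    for i, name in enumerate(names):
        if not KV_NAME.fullmatch(name):
            raise ValueError(f"not a valid Key Vault secret name: {name!r}")
        # Without aliases, the secret name itself becomes the filename.
        filename = aliases[i] if aliases else name
        if filename in (".", "..") or not SAFE_ALIAS.fullmatch(filename):
            raise ValueError(f"unsafe alias/filename: {filename!r}")
        if filename in plan:
            raise ValueError(f"duplicate filename: {filename!r}")
        # KeyPerFile turns "__" in the filename into the ":" delimiter.
        plan[filename] = filename.replace("__", ":")
    return plan


if __name__ == "__main__":
    # Values taken from the issue text above.
    print(plan_mounts("ServicebusConnectionString",
                      "ServicebusConfig__ConnString"))
```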