Closed thomaseyde closed 5 years ago
@thomaseyde can you please provide an example of the name of the object in Azure Key Vault, what you expect to see in the container and what this solution has produced?
If I understand correctly, it sounds like we are creating the file with the name of the key vault object, which is not what your application expects. Is that correct?
Given two secrets in Azure Key Vault, named Key
and Structured--Key
, and the volume mounted to /kv
, I expect two files in /kv
, named Key
and Structured__Key
.
That is, all double-dashes (--
)in Key Vault names are replaced with double underscores (__
).
This solution produces two files with names unchanged, Key
and Structured--Key
. And that last name is not recognized by configuration providers in .NET to be structured, and will not be mapped into an object like this:
class Structured
{
public string Key { get; set; }
}
@thomaseyde Thanks for the details. For this scenario, the recommendation is to make a copy of the file from inside the container to the desired filename. For example cp /kvmnt/Structured--Key Structured__Key
. This solution is agnostic to platforms as it mounts the content exactly as it's stored in key vault. Once the file is mount to your container, your application can process it as needed.
I can appreciate the desire to be agnostic, still I hope you will reconsider and find a solution to the problem.
Given that Azure Key Vault is not meant only for .NET developers, you have no choice but to be platform agnostic. This means the default behavior should be as it is.
But, from a .NET developer's perspective, it's expected that the mounted volume contains usable filenames so we can load the configuration using the typical tools provided in .NET.
It would be awkward to have to rename all files in the mounted volume before loading them. That would require inconvenient boilerplate for all configurations where none were required. It's also not the idiomatic way to load configuration values.
The best thing, of course, would be to have usable names from the start. But when that's not possible, having the provider fix this would be next best.
I can't believe it would be that hard to add an additional parameter to replace --
with __
. Even better, let us specify what to replace and what with.
It is a valid request. Specially valid for applications that are migrating to Kubernetes. One way of doing this, is to maintain the current behavior and provide a parameter to do the replacement needed (maybe a reg exp?)
That's right. The alias
feature should satisfy this request, where the values inkeyvaultobjectalias
will be the mounted file names.
For example:
flexVolume:
driver: "azure/kv"
secretRef:
name: kvcreds # mounting point to the pod
options:
usepodidentity: "false"
keyvaultname: "testkeyvault"
keyvaultobjectnames: "test--secret1;test--secret2"
keyvaultobjecttypes: secret;secret # OPTIONS: secret, key, cert
keyvaultobjectversions: "testversion1;testversion2"
keyvaultobjectalias: "test__secret1;test__secret2"
resourcegroup: "testresourcegroup"
subscriptionid: "testsub"
tenantid: "testtenant"
That would work. But the syntax will be clumsy for many values. Also, if a value doesn't have an alias, what do one write? And when something goes wrong, it's hard to match alias and type to the object name.
Can't the above be written something like:
flexVolume:
driver: "azure/kv"
secretRef:
name: kvcreds # mounting point to the pod
options:
usepodidentity: "false"
keyvaultname: "testkeyvault"
secrets:
- test--secret1;test__secret1 # with alias
- test--secret2;test__secret2 # with alias
- secret3 # no alias
# keys: # same syntax as secrets
# certs: # same syntax as secrets
resourcegroup: "testresourcegroup"
subscriptionid: "testsub"
tenantid: "testtenant"
The .NET convention for structured keys is using underscores where json or other structured format is not available, like environment variable names and, in this case, file names.
For some reason, Azure Key Vault doesn't allow underscores in key names, so dashes are used instead. And the logical thing is to use the
KeyPerFileConfigurationProvider
and callconfig.AddKeyPerFile("/kv")
to load all values. But this provides doesn't handle double dashes.It would be stupid to write yet another configuration provider to handle this, and when the convention is established, the FlexVolume provider should replace double dashes with double underscores. Or provide a variable to specify the delimiter.