ContainerSolutions / externalsecret-operator

An operator to fetch secrets from cloud services and inject them in Kubernetes
Apache License 2.0

Support different formats/templates for secret targets #127

Open knelasevero opened 3 years ago

knelasevero commented 3 years ago

Describe the solution you'd like

Having the ability to define a template to be used to produce a specific type of secret. Like:

| Builtin Type | Usage |
|---|---|
| Opaque | arbitrary user-defined data |
| kubernetes.io/service-account-token | service account token |
| kubernetes.io/dockercfg | serialized ~/.dockercfg file |
| kubernetes.io/dockerconfigjson | serialized ~/.docker/config.json file |
| kubernetes.io/basic-auth | credentials for basic authentication |
| kubernetes.io/ssh-auth | credentials for SSH authentication |
| kubernetes.io/tls | data for a TLS client or server |
| bootstrap.kubernetes.io/token | bootstrap token data |

What is the added value?

More flexibility with the generated secrets. Users can just use what aligns with their use case.

Give us examples of the outcome

This comes from the common CRD proposal as well, so it would be defined like this in the ExternalSecret:

```yaml
  target:
    name: my-secret
    template:
      type: kubernetes.io/tls   # builtin types are case-sensitive; must match the generated Secret's type below
  data:
    tls.crt:
      key: /corp.org/dev/certs/ingress
      property: pubcert
      version: latest
    tls.key:
      key: /corp.org/dev/certs/ingress
      property: privkey
      version: latest
```

This would generate:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: kubernetes.io/tls
data:
  # the data is abbreviated in this example
  tls.crt: |
    MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
  tls.key: |
    MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
```

Observations (Constraints, Context, etc):
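The following is an added example of how the `target.template.type` mapping above could be rendered and checked; it is not code from externalsecret-operator. It uses a stdlib-only stand-in for `corev1.Secret`, a constructed in-memory map in place of a real secret backend, and the per-type required data keys as documented for Kubernetes builtin secret types (the `keyRules` table, `Render`, `Fetcher`, `DataRef` and `ingressData` are all assumptions of this example). Besides producing the Secret, it rejects a template type that uses the `kubernetes.io/` prefix without matching a builtin type exactly (the API server would otherwise accept it silently as a custom type), and it refuses to create a typed Secret that lacks the keys the API server would reject, so a broken template fails in the operator rather than in a cluster.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// DataRef mirrors one entry of the proposed ExternalSecret `data` map.
type DataRef struct {
	Key      string `json:"key"`
	Property string `json:"property"`
	Version  string `json:"version"`
}

// Target mirrors the proposed `target` block with its `template.type`.
type Target struct {
	Name     string `json:"name"`
	Template struct {
		Type string `json:"type"`
	} `json:"template"`
}

// Secret is a minimal stand-in for corev1.Secret (assumption: stdlib only).
type Secret struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Type       string            `json:"type"`
	Data       map[string]string `json:"data"`
}

// keyRule: "all" keys must be present; "any" needs at least one of them.
type keyRule struct{ all, any []string }

// keyRules lists the builtin types and the data keys the API server requires
// for each, per the Kubernetes documentation (table built for this example).
var keyRules = map[string]keyRule{
	"Opaque":                              {},
	"kubernetes.io/service-account-token": {},
	"kubernetes.io/dockercfg":             {all: []string{".dockercfg"}},
	"kubernetes.io/dockerconfigjson":      {all: []string{".dockerconfigjson"}},
	"kubernetes.io/basic-auth":            {any: []string{"username", "password"}},
	"kubernetes.io/ssh-auth":              {all: []string{"ssh-privatekey"}},
	"kubernetes.io/tls":                   {all: []string{"tls.crt", "tls.key"}},
	"bootstrap.kubernetes.io/token":       {},
}

// Fetcher stands in for whatever backend the operator would call.
type Fetcher func(ref DataRef) ([]byte, error)

// Render fetches every data entry, base64-encodes it and applies the template
// type, failing on unknown builtin-looking types or missing required keys.
func Render(t Target, data map[string]DataRef, fetch Fetcher) (*Secret, error) {
	typ := t.Template.Type
	if typ == "" {
		typ = "Opaque" // Kubernetes default when no type is given
	}
	rule, known := keyRules[typ]
	if !known && (strings.HasPrefix(typ, "kubernetes.io/") || strings.HasPrefix(typ, "bootstrap.kubernetes.io/")) {
		return nil, fmt.Errorf("unknown builtin secret type %q (builtin types are case-sensitive)", typ)
	}
	s := &Secret{APIVersion: "v1", Kind: "Secret", Metadata: map[string]string{"name": t.Name}, Type: typ, Data: map[string]string{}}
	for name, ref := range data {
		raw, err := fetch(ref)
		if err != nil {
			return nil, fmt.Errorf("fetch %s: %w", name, err)
		}
		s.Data[name] = base64.StdEncoding.EncodeToString(raw)
	}
	for _, k := range rule.all {
		if _, ok := s.Data[k]; !ok {
			return nil, fmt.Errorf("type %s requires data key %q", typ, k)
		}
	}
	if len(rule.any) > 0 {
		found := false
		for _, k := range rule.any {
			if _, ok := s.Data[k]; ok {
				found = true
			}
		}
		if !found {
			return nil, fmt.Errorf("type %s requires one of %v", typ, rule.any)
		}
	}
	return s, nil
}

// constructedBackend: sample values standing in for the secret store (constructed).
var constructedBackend = map[string][]byte{
	"/corp.org/dev/certs/ingress/pubcert@latest": []byte("-----BEGIN CERTIFICATE-----\nEXAMPLE\n-----END CERTIFICATE-----\n"),
	"/corp.org/dev/certs/ingress/privkey@latest": []byte("-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n"),
}

func fetchFromMap(ref DataRef) ([]byte, error) {
	v, ok := constructedBackend[ref.Key+"/"+ref.Property+"@"+ref.Version]
	if !ok {
		return nil, fmt.Errorf("no such secret %s/%s", ref.Key, ref.Property)
	}
	return v, nil
}

// ingressData is the `data` block from the proposal above, as Go values.
func ingressData() map[string]DataRef {
	return map[string]DataRef{
		"tls.crt": {Key: "/corp.org/dev/certs/ingress", Property: "pubcert", Version: "latest"},
		"tls.key": {Key: "/corp.org/dev/certs/ingress", Property: "privkey", Version: "latest"},
	}
}

func main() {
	var t Target
	t.Name = "my-secret"
	t.Template.Type = "kubernetes.io/tls"
	s, err := Render(t, ingressData(), fetchFromMap)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	out, _ := json.MarshalIndent(s, "", "  ")
	fmt.Println(string(out)) // JSON form of the Secret shown in the proposal
}
```

Running `main` prints the JSON equivalent of the generated Secret above (JSON is valid input to `kubectl apply`); switching the type to `kubernetes.io/TLS` or dropping `tls.key` from the data map makes `Render` return an error instead of a Secret.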