Open splasharun opened 2 years ago
Sorry for the delayed response. I'm not sure I understand your example yaml there. The path parameter is the relative file path within the mount where you want data to be written.
Considering a secret in secret manager with the contents:
{
  "key_0": {
    "key_1": "my super secret"
  }
}
You're looking to have the result of the SecretProviderClass be a file on disk at <mount path>/key1 with contents my super secret, is that the case?
If so I think we'd want to make the format a bit more like:
- resourceName: "projects/$PROJECT_ID/secrets/secret/versions/latest"
  path: "key1"
  extract:
    jsonpath: ".key_0.key_1"
This would leave open the possibility of different types of extraction methods depending on the format of the secret (i.e. xml values, yaml secret, etc) and match the current semantics of path meaning the location to write data.
A downside with this may be that to extract/map multiple keys from a secret to separate files would involve a lot of repetition.
- resourceName: "projects/$PROJECT_ID/secrets/secret/versions/latest"
  path: "cert.pem"
  extract:
    jsonpath: ".cert"
- resourceName: "projects/$PROJECT_ID/secrets/secret/versions/latest"
  path: "key.pem"
  extract:
    jsonpath: ".key"
Maybe something with:
- resourceName: "projects/$PROJECT_ID/secrets/secret/versions/latest"
  extract:
    - jsonpath: ".cert"
      path: "cert.pem"
    - jsonpath: ".key"
      path: "key.pem"
where the top level path is left empty when an extract is used, and the format of the extract is a tuple of where in the content json to extract data and the file path to write it to, and allow multiple extract operations.
Am I understanding this request correctly?
Thinking about it now, I believe we had some talk in the community call a few weeks ago about splitting out the jsonpath functionality of https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/820 from the secret syncing. If that was done then it may address this feature request without changes to the provider.
cc @manedurphy
Hi, is there any way now where I can directly mount key values from a json/yaml file as individual objects? I guess this will be helpful when mounting values to k8s secrets.
The options that I have right now are
I was wondering if there was any straightforward way to do this. In other providers (aws) I've seen them use jmespath to get values from json files, can we do something similar?
I guess we can extend this for tls certificates and other use cases too. Also, I'd be happy to contribute to this. Thanks.
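A sketch of the extract tuples proposed in this thread, as an added example that is not part of the issue or of the provider's code. The `Extract` type and `ExtractFiles` function are hypothetical names, the path syntax is limited to dotted object keys, and file paths that would land outside the mount are rejected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)
// Extract mirrors one tuple of the proposed (hypothetical) extract list.
type Extract struct {
	JSONPath string // dotted path into the secret payload, e.g. ".key_0.key_1"
	Path     string // file path relative to the mount
}

// ExtractFiles maps each relative file path to the string found at its JSONPath.
func ExtractFiles(payload []byte, extracts []Extract) (map[string][]byte, error) {
	var doc interface{}
	if err := json.Unmarshal(payload, &doc); err != nil {
		return nil, fmt.Errorf("secret is not valid JSON: %w", err)
	}
	files := make(map[string][]byte)
	for _, e := range extracts {
		// Refuse empty, absolute and ".." paths so nothing is written outside the mount.
		clean := filepath.Clean(e.Path)
		if filepath.IsAbs(clean) || clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("path %q is not inside the mount", e.Path)
		}
		cur := doc
		for _, key := range strings.Split(strings.TrimPrefix(e.JSONPath, "."), ".") {
			obj, _ := cur.(map[string]interface{}) // nil map when cur is not an object
			next, ok := obj[key]
			if !ok {
				return nil, fmt.Errorf("jsonpath %q: key %q not found", e.JSONPath, key)
			}
			cur = next
		}
		// Only string leaves are written; error messages never contain secret values.
		s, ok := cur.(string)
		if !ok {
			return nil, fmt.Errorf("jsonpath %q does not resolve to a string", e.JSONPath)
		}
		files[clean] = []byte(s)
	}
	return files, nil
}

func main() { // constructed sample payload, shaped like the thread's example secret
	files, err := ExtractFiles([]byte(`{"key_0":{"key_1":"my super secret"}}`), []Extract{{".key_0.key_1", "key1"}})
	fmt.Println(len(files), err)
}
```

Failing the whole mount on a missing key or a non-string leaf keeps a pod from starting with a partially populated secret directory.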