GoogleCloudPlatform / secrets-store-csi-driver-provider-gcp

Google Secret Manager provider for the Secret Store CSI Driver.
Apache License 2.0
241 stars 63 forks

Extract JSON key-value pairs from secrets #229

Open vitordeap opened 1 year ago

vitordeap commented 1 year ago

TL;DR

Some secrets are stored with multiple properties (JSON structure, e.g. {"user":"user","password":"password"}). This feature would bring the ability to mount secrets and extract the properties individually.

Design

Proposal

The existing structure for a secret object could have another property (array), such as extractKey. The file would be saved only with the value of the extracted key (e.g. only the password value). This would be an initial version just to enable this feature; in the future this can be improved by using multiple keys and maybe manipulating the JSON.

Example:

spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: projects/<project_id>/secrets/<secret_name>/versions/<version>
        path: <filepath>
        extractKey: <my_json_key_to_be_extracted>

Alternatives considered

Today, we solve this by running bash scripts in the pods where the files were mounted, not a very nice design.

Resources

Other providers have this implementation, examples below: AWS, check for the jmesPath field description. HashiCorp Vault, check for the secretKey field description.

Additional information

This will empower the provider to be used alongside other technologies, since the secrets can be used directly with config files easily. We intend to use this feature with Prometheus, Grafana, RabbitMQ, etc.
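
One way the extraction requested above could behave, written in Go (the provider's language). This is an added example, not part of the issue and not the provider's code; the `ExtractKey` name, the fail-closed handling of missing and null keys, and the JSON re-emission of non-string values are all assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// ExtractKey is a hypothetical helper (not the provider's API). It returns the
// bytes that would be written to the mounted file when extractKey is set.
func ExtractKey(payload []byte, key string) ([]byte, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(payload, &obj); err != nil {
		// Deliberately not wrapping err: decoder errors can echo characters
		// of the payload, and the payload here is the secret itself.
		return nil, errors.New("secret payload is not a JSON object")
	}
	raw, ok := obj[key]
	if !ok {
		// The key name comes from the SecretProviderClass, so it is safe to log.
		return nil, fmt.Errorf("key %q not found in secret payload", key)
	}
	// Fail closed on null: an empty credential file is worse than a mount error.
	if len(raw) == 0 || bytes.Equal(bytes.TrimSpace(raw), []byte("null")) {
		return nil, fmt.Errorf("key %q is null in secret payload", key)
	}
	// Strings are unquoted and unescaped so the file holds the bare value.
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return []byte(s), nil
	}
	// Assumption: numbers, booleans, arrays and nested objects are written
	// in their JSON encoding, unchanged.
	return raw, nil
}

func main() {
	// Constructed sample payload with the shape shown in the issue.
	payload := []byte(`{"user":"user","password":"password"}`)
	v, err := ExtractKey(payload, "password")
	// Print only the length so the value never reaches stdout or logs.
	fmt.Printf("extracted %d bytes, err=%v\n", len(v), err)
}
```
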

pragativ-splunk commented 3 months ago

Any traction on a solution for this issue? We are trying to use something similar but are unable to parse JSON credentials through CSI.

RuiSMagalhaes commented 3 weeks ago

No news, @vitordeap?