aws-samples / aws-secret-sidecar-injector

Kubernetes mutating webhook to fetch secrets from AWS Secrets Manager
MIT No Attribution

Feature request - support multiple Secrets injection #41

Open AmitBaranes opened 3 years ago

AmitBaranes commented 3 years ago

As far as I can tell, currently we can inject only one secret, using `secrets.k8s.aws/secret-arn`. Would be nice to inject multiple secrets into a given pod.

jicowan commented 3 years ago

That's right. There is a fork of this project that supports multiple secrets.

AmitBaranes commented 3 years ago

Thanks for the fast response!

Would you mind sharing it? Any estimation time on when this change will be merged?

jicowan commented 3 years ago

See the aws-samples:multi-secret branch. There are no plans to merge it at the moment.

themattkeating commented 3 years ago

It's quite a fundamental bit of functionality: "requesting more than one secret". I've been testing the multi-secret branch. Bit of a faff trying to get things working, due to the gitpages.io repo not serving the updated charts.

divyangjp commented 3 years ago

How do I get the Helm chart for the multi-secret branch?

devopsmash commented 3 years ago

This feature is really important in the case of injecting my certificate and my key into my nginx pod.

adriantaut commented 3 years ago

Wonderful and easy-to-use tool, but indeed, a multi-secret feature would help a lot.

bjethwan commented 3 years ago

> See the aws-samples:multi-secret branch. There are no plans to merge it at the moment.

@jicowan I am using this project in production, and it's often asked to support multiple secrets. So I was wondering why you wouldn't support/merge the multi-secret fork?

adriantaut commented 3 years ago

@bjethwan I think it might be related to the recommendation to use the just-released ASCP project, as described in this project's README.

https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/

You can give it a try; it seems to work just fine within our EKS implementation.

bjethwan commented 3 years ago

@adriantaut The CSI driver is cool (I was in the loop with the CSI driver PM team), but it doesn't fit the design of my k8s-based platform. Further, the cost ($) of the poll-based rotation reconciler is bothersome.

adriantaut commented 3 years ago

@bjethwan Ah OK, wondering why it does not fit. I think you can disable the reconciler.

jicowan commented 3 years ago

@bjethwan @adriantaut The cost of polling is pretty negligible ($0.05 per 10,000 API calls), and you can configure the polling interval or disable it altogether. We are not supporting the multi-secret branch because it is a complete rewrite of the sidecar/admission controller and we're not prepared to support it. We were hoping the contributor would maintain it, but that has not come to pass.
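As an added illustration, not code from this project or from anyone in the thread, of the alternative adriantaut and jicowan describe above: a SecretProviderClass that pulls a certificate and a key from Secrets Manager as two files for an nginx pod (the cert-and-key case raised earlier), plus the CSI driver chart values that turn rotation polling off. The secret ARNs, resource names and namespace are placeholders; the chart value names are assumed from the secrets-store-csi-driver Helm chart and should be checked against the chart version you deploy.

```yaml
# Two Secrets Manager secrets mounted as files by the ASCP provider.
# ARNs are placeholders; replace with your own.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: nginx-tls            # placeholder name
  namespace: web             # placeholder namespace
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER-cert"
        objectType: "secretsmanager"
        objectAlias: "tls.crt"      # file name under the mount path
      - objectName: "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER-key"
        objectType: "secretsmanager"
        objectAlias: "tls.key"
---
# Pod that mounts both files read-only; the pod's service account is
# expected to carry the IRSA role allowed to read the two secrets.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: web
spec:
  serviceAccountName: nginx-irsa   # placeholder, IRSA-annotated account
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: tls
          mountPath: /etc/nginx/tls
          readOnly: true
  volumes:
    - name: tls
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: nginx-tls
---
# Assumed Helm values for the secrets-store-csi-driver chart: rotation
# polling disabled (no reconciler API calls); set to true and adjust the
# interval if you want the driver to re-read secrets periodically.
enableSecretRotation: false
rotationPollInterval: 2m
```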

AmitBaranes commented 3 years ago

We ended up writing our own service to support this request, I can share the source code if interested.

adriantaut commented 3 years ago

> We ended up writing our own service to support this request, I can share the source code if interested.

Sure @AmitBaranes, I would be interested.

KyMidd commented 2 years ago

> We ended up writing our own service to support this request, I can share the source code if interested.

@AmitBaranes Also interested; looking at keeping secrets out of k8s "secrets" objects but still utilizing k8s IRSA.