Open Constantin07 opened 1 year ago
Hi constantin07 - could you provide a bit more information on the use case and the library that you're using to auto-reload yaml files?
Hi @jbct We managed to use the JSON format so this feature request can be closed.
EDIT : Sorry my comment is a duplicate of this issue https://github.com/aws/secrets-store-csi-driver-provider-aws/issues/46
Hi there, I would like to add another use case for using YAML format that could be very useful IMO.
When using a Secret with key-value pairs in AWS Secrets Manager, if you sync it to a K8S Secret, you get a JSON string at the moment. Now if I want to create an env var for each key-value pair in my Secret, I have to do it manually using `jmesPath` in my `SecretProviderClass` and declare each one in `spec.secretObjects[].data`.
Here's an example of what I have to do today:

```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: test-secret-class
  namespace: test-secret
spec:
  provider: aws
  secretObjects:
    - secretName: test-secret
      type: Opaque
      data:
        - objectName: "secret-username"
          key: USER
        - objectName: "secret-password"
          key: PASS
  parameters:
    objects: |
      - objectName: "MySecret"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: "secret-username"
          - path: password
            objectAlias: "secret-password"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-secret-deployment
  namespace: test-secret
  labels:
    app: test-secret-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-secret-app
  template:
    metadata:
      labels:
        app: test-secret-app
    spec:
      serviceAccountName: secrets-store-csi-sa
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "test-secret-class"
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
          envFrom:
            - secretRef:
                name: "test-secret"
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets-store"
              readOnly: true
```
If the secret could be directly created in YAML format, I wouldn't need to use the `jmesPath` nor the `data` array in my `SecretProviderClass`.
What do you guys think? Cheers.
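The per-key boilerplate described in the comment above (one `jmesPath` entry plus one `secretObjects[].data` entry per key) can be generated from the secret's JSON instead of typed by hand. The script below is an added example, not code from the thread or from the AWS provider; the function names, the constructed sample secret, and the assumption that the provider hands each `path` string to a JMESPath parser unchanged (so keys with `-` or `.` need JMESPath's quoted-identifier form) are mine. It also checks that every derived key is a valid environment variable name, since `envFrom` silently skips keys that are not.

```python
import json
import re

# Constructed sample of a key/value secret as Secrets Manager returns it (not a real secret).
SAMPLE_SECRET_JSON = '{"username": "app", "db-password": "s3cr3t", "api.token": "t0k"}'

# Kubernetes skips envFrom keys that are not valid env var names (kubelet only records an
# event), so validate the derived names before emitting the manifest.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Same character class for JMESPath unquoted identifiers; anything else must be quoted.
JMES_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def env_name(key: str) -> str:
    """Derive an env var name from a secret key: non-identifier chars become '_', upper-cased."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", key).upper()
    if not ENV_NAME.match(name):
        raise ValueError(f"no valid env var name for key {key!r}")
    return name


def jmes_path(key: str) -> str:
    """Return the YAML scalar for a jmesPath 'path' (quoted JMESPath identifier if needed)."""
    return key if JMES_IDENT.match(key) else f"'{json.dumps(key)}'"


def build_secret_provider_class(secret_id: str, secret_json: str, *,
                                name: str, namespace: str, k8s_secret: str) -> str:
    """Render a SecretProviderClass with one jmesPath alias and one data entry per key."""
    kv = json.loads(secret_json)
    if not isinstance(kv, dict) or not kv:
        raise ValueError("expected a non-empty key/value secret")
    names = [env_name(k) for k in kv]
    if len(set(names)) != len(names):
        raise ValueError("two keys map to the same env var name")
    data = "".join(f'        - objectName: "{secret_id}-{k}"\n          key: {n}\n'
                   for k, n in zip(kv, names))
    jmes = "".join(f'          - path: {jmes_path(k)}\n            objectAlias: "{secret_id}-{k}"\n'
                   for k in kv)
    return ("apiVersion: secrets-store.csi.x-k8s.io/v1\nkind: SecretProviderClass\n"
            f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
            "spec:\n  provider: aws\n  secretObjects:\n"
            f"    - secretName: {k8s_secret}\n      type: Opaque\n      data:\n{data}"
            "  parameters:\n    objects: |\n"
            f'      - objectName: "{secret_id}"\n        objectType: "secretsmanager"\n'
            f"        jmesPath:\n{jmes}")


if __name__ == "__main__":
    print(build_secret_provider_class("MySecret", SAMPLE_SECRET_JSON, name="test-secret-class",
                                      namespace="test-secret", k8s_secret="test-secret"))
```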
At the moment the secrets are stored in JSON format. It would be nice to add support for YAML format, maybe something like `objectFormat`.
Reason: We want to support auto-reload in a Java app when the secret is updated in AWS Secrets Manager. It works with a `yaml` secrets file but doesn't work with `json`. Another reason is that we would like to avoid writing our own implementation in Java but rather use what is already supported and working.