aws / secrets-store-csi-driver-provider-aws

The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Apache License 2.0

Store the secrets in mounted file as YAML instead of JSON format #199

Open Constantin07 opened 1 year ago

Constantin07 commented 1 year ago

At the moment the secrets are stored in JSON format. It would be nice to add support for YAML format, maybe something like objectFormat.

Reason: We want to support auto-reload in a Java app when a secret is updated in AWS Secrets Manager. It works with a YAML secrets file but doesn't work with JSON. Another reason is that we would like to avoid writing our own implementation in Java but rather use what is already supported and working.

jbct commented 1 year ago

Hi Constantin07, could you provide a bit more information on the use case and the library that you're using to auto-reload YAML files?

cbugneac-nex commented 1 year ago

Hi @jbct We managed to use the JSON format so this feature request can be closed.

tmartin commented 11 months ago

EDIT: Sorry, my comment is a duplicate of this issue: https://github.com/aws/secrets-store-csi-driver-provider-aws/issues/46

Hi there, I would like to add another use case for the YAML format that could be very useful IMO.

When using a secret with key-value pairs in AWS Secrets Manager, if you sync it to a K8s Secret, you get a JSON string at the moment. Now if I want to create an env var for each key-value pair in my secret, I have to do it manually using jmesPath in my SecretProviderClass and declare each one in spec.secretObjects[].data.

Here's an example of what I have to do today:

```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: test-secret-class
  namespace: test-secret
spec:
  provider: aws
  secretObjects:
    - secretName: test-secret
      type: Opaque
      data:
        - objectName: "secret-username"
          key: USER
        - objectName: "secret-password"
          key: PASS
  parameters:
    objects: |
      - objectName: "MySecret"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: "secret-username"
          - path: password
            objectAlias: "secret-password"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-secret-deployment
  namespace: test-secret
  labels:
    app: test-secret-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-secret-app
  template:
    metadata:
      labels:
        app: test-secret-app
    spec:
      serviceAccountName: secrets-store-csi-sa
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "test-secret-class"
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        envFrom:
        - secretRef:
            name: "test-secret"
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
```

If the secret could be directly created in YAML format, I wouldn't need to use the jmesPath nor the data array in my SecretProviderClass.

What do you guys think? Cheers.
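The per-key jmesPath and secretObjects[].data wiring in the comment above has to be written by hand for every key of the secret. As an added example that is not part of this issue or of the provider project, the Python script below generates that SecretProviderClass from the key names of a flat JSON key/value secret. The sample secret value is constructed; the resource names (test-secret-class, test-secret, MySecret) are taken from the manifest above; the mapping from secret key to env var name and to objectAlias is this example's own convention, not something the provider defines. It also handles the edge case that a key such as db-host is not a valid unquoted JMESPath identifier and must be emitted as a quoted one.

```python
"""Generate a SecretProviderClass with one jmesPath entry and one
secretObjects data entry per key of a flat JSON secret.

Added example for this discussion, not code from the issue or from
secrets-store-csi-driver-provider-aws. Assumptions: the secret value is a
flat JSON object (what the Secrets Manager key/value editor stores, and what
the provider writes verbatim to the mount without jmesPath), and the key
names are known when the manifest is rendered.
"""
import json
import re

# Constructed sample of a Secrets Manager key/value secret.
SAMPLE_SECRET_JSON = '{"username": "app", "password": "s3cr3t", "db-host": "db.internal"}'

# JMESPath unquoted identifiers: letters, digits and underscore, no leading digit.
_UNQUOTED_JMESPATH = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def secret_keys(secret_json: str) -> list[str]:
    """Return the top-level keys of a flat JSON key/value secret.

    Nested values are rejected: a jmesPath entry for such a key would yield a
    JSON document, not a scalar, which defeats the one-env-var-per-key idea.
    """
    data = json.loads(secret_json)
    if not isinstance(data, dict):
        raise ValueError("secret value is not a JSON object")
    for key, value in data.items():
        if isinstance(value, (dict, list)):
            raise ValueError(f"key {key!r} holds a nested value; flatten it first")
    return list(data)


def jmespath_identifier(key: str) -> str:
    """Render a key as a JMESPath identifier; keys with '-' or '.' need quoting."""
    if _UNQUOTED_JMESPATH.match(key):
        return key
    return json.dumps(key)  # quoted identifier, e.g. "db-host"


def env_name(key: str) -> str:
    """Map a key to a conservative env var name (upper-case C identifier).

    Convention of this example: Kubernetes skips envFrom keys that are not
    valid environment variable names, so punctuation is replaced by '_'.
    """
    name = re.sub(r"[^A-Za-z0-9_]", "_", key).upper()
    return name if not name[0].isdigit() else "_" + name


def object_alias(aws_secret_name: str, key: str) -> str:
    """File name under the mount for one extracted key; must be unique per class."""
    return re.sub(r"[^A-Za-z0-9_.-]", "-", f"{aws_secret_name}-{key}")


def render_secret_provider_class(
    spc_name: str,
    namespace: str,
    aws_secret_name: str,
    k8s_secret_name: str,
    keys: list[str],
) -> str:
    """Emit the SecretProviderClass manifest as YAML text.

    Values are emitted with json.dumps, which is valid YAML double-quoted
    scalar syntax, so a quoted JMESPath identifier survives as "\"db-host\"".
    """
    aliases = [object_alias(aws_secret_name, k) for k in keys]
    data_lines = "".join(
        f"        - objectName: {json.dumps(a)}\n          key: {env_name(k)}\n"
        for a, k in zip(aliases, keys)
    )
    # `objects` is itself a YAML string nested inside YAML, hence the block scalar.
    jmes_lines = "".join(
        f"          - path: {json.dumps(jmespath_identifier(k))}\n"
        f"            objectAlias: {json.dumps(a)}\n"
        for a, k in zip(aliases, keys)
    )
    return (
        "apiVersion: secrets-store.csi.x-k8s.io/v1\n"
        "kind: SecretProviderClass\n"
        f"metadata:\n  name: {spc_name}\n  namespace: {namespace}\n"
        "spec:\n  provider: aws\n"
        "  secretObjects:\n"
        f"    - secretName: {k8s_secret_name}\n      type: Opaque\n      data:\n"
        f"{data_lines}"
        "  parameters:\n    objects: |\n"
        f"      - objectName: {json.dumps(aws_secret_name)}\n"
        '        objectType: "secretsmanager"\n'
        "        jmesPath:\n"
        f"{jmes_lines}"
    )


if __name__ == "__main__":
    keys = secret_keys(SAMPLE_SECRET_JSON)
    print(render_secret_provider_class("test-secret-class", "test-secret", "MySecret", "test-secret", keys))
```

The generated class still needs the Deployment from the comment above (the CSI volume mount is what triggers the sync into the Kubernetes Secret consumed by envFrom). Keys are rendered from the known key names, not fetched from AWS, so the script runs offline; rotating a key name in Secrets Manager means re-rendering the manifest.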