secrets-provider-for-k8s icon indicating copy to clipboard operation
secrets-provider-for-k8s copied to clipboard

Published 20 hours ago verified publisher icon cyberark

Secrets Provider Controller/MutatingAdmissionWebhook

Open tomcruise81 opened this issue 4 years ago • 3 comments
trafficstars

Is your feature request related to a problem? Please describe.

I would like to see a Secrets Provider MutatingAdmissionWebhook/Controller that processes all Secrets in a given Namespace. If the Secret contains Conjur-specific attributes/annotations, it could automatically handle retrieving those secret's values from Conjur. The Controller portion would be necessary to handle updates to those Secrets based on changes on the Conjur side. We're looking for this because creating CronJobs for potentially many Secrets (due to #236) in a given Namespace could become unruly very fast, and it allows for more of a single configuration point.

Describe the solution you would like

This is inspired by how the cert-manager Issuer works.

The idea would be to:

  1. Have a CRD or configuration to enable a Namespace-level Secrets Provider. This would be where you'd configure:
    account: my-conjur-account
    applianceUrl: https://conjur-oss.cyberark.svc.cluster.local
    authnUrl: https://conjur-oss.cyberark.svc.cluster.local/authn-k8s/<authenticator-id>
    authnLogin:  host/conjur/authn-k8s/<authenticator-id>/apps/secrets-provider-host
    sslCertificate: ...
  1. The Namespace-level Secrets Provider would observe:
    1. Existing Secrets - and periodically query Conjur (or register a webhook or something similar) for updated values that'd get propagated into the existing Secrets
    2. Handle incoming Secrets as they are introduced into the Namespace, by processing them should they contain the conjur-map section, or potentially some additional attributes. Alternatively, this could be based on a new CRD that get's transformed through this process into a Kubernetes Secret

tomcruise81 avatar Apr 08 '21 19:04 tomcruise81

Hi @tomcruise81 Thanks for submitting this enhancement! We will take a look at this request. If you want to submit a PR for this, please see the Contributors Guild

rpothier avatar Apr 09 '21 21:04 rpothier

An alternative might be to create a provider for https://github.com/external-secrets/kubernetes-external-secrets and allow it to do most if not all of what I've described above.

Presumably, during the namespaced-installation of that tool,

    account: my-conjur-account
    applianceUrl: https://conjur-oss.cyberark.svc.cluster.local
    authnUrl: https://conjur-oss.cyberark.svc.cluster.local/authn-k8s/<authenticator-id>
    authnLogin:  host/conjur/authn-k8s/<authenticator-id>/apps/secrets-provider-host
    sslCertificate: ...

could all be provided

tomcruise81 avatar Apr 14 '21 12:04 tomcruise81

https://github.com/external-secrets/kubernetes-external-secrets was deprecated in favor of it's re-write - https://github.com/external-secrets/external-secrets. That currently supports:

Any plans on creating a provider there?

Thanks!

tomcruise81 avatar Mar 17 '22 14:03 tomcruise81

We now support External Secrets Operator - see https://external-secrets.io/latest/provider/conjur/

szh avatar Feb 07 '25 16:02 szh