
Format of the spec:parameters:objects string in SecretProviderClass for Azure

Open sebafo opened this issue 1 year ago • 0 comments

The way you need to format the string for the objects you want to read from a Key Vault is very confusing. I know that you have to provide a string because of the CRD specification; that was already answered here (https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/155).

But if I compare Azure and AWS, it is easier to create a SecretProviderClass in AWS.

In AWS: https://github.com/aws/secrets-store-csi-driver-provider-aws#secretproviderclass-options

    parameters:
      objects: |
        - objectName: "MySecret"
          objectType: "secretsmanager"

In Azure:

    parameters:
      objects: |
        array:
          - |
            objectName: secret1
            objectAlias: SECRET_1
            objectType: secret

The result is that it is much easier to create this file (manually, and especially automatically, e.g. with HCL):

In AWS:

    spec = {
      provider = "aws"
      parameters = {
        # a flat list: yamlencode turns it straight into the objects string
        objects = yamlencode([
          {
            objectName  = aws_secretsmanager_secret.sensitive.id
            objectType  = "secretsmanager"
            objectAlias = "sensitive"
          }
        ])
      }
    }

In Azure:

    spec = {
      provider = "azure"
      parameters = {
        # <<- strips the common leading whitespace, so the YAML starts at column 0
        objects = <<-EOF
          array:
            - |
              objectName: ${var.ingress_cert_name}
              objectType: secret
        EOF
      }
    }

If I want to build this even more generically, I can simply iterate through a list in the AWS way. For Azure, I need to use weird templates.

Why is it implemented that way for Azure? Can this be improved?

sebafo · Apr 14 '23 11:04
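The nested-string layout the issue complains about, built from a plain list and parsed back the way the provider effectively reads it (outer `array` list first, then each `- |` block scalar as its own YAML document). This is an added example, not code from the issue author or from the secrets-store-csi-driver-provider-azure project. The `array:` / `- |` layout and the objectName, objectAlias and objectType keys come from the issue text; the `keyvaultName` and `tenantId` parameters, the `secrets-store.csi.x-k8s.io/v1` apiVersion and the accepted objectType values (secret, key, cert) are assumed from the provider's documentation, and the KvObject type and all function names are this example's own. The parser handles only the YAML subset this format uses, so it needs no YAML library, and the builder refuses names that would not survive as unquoted scalars rather than emitting a manifest that parses into something else.

```python
"""Build and check the Azure `objects` string from a plain list (added example)."""
from dataclasses import dataclass

ALLOWED_TYPES = ("secret", "key", "cert")  # assumed: the provider's objectType values

# Characters that change the meaning of an unquoted YAML scalar; values
# containing them are rejected rather than emitted (conservative list).
_UNSAFE = set(":#{}[],&*!|>'\"%@`\n\t")


@dataclass(frozen=True)
class KvObject:
    """One Key Vault object to mount; alias maps to the optional objectAlias."""
    name: str
    type: str = "secret"
    alias: str = ""


def _plain_scalar(value: str) -> str:
    """Return value only if it is safe to emit as an unquoted YAML scalar."""
    if not value or value != value.strip() or _UNSAFE & set(value):
        raise ValueError(f"not safe as a plain YAML scalar: {value!r}")
    return value


def build_objects_string(objects: list[KvObject]) -> str:
    """Emit the nested-YAML string the Azure provider expects in `objects`.

    Each entry becomes a `- |` block scalar whose content is itself a small
    YAML mapping: a string inside a string, which is why a flat list won't do.
    """
    if not objects:
        raise ValueError("at least one object is required")
    lines = ["array:"]
    for obj in objects:
        if obj.type not in ALLOWED_TYPES:
            raise ValueError(f"unknown objectType {obj.type!r}")
        lines.append("  - |")
        lines.append(f"    objectName: {_plain_scalar(obj.name)}")
        if obj.alias:
            lines.append(f"    objectAlias: {_plain_scalar(obj.alias)}")
        lines.append(f"    objectType: {obj.type}")
    return "\n".join(lines) + "\n"


def parse_objects_string(text: str) -> list[KvObject]:
    """Parse the YAML subset this format uses, the way the provider effectively
    does: outer `array` list first, then each block scalar on its own."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != "array:":
        raise ValueError("expected a top-level 'array:' key")
    entries, block, dash_indent = [], None, -1
    for line in lines[1:]:
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body == "- |":  # start of the next block scalar
            if block is not None:
                entries.append(_parse_entry(block))
            block, dash_indent = [], indent
        elif block is None or indent <= dash_indent:
            raise ValueError(f"line outside a '- |' block scalar: {line!r}")
        else:
            block.append(body)
    if block is not None:
        entries.append(_parse_entry(block))
    return entries


def _parse_entry(block: list[str]) -> KvObject:
    """Turn the `key: value` lines of one block scalar into a KvObject."""
    fields = {}
    for body in block:
        key, sep, value = body.partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value', got {body!r}")
        fields[key.strip()] = value.strip()
    missing = {"objectName", "objectType"} - fields.keys()
    if missing:
        raise ValueError(f"entry is missing {sorted(missing)}")
    if fields["objectType"] not in ALLOWED_TYPES:
        raise ValueError(f"unknown objectType {fields['objectType']!r}")
    return KvObject(fields["objectName"], fields["objectType"],
                    fields.get("objectAlias", ""))


def render_secret_provider_class(name: str, keyvault_name: str,
                                 tenant_id: str, objects: list[KvObject]) -> str:
    """Render a SecretProviderClass with the objects string embedded as a `|`
    block scalar, re-indented to sit under spec.parameters (assumed field names)."""
    nested = "".join(f"      {ln}\n"
                     for ln in build_objects_string(objects).splitlines())
    return (
        "apiVersion: secrets-store.csi.x-k8s.io/v1\n"
        "kind: SecretProviderClass\n"
        f"metadata:\n  name: {_plain_scalar(name)}\n"
        "spec:\n  provider: azure\n  parameters:\n"
        f"    keyvaultName: {_plain_scalar(keyvault_name)}\n"
        f"    tenantId: {_plain_scalar(tenant_id)}\n"
        "    objects: |\n" + nested
    )
```

Calling `render_secret_provider_class("azure-kv", "my-kv", "<tenant id>", [KvObject("secret1", alias="SECRET_1"), KvObject("ingress-cert")])` yields a manifest whose `objects:` block matches the Azure layout shown above, with the list entries indented two levels deeper than `objects:` itself; the same indentation shift is what the HCL heredoc has to reproduce. Running `parse_objects_string(build_objects_string(objs))` in CI is a cheap way to catch a template that silently produced a string the provider would reject.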