
Support for extracting JSON paths from a secret

Open Garbett1 opened this issue 3 years ago • 18 comments

Extracting JSON paths from secrets

We use JSON strings in our secret and would like to be able to configure the SecretProviderClass to extract the value for a specific key.

There is prior art in both HashiCorp Vault and AWS Secret Manager (see jmesPath).

I'm happy to raise a PR to add this functionality, but want to confirm what approach to extract the key would be ideal.

HashiCorp Vault only allows specifying a key, while AWS allows an arbitrary path to extract. If I was to raise a PR adding this, which approach would be preferred? Specifying only the key is simpler but less flexible.

Environment:

  • Secrets Store CSI Driver version: (use the image tag): v1.1.1+
  • Azure Key Vault provider version: (use the image tag): v1.1.0+
  • Kubernetes version: (use kubectl version): 1.21.0+
  • Cluster type: (e.g. AKS, aks-engine, etc): AKS

Garbett1 avatar May 09 '22 17:05 Garbett1

Hi @Garbett1, Thanks for opening the issue. Could you describe your approach? Also, a PR is always welcome. We can review the implementation there as well.

nilekhc avatar May 10 '22 00:05 nilekhc

Hi @nilekhc ,

Given a secret of:

{
  "foo": "123",
  "bar": "456"
}

and a SecretProviderClass of:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname-wi
spec:
  provider: azure
  parameters:
    # omitting other fields
    objects: |
      array:
        - |
          objectName: example-secret
          objectType: secret
          jsonPath:
            - path: foo
              objectAlias: fooThing
            - path: bar
              objectAlias: barThing

If I mounted the secret at /mnt/secrets-store, I'd expect to find two files, fooThing and barThing, with the contents 123 and 456 respectively.

Garbett1 avatar May 10 '22 11:05 Garbett1
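As an added example (not code from the issue or from the provider itself), a Go sketch of the extraction step proposed above: take the raw JSON secret and the jsonPath entries, and return one file name and content per entry. It assumes entries are given as a map of objectAlias to path, and that dotted paths may address nested keys, which goes beyond the top-level keys shown in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ExtractJSONPaths resolves each entry of the proposed jsonPath list against the
// raw secret value and returns fileName -> content; entries maps objectAlias (the
// file name under the mount) to the path inside the JSON. Dotted paths for nested
// keys are an assumption here (the issue only shows top-level keys).
func ExtractJSONPaths(secret []byte, entries map[string]string) (map[string]string, error) {
	var doc interface{}
	if err := json.Unmarshal(secret, &doc); err != nil {
		return nil, fmt.Errorf("secret is not valid JSON: %w", err)
	}
	out := make(map[string]string, len(entries))
	for alias, path := range entries {
		// The alias becomes a file name: reject separators and dot-prefixed names.
		if alias == "" || strings.ContainsAny(alias, `/\`) || strings.HasPrefix(alias, ".") {
			return nil, fmt.Errorf("objectAlias %q is not a plain file name", alias)
		}
		cur := doc
		for _, key := range strings.Split(path, ".") {
			obj, ok := cur.(map[string]interface{})
			if !ok {
				return nil, fmt.Errorf("path %q: %q is not inside a JSON object", path, key)
			}
			if cur, ok = obj[key]; !ok {
				return nil, fmt.Errorf("path %q: key %q not found", path, key)
			}
		}
		if s, ok := cur.(string); ok {
			out[alias] = s // string values are written verbatim
		} else if b, err := json.Marshal(cur); err == nil {
			out[alias] = string(b) // nested objects/numbers are re-serialised as JSON
		} else {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: the issue's example secret and its two jsonPath entries.
	files, err := ExtractJSONPaths([]byte(`{"foo":"123","bar":"456"}`),
		map[string]string{"fooThing": "foo", "barThing": "bar"})
	fmt.Println(files, err) // map[barThing:456 fooThing:123] <nil>
}
```

A missing key is reported as an error rather than producing an empty file, so a typo in the path fails the mount instead of silently handing the pod an empty credential.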

Hey @Garbett1 We are going to discuss this in the next community call on May 26th, 2022. I have added it to the agenda. Please feel free to join.

Details are here: https://docs.google.com/document/d/1q74nboAg0GSPcom3kLWCIoWg43Qg3mr306KNL58f2hg/edit?usp=sharing

nilekhc avatar May 16 '22 20:05 nilekhc

I'll try to make it! I have another meeting around that time, so might not be possible to join.

Garbett1 avatar May 19 '22 11:05 Garbett1

I wasn't able to make it to the office hours. Do you know when the recording of the office hours will be uploaded?

Garbett1 avatar May 20 '22 09:05 Garbett1

> I wasn't able to make it to the office hours. Do you know when the recording of the office hours will be uploaded?

It is usually available after the meeting. The link will be posted in the #csi-secrets-store Slack channel.

nilekhc avatar May 20 '22 17:05 nilekhc

I'm also interested in this feature. I need it for a project, so I have two questions:

  1. Is there an alternative?
  2. Where do I start in order to create or modify the CSI provider driver?

jalvarado-it avatar Sep 28 '22 21:09 jalvarado-it

I can't see this issue in the Roadmap so I just wanted to check if there are any plans to add this?

It would be very valuable for our workflows as we tend to store many secrets for an application in a JSON blob. Some of the secrets should be env vars so it would be very useful if I could extract those variables from the JSON and create a secret from them automatically.

dhirschfeld avatar Nov 17 '22 03:11 dhirschfeld

@jesusalvb @dhirschfeld Let's discuss this requirement in the next community call. Could you attend the next one on 12/08?

https://docs.google.com/document/d/1q74nboAg0GSPcom3kLWCIoWg43Qg3mr306KNL58f2hg/edit#

nilekhc avatar Nov 30 '22 00:11 nilekhc

Hi @nilekhc, Thanks for reaching out. 11am EST might be a bit tough as that's 2am here (AEST)!

I'm happy to answer any questions here, or in a discussion if that works?

dhirschfeld avatar Nov 30 '22 03:11 dhirschfeld

> Hi @nilekhc, Thanks for reaching out. 11am EST might be a bit tough as that's 2am here (AEST)!
>
> I'm happy to answer any questions here, or in a discussion if that works?

I'll discuss this in the community call and update you here.

nilekhc avatar Nov 30 '22 19:11 nilekhc

If this feature was implemented, shouldn't it be completely generic and not at the driver level?

Also, this sounds like a good use case for CEL since that is what Kubernetes uses for CRD validation and admission policy (and plans to use for JWT claim extraction/validation).

enj avatar Dec 06 '22 20:12 enj

Hello, happy New Year! I'm just circling back to check if there was any discussion of this issue on the community call?

I'm currently wanting to specify both the azurestorageaccountname and azurestorageaccountkey to map in an Azure Files volume (similar to https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/1009#issuecomment-1297991654).

Since you can't specify the name as a static value, it forces you to create two separate secrets in your Key Vault - one for the name of the account to use and one for the key. Having to create two separate secrets is a bit cumbersome/awkward and also introduces the possibility for bugs.

The secrets are associated and don't make sense individually - if someone changes the storage account but forgets to update the storage account name secret it won't work. It's less likely that someone will forget to update an associated secret if all related information is stored in a single Key Vault secret which is a JSON blob.

dhirschfeld avatar Jan 09 '23 00:01 dhirschfeld

Hi @dhirschfeld We did discuss this in the community call. There is a PR out for this - https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/963

Keep an eye on this.

nilekhc avatar Jan 10 '23 22:01 nilekhc

Thanks for the update and the link @nilekhc - I'll follow that PR!

dhirschfeld avatar Jan 11 '23 03:01 dhirschfeld

Any update on this change? I am thinking of using Azure Key Vault, which has a JSON-format secret, and I am using the Azure CSI driver to read it on the pod using a volume mount, including secrets which will be exposed as env vars on the pod.

swati-delphix avatar Dec 01 '23 14:12 swati-delphix

Hey there :) Still nothing about this...?

It's hard to manage hundreds of secrets.

bencat-sixense avatar Apr 16 '24 07:04 bencat-sixense