secrets-store-csi-driver-provider-azure
secrets-store-csi-driver-provider-azure copied to clipboard
Azure
Provide more native configuration for secrets/keys in SecretProviderClass
Describe the solution you'd like
The current configuration feels a bit odd with the objects.array which is a mix of secrets & keys.
Example from README:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: azure-kvname
spec:
provider: azure
parameters:
usePodIdentity: "false" # [OPTIONAL for Azure] if not provided, will default to "false"
useVMManagedIdentity: "false" # [OPTIONAL available for version > 0.0.4] if not provided, will default to "false"
userAssignedIdentityID: "client_id" # [OPTIONAL available for version > 0.0.4] use the client id to specify which user assigned managed identity to use. If using a user assigned identity as the VM's managed identity, then specify the identity's client id. If empty, then defaults to use the system assigned identity on the VM
keyvaultName: "kvname" # the name of the KeyVault
cloudName: "" # [OPTIONAL available for version > 0.0.4] if not provided, azure environment will default to AzurePublicCloud
objects: |
array:
- |
objectName: secret1
objectAlias: SECRET_1 # [OPTIONAL available for version > 0.0.4] object alias
objectType: secret # object types: secret, key or cert
objectVersion: "" # [OPTIONAL] object versions, default to latest if empty
- |
objectName: key1
objectAlias: ""
objectType: key
objectVersion: ""
resourceGroup: "rg1" # [REQUIRED for version < 0.0.4] the resource group of the KeyVault
subscriptionId: "s
While it would feel more natural to be able to use this approach:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: azure-kvname
spec:
provider: azure
parameters:
usePodIdentity: "false" # [OPTIONAL for Azure] if not provided, will default to "false"
useVMManagedIdentity: "false" # [OPTIONAL available for version > 0.0.4] if not provided, will default to "false"
userAssignedIdentityID: "client_id" # [OPTIONAL available for version > 0.0.4] use the client id to specify which user assigned managed identity to use. If using a user assigned identity as the VM's managed identity, then specify the identity's client id. If empty, then defaults to use the system assigned identity on the VM
keyvaultName: "kvname" # the name of the KeyVault
cloudName: "" # [OPTIONAL available for version > 0.0.4] if not provided, azure environment will default to AzurePublicCloud
secrets:
- name: secret1
alias: SECRET_1
version: ""
keys:
- keys: key1
alias: KEY_1
version: ""
resourceGroup: "rg1" # [REQUIRED for version < 0.0.4] the resource group of the KeyVault
subscriptionId: "s
Anything else you would like to add: I'm not an expert in Kubernetes extensibility so it might be because of a technical limitation, but I would prefer the above proposal which is cleaner for people who are new to it.
you can't duplicate "secrets:" key. that's how arrays work in yaml, looks at "container" behavior. but I do agree, key names are not obvious
Sorry, it was a copy paste mistake - I've updated the sample to use keys instead
Is there any way to consume all secrets/keys from a Key Vault? I think the solution where you need to specify secrets/keys one by one is not very viable.
Implementing the proposed format would also make kustomize manipulation possible.
Stumbled-upon same issue when using Kustomize. No way to patch the array of secrets. Would be awesome to have something like the proposed structure in place since it is similar to the approach taken for populating K8s secrets from KeyVault (cf. Azure docs)
