
Feature request - support multiple Secrets injection

Open AmitBaranes opened this issue 3 years ago • 15 comments

As far as I can tell, currently we can inject only one secret using secrets.k8s.aws/secret-arn. It would be nice to inject multiple secrets into a given pod.

AmitBaranes avatar Feb 18 '21 15:02 AmitBaranes

That's right. There is a fork of this project that supports multiple secrets.

jicowan avatar Feb 19 '21 16:02 jicowan

Thanks for the fast response!

Would you mind sharing it? Any estimation time on when this change will be merged?

AmitBaranes avatar Feb 20 '21 16:02 AmitBaranes

See the aws-samples:multi-secret branch. There are no plans to merge it at the moment.

jicowan avatar Mar 02 '21 16:03 jicowan

It's quite a fundamental bit of functionality: "requesting more than one secret". I've been testing the multi-secret branch. It's a bit of a faff trying to get things working, due to the gitpages.io repo not serving the updated charts.

themattkeating avatar Mar 10 '21 09:03 themattkeating

How do I get the Helm chart for the multi-secret branch?

divyangjp avatar Mar 20 '21 10:03 divyangjp

This feature is really important in my case: injecting my certificate and my key into my nginx pod.

devopsmash avatar Apr 13 '21 06:04 devopsmash

Wonderful and easy-to-use tool, but indeed, a multi-secret feature would help a lot.

adriantaut avatar Apr 22 '21 12:04 adriantaut

See the aws-samples:multi-secret branch. There are no plans to merge it at the moment.

@jicowan I am using this project in production, and it's often asked to support multiple secrets. So I was wondering why you wouldn't support/merge the multi-secret fork?

bjethwan avatar Apr 29 '21 06:04 bjethwan

@bjethwan I think it might be related to the recommendation to use the just-released ASCP project, as described in this project's README.

https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/

You can give it a try; it seems to work just fine within our EKS implementation.

adriantaut avatar Apr 29 '21 08:04 adriantaut

@adriantaut The CSI driver is cool (I was in the loop with the CSI driver PM team), but it doesn't fit the design of my k8s-based platform. Further, the cost ($) of the poll-based rotation reconciler is bothersome.

bjethwan avatar Apr 29 '21 13:04 bjethwan

@bjethwan Ah ok, I'm wondering why it does not fit. I think you can disable the reconciler.

adriantaut avatar Apr 29 '21 14:04 adriantaut

@bjethwan @adriantaut The cost of polling is pretty negligible ($0.05 per 10,000 API calls), and you can configure the polling interval or disable it altogether. We are not supporting the multi-secret branch because it is a complete rewrite of the sidecar/admission controller and we're not prepared to support it. We were hoping the contributor would maintain it, but that has not come to pass.

jicowan avatar Apr 29 '21 16:04 jicowan
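For the ASCP route suggested in the two comments above, here is an added example of what "multiple secrets in one pod" looks like with the Secrets Store CSI driver plus the AWS provider, followed by the Helm values that control the rotation reconciler's polling. This is not code from aws-secret-sidecar-injector, its multi-secret branch, or the ASCP project; the secret ARNs, account ID, names, namespace, service account and image are placeholders, and the objectAlias file names and mount path are assumptions chosen for the nginx certificate-and-key case mentioned earlier in the thread.

```yaml
# Added example, not from the project. Two Secrets Manager secrets mounted as
# files into one pod through the Secrets Store CSI driver + AWS provider (ASCP).
# ARNs, account ID, names, namespace, service account and image are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: nginx-tls-secrets          # placeholder
  namespace: web                   # placeholder
spec:
  provider: aws
  parameters:
    # Each entry is fetched on its own, so the list can hold as many secrets as
    # the pod needs; nothing here is written to a Kubernetes Secret object.
    objects: |
      - objectName: "arn:aws:secretsmanager:us-east-1:111122223333:secret:nginx/tls-cert-AbCdEf"
        objectType: "secretsmanager"
        objectAlias: "tls.crt"     # file name under the mount path (assumed)
      - objectName: "arn:aws:secretsmanager:us-east-1:111122223333:secret:nginx/tls-key-GhIjKl"
        objectType: "secretsmanager"
        objectAlias: "tls.key"     # file name under the mount path (assumed)
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx                      # placeholder
  namespace: web
spec:
  # IRSA: this service account must carry the eks.amazonaws.com/role-arn
  # annotation for a role that allows secretsmanager:GetSecretValue and
  # secretsmanager:DescribeSecret on the two ARNs above, and nothing broader.
  serviceAccountName: nginx-sa     # placeholder
  containers:
  - name: nginx
    image: nginx:1.25              # placeholder
    volumeMounts:
    - name: tls
      mountPath: /etc/nginx/tls    # assumed; nginx reads tls.crt and tls.key here
      readOnly: true
  volumes:
  - name: tls
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: nginx-tls-secrets
---
# Helm values for the secrets-store-csi-driver chart (separate from the
# SecretProviderClass above). Rotation is off by default; when it is on, every
# mounted object is re-read from Secrets Manager once per interval, which is
# what the polling cost discussed above is paid for. A long interval bounds
# the GetSecretValue call volume; leaving enableSecretRotation false removes
# the polling entirely at the price of no in-place refresh.
enableSecretRotation: true
rotationPollInterval: 1h
```

Rotation works on the mounted files only: a process that read tls.key once at startup will keep the old key until it re-reads the file or is restarted, so pair a long interval with a reload hook rather than assuming the container sees new material automatically.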

We ended up writing our own service to support this request, I can share the source code if interested.

AmitBaranes avatar Jun 21 '21 09:06 AmitBaranes

We ended up writing our own service to support this request, I can share the source code if interested.

Sure @AmitBaranes, I would be interested.

adriantaut avatar Jun 22 '21 06:06 adriantaut

We ended up writing our own service to support this request, I can share the source code if interested.

@AmitBaranes - Also interested; looking at keeping secrets out of k8s "secrets" objects but still utilizing k8s IRSA.

KyMidd avatar Jul 25 '22 16:07 KyMidd