Configurable template delimiters

Open paulfantom opened this issue 4 years ago • 9 comments

First of all, thank you so much for this project and for adding https://github.com/bitnami-labs/sealed-secrets/pull/580 in the latest release! This allowed me to remove my dependency on ConfigMapSecret and use only SealedSecrets instead!

I do have one issue with configuration files that contain golang-based templates (mainly alertmanager configuration like this one). Would it be possible to either use non-default delimiters for injecting a secret into a larger config? Or maybe it would be possible to allow configuring delimiters and allowing something different than the default {{ and }}?

Just to note, there is an option for this in the standard library: https://golang.org/pkg/text/template/#Template.Delims

paulfantom, May 11 '21 13:05

I would love to see this feature too. In my argo cd workflow based on helm charts, helm tries to template the secret with its own var from values.yaml.

Brice187, Jul 01 '21 11:07

For helm you should be able to escape the braces with

{{` .... `}}

I.e.

{{`{{ .... }}`}}

mkmik, Jul 01 '21 11:07

Thank you:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: database-secret
  namespace: example
spec:
  encryptedData:
    database: <encrypted value omitted>
  template:
    data:
      db-example.conf: |
        DBHOST = 10.0.0.1
        DBPORT = 5432
        DBNAME = exampledb
        DBUSER = example
        DBPASS = '{{`{{ index . "database" }}`}}'
    metadata:
      creationTimestamp: null
      name: database-secret
      namespace: example

Works like a charm!

Brice187, Jul 01 '21 16:07

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot], Jan 28 '22 01:01

/refresh

paulfantom, Jan 31 '22 21:01

@paulfantom could you please make a proposal for how you would envision the configuration of the delimiters to look?

mkmik, Feb 01 '22 09:02

Upvoting this too - would be REALLY useful - for when you have configs that are large (but use {{ .. ) - and need a few secrets inside them.

KlavsKlavsen, Feb 02 '22 11:02

@mkmik I think the most flexible would be to extend SealedSecrets CRD by adding the following:

spec:
  delimeters:
    right: ""
    left: ""

or

spec:
  template:
    delimeters:
      right: ""
      left: ""

Then the controller can pick this up and use those strings as part of the func (t *Template) Delims(left, right string) function before running Parse() in https://github.com/bitnami-labs/sealed-secrets/blob/main/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go#L288.

While writing how to do this I figured it should be a fairly simple change, so if you agree on the path described above, I can create a PR :)

paulfantom, Feb 02 '22 12:02

I like

spec:
  template:
    delimeters:
      right: ""
      left: ""

mkmik, Feb 02 '22 12:02