garden icon indicating copy to clipboard operation
garden copied to clipboard

Published 20 hours ago verified publisher icon garden-io

[FEATURE]: Ability to perform UPSERT garden secrets

Open pbabbott opened this issue 3 years ago • 1 comments

Feature Request

Background / Motivation

At our company, we have a strict policy that secrets must be provisioned into an Azure Key Vault (AKV). We found alignment with our security team that secrets can be synchronized from AKV into garden enterprise secrets. So, our team has constructed a way to read all secrets from AKV and execute garden cloud secrets create [secrets] for each secret to obtain parity.

Unfortunately, now when a secret changes (as in the case of a password rotation), our Azure Key Vault is updated, but the only way to update the corresponding secret in garden enterprise is to manually delete it, and then re-create it. This has rendered our synchronization routine useless.

What should the user be able to do?

garden cloud secrets set [secret_name]=[secret_value]

This command should update a secret, and if it doesn't exist, it should create it. Effectively, an "upsert."

Why do they want to do this? What problem does it solve?

This would allow us to synchronize secrets into garden secrets in an idempotent way. That is, being able to UPSERT a secret would allow us to load secrets en-masse and have everything in sync with external syste.

Suggested Implementation(s)

I could see this feature revealing itself in two ways:

  • As mentioned above, a way to use the command line to UPSERT secrets would be immensely helpful. I chose the word set as it felt more flexible than update and upsert sounded kind-of awkward.
  • On the garden enterprise secrets page, it would be nice to be able to click on a secret and be able to edit its value (this is not necessary for our team, but it does kind of fit in with this feature request).

How important is this feature for you/your team?

🌵 Not having this feature makes using Garden painful

We're able to get by with out it, as we can delete and re-create secrets, but it leads to situations where passwords are updated in one place, and not another, resulting in un-expected behavior.

pbabbott avatar Jul 29 '22 00:07 pbabbott

Thanks for reporting this! This feature requires some changes in Garden Cloud. We're going to look into this soon.

vvagaytsev avatar Aug 18 '22 09:08 vvagaytsev

This issue has been automatically marked as stale because it hasn't had any activity in 90 days. It will be closed in 14 days if no further activity occurs (e.g. changing labels, comments, commits, etc.). Please feel free to tag a maintainer and ask them to remove the label if you think it doesn't apply. Thank you for submitting this issue and helping make Garden a better product!

stale[bot] avatar Jan 07 '23 20:01 stale[bot]

This issue has been automatically marked as stale because it hasn't had any activity in 90 days. It will be closed in 14 days if no further activity occurs (e.g. changing labels, comments, commits, etc.). Please feel free to tag a maintainer and ask them to remove the label if you think it doesn't apply. Thank you for submitting this issue and helping make Garden a better product!

stale[bot] avatar May 21 '23 20:05 stale[bot]