way to combine synced secrets + static values in single k8s secret? #247

Open
parkedwards opened this issue Apr 27, 2023 · 1 comment
Labels: question (Further information is requested)

Comments

@parkedwards

Question

While using SecretProviderClass to manage k8s secrets (in our case, we're syncing down GCP Secret Manager resources to k8s) - I have a need to create 1 k8s secret with multiple keys. Some keys will reference a GCP Secret Manager value, but some keys need to be static values

Is that possible at all?

Example:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secrets-provider
spec:
  provider: gcp
  secretObjects:
    - secretName: my-k8s-secret 
      type: Opaque
      data:
        - key: gcp-secret-key
          objectName: gcp-secret-manager-entry.txt
        - key: static-secret-key
          value: "something-static"

@parkedwards parkedwards added the question Further information is requested label Apr 27, 2023
@damir-dezeljin

May I kindly ask if this is possible? If not, what are the alternatives?

I'm using the CSI GCP Secret Manager to k8s Secrets sync driver for configuring ArgoCD resources such as repos, clusters, etc. Here are two examples that require repetitively defining GCP SM secrets with static values:

module "secret-manager" {
  source     = "GoogleCloudPlatform/secret-manager/google"
  version    = "~> 0.1"
  project_id = var.argocd_project_id
  secrets = [
    {
      name                  = "argocd-repo0-url"
      automatic_replication = true
      secret_data           = "https://my-git-server.cloud/repo0"
    },
    {
      name                  = "argocd-repo0-name"
      automatic_replication = true
      secret_data           = "My Repo 0"
    },
    {
      name                  = "argocd-repo0-type"
      automatic_replication = true
      secret_data           = "git"
    },
    {
      name                  = "argocd-repo0-username"
      automatic_replication = true
      secret_data           = "x-token-auth"
    },
    {
      # NOTE: This is the first real secret
      name                  = "argocd-repo0-password"
      automatic_replication = true
      secret_data           = "BC...AA"
    },

    # Kubernetes secrets for cluster gke-cluster
    {
      name                  = "argocd-cluster0-name"
      automatic_replication = true
      secret_data           = "in-cluster"
    },
    {
      name                  = "argocd-cluster0-server"
      automatic_replication = true
      secret_data           = "https://kubernetes.default.svc"
    },
    {
      name                  = "argocd-cluster0-config"
      automatic_replication = true
      # Indented heredoc (<<-) so the JSON body and the closing marker can stay indented.
      secret_data           = <<-_EOF_
      {
        "execProviderConfig": {
          "command": "argocd-k8s-auth",
          "args": ["gcp"],
          "apiVersion": "client.authentication.k8s.io/v1beta1"
        },
        "tlsClientConfig": {
          "insecure": false,
          "caData": "${base64encode(module.gke-cluster.cluster_ca_certificate)}"
        }
      }
      _EOF_
    }
  ]
}

The above example defines 8 secrets in GCP Secret Manager with most data really being static and public. There are just two real secret values for which it makes sense to store them in SM.

Now this is what I'm doing in the SecretProviderClass manifest:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: gcp-argocd
  namespace: argocd
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/my-gcp-project/secrets/argocd-cluster0-name/versions/latest"
        fileName: "argocd-cluster0-name"
      - resourceName: "projects/my-gcp-project/secrets/argocd-cluster0-server/versions/latest"
        fileName: "argocd-cluster0-server"
      - resourceName: "projects/my-gcp-project/secrets/argocd-cluster0-config/versions/latest"
        fileName: "argocd-cluster0-config"
      - resourceName: "projects/my-gcp-project/secrets/argocd-repo0-name/versions/latest"
        fileName: "argocd-repo0-name"
      - resourceName: "projects/my-gcp-project/secrets/argocd-repo0-url/versions/latest"
        fileName: "argocd-repo0-url"
      - resourceName: "projects/my-gcp-project/secrets/argocd-repo0-type/versions/latest"
        fileName: "argocd-repo0-type"
      - resourceName: "projects/my-gcp-project/secrets/argocd-repo0-username/versions/latest"
        fileName: "argocd-repo0-username"
      - resourceName: "projects/my-gcp-project/secrets/argocd-repo0-password/versions/latest"
        fileName: "argocd-repo0-password"
  secretObjects:
    - secretName: gcp-sm-to-argocd-repo0
      type: Opaque
      labels:
        argocd.argoproj.io/secret-type: repository # Used to define a repo
        # argocd.argoproj.io/secret-type: repo-creds # Used to define a secret template
      data:
        - objectName: "argocd-repo0-name"
          key: name
        - objectName: "argocd-repo0-url"
          key: url
        - objectName: "argocd-repo0-type"
          key: type
        - objectName: "argocd-repo0-username"
          key: username
        - objectName: "argocd-repo0-password"
          key: password
    - secretName: gcp-sm-to-argocd-cluster0
      type: Opaque
      labels:
        argocd.argoproj.io/secret-type: cluster
      data:
        - objectName: "argocd-cluster0-name"
          key: name
        - objectName: "argocd-cluster0-server"
          key: server
        - objectName: "argocd-cluster0-config"
          key: config

Frankly, this is totally cumbersome. What are the alternatives?

Thanks,
Damir
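
Added example, written for this thread and not code from either commenter, the secrets-store-csi-driver project or the GCP provider: a consistency check over a SecretProviderClass like the two above. It parses the `parameters.secrets` block scalar the GCP provider uses, then verifies that every `secretObjects[].data[].objectName` refers to something the provider actually mounts (the driver can only copy content it mounted, so an unmounted objectName leaves the Secret key empty), flags `type` values that are not one of Kubernetes' built-in Secret types (the API server accepts `Opague` as a custom type rather than rejecting it), and flags data entries carrying fields other than `objectName`/`key`, such as the static `value` proposed in the question. Assumptions, also marked in the code: that a data entry has no static `value` field, that the provider names the mounted file via `path` or the older `fileName`, and that Secret Manager resource names have the fixed shape `projects/<p>/secrets/<s>/versions/<v>`. Both inputs are constructed, cut-down versions of the manifests in this thread.

```python
import difflib
import re

# Secret types Kubernetes defines itself; any other string is accepted by the
# API server as a custom type, so a typo like "Opague" silently goes through.
BUILTIN_SECRET_TYPES = {
    "Opaque", "kubernetes.io/service-account-token", "kubernetes.io/dockercfg",
    "kubernetes.io/dockerconfigjson", "kubernetes.io/basic-auth",
    "kubernetes.io/ssh-auth", "kubernetes.io/tls", "bootstrap.kubernetes.io/token",
}
# Assumption: a secretObjects data entry only maps a mounted object to a key;
# a static "value" field is not part of the schema.
ALLOWED_DATA_FIELDS = {"objectName", "key"}
# Assumption: Secret Manager resource names always have this shape.
GCP_RESOURCE_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/[^/]+$")


def parse_secrets_param(text):
    """Parse the GCP provider's `parameters.secrets` block: a YAML list of flat
    mappings ("- resourceName: ...", "  fileName: ..."). Only that subset is handled."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            items.append({})
            line = line[2:].strip()
        if not items:
            raise ValueError("mapping line before the first list item: %r" % raw)
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("expected 'key: value', got %r" % raw)
        items[-1][key.strip()] = value.strip().strip('"').strip("'")
    return items


def mounted_files(spec):
    """Return ({mounted file name: resource name}, findings)."""
    files, findings = {}, []
    for i, item in enumerate(parse_secrets_param(spec.get("parameters", {}).get("secrets", ""))):
        resource = item.get("resourceName", "")
        if not GCP_RESOURCE_RE.match(resource):
            findings.append(("BAD_RESOURCE_NAME", "parameters.secrets[%d]: %r" % (i, resource)))
        # Assumption: `path` is the current key, `fileName` (used above) the older spelling.
        name = item.get("path") or item.get("fileName")
        if not name:
            findings.append(("MISSING_FILE_NAME", "parameters.secrets[%d]" % i))
            continue
        files[name] = resource
    return files, findings


def check_secret_provider_class(spc):
    """Return (code, detail) findings; an empty list means the SPC is consistent."""
    spec = spc.get("spec", {})
    files, findings = mounted_files(spec)
    referenced = set()
    for i, obj in enumerate(spec.get("secretObjects", [])):
        where = "secretObjects[%d] (%s)" % (i, obj.get("secretName", "?"))
        stype = obj.get("type")  # an omitted type is left to the driver's default
        if stype is not None and stype not in BUILTIN_SECRET_TYPES:
            hint = difflib.get_close_matches(stype, sorted(BUILTIN_SECRET_TYPES), n=1)
            detail = "%s: type %r is not a built-in Secret type" % (where, stype)
            if hint:
                detail += " (did you mean %r?)" % hint[0]
            findings.append(("UNKNOWN_SECRET_TYPE", detail))
        for j, entry in enumerate(obj.get("data", [])):
            extra = sorted(set(entry) - ALLOWED_DATA_FIELDS)
            if extra:
                findings.append(("UNSUPPORTED_FIELD", "%s.data[%d]: %s" % (where, j, ", ".join(extra))))
            name = entry.get("objectName")
            if name is None:
                findings.append(("MISSING_OBJECT_NAME", "%s.data[%d] (key %r)" % (where, j, entry.get("key"))))
            elif name not in files:
                # The driver only copies content it mounted; this Secret key would stay empty.
                findings.append(("NOT_MOUNTED", "%s.data[%d]: objectName %r" % (where, j, name)))
            else:
                referenced.add(name)
    for name in sorted(set(files) - referenced):
        findings.append(("UNSYNCED_OBJECT", "%r is mounted into the pod volume but copied to no Secret" % name))
    return findings


# Constructed input 1: the syntax proposed in the question, plus a parameters block it omits.
PROPOSED_SPC = {"spec": {"provider": "gcp", "parameters": {"secrets": (
    '- resourceName: "projects/my-gcp-project/secrets/gcp-secret-manager-entry/versions/latest"\n'
    '  fileName: "gcp-secret-manager-entry.txt"\n')},
    "secretObjects": [{"secretName": "my-k8s-secret", "type": "Opaque", "data": [
        {"key": "gcp-secret-key", "objectName": "gcp-secret-manager-entry.txt"},
        {"key": "static-secret-key", "value": "something-static"}]}]}}

# Constructed input 2: a cut-down Argo CD repo manifest with the "Opague" typo, one
# objectName that is never mounted, and one mounted object that no Secret references.
ARGOCD_SPC = {"spec": {"provider": "gcp", "parameters": {"secrets": (
    '- resourceName: "projects/my-gcp-project/secrets/argocd-repo0-url/versions/latest"\n'
    '  fileName: "argocd-repo0-url"\n'
    '- resourceName: "projects/my-gcp-project/secrets/argocd-repo0-username/versions/latest"\n'
    '  fileName: "argocd-repo0-username"\n'
    '- resourceName: "projects/my-gcp-project/secrets/argocd-repo0-password/versions/latest"\n'
    '  fileName: "argocd-repo0-password"\n')},
    "secretObjects": [{"secretName": "gcp-sm-to-argocd-repo0", "type": "Opague",
        "labels": {"argocd.argoproj.io/secret-type": "repository"}, "data": [
        {"objectName": "argocd-repo0-name", "key": "name"},
        {"objectName": "argocd-repo0-url", "key": "url"},
        {"objectName": "argocd-repo0-password", "key": "password"}]}]}}

if __name__ == "__main__":
    for label, spc in (("proposed", PROPOSED_SPC), ("argocd", ARGOCD_SPC)):
        print(label)
        for code, detail in check_secret_provider_class(spc):
            print("  %-20s %s" % (code, detail))
```

Run as a pre-apply step in CI next to the SecretProviderClass manifests; the `UNSYNCED_OBJECT` finding is informational (the object still lands in the pod volume), the others mean the Secret will not come out as intended.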
