Store the secrets in mounted file as YAML instead of JSON format #199

Open
Constantin07 opened this issue Mar 6, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@Constantin07
Copy link

Constantin07 commented Mar 6, 2023

At the moment the secrets are stored in JSON format. It would be nice to add support for YAML format, maybe something like objectFormat.

Reason: We want to support auto-reload in a Java app when a secret is updated in AWS Secrets Manager. It works with a YAML secrets file but doesn't work with JSON. Another reason is that we would like to avoid writing our own implementation in Java but rather use what is already supported and working.

@Constantin07 Constantin07 added the enhancement New feature or request label Mar 6, 2023
@jbct
Copy link

jbct commented Oct 2, 2023

Hi constantin07 - could you provide a bit more information on the use case and the library that you're using to auto-reload yaml files?

@cbugneac-nex
Copy link

Hi @jbct
We managed to use the JSON format so this feature request can be closed.

@tmartin
Copy link

tmartin commented Nov 5, 2023

EDIT: Sorry, my comment is a duplicate of this issue #46

Hi there, I would like to add another use case for using YAML format that could be very useful IMO.

When using a Secret with key-value pairs in AWS Secrets Manager, if you sync it to a K8S Secret, you get a JSON string at the moment. Now if I want to create an env var for each key-value pair in my Secret, I have to do it manually using jmesPath in my SecretProviderClass and declare each one in spec.secretObjects[].data.

Here's an example of what I have to do today:

---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: test-secret-class
  namespace: test-secret
spec:
  provider: aws
  secretObjects:
    - secretName: test-secret
      type: Opaque
      data:
        - objectName: "secret-username"
          key: USER
        - objectName: "secret-password"
          key: PASS
  parameters:
    objects: |
      - objectName: "MySecret"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: "secret-username"
          - path: password
            objectAlias: "secret-password"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-secret-deployment
  namespace: test-secret
  labels:
    app: test-secret-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-secret-app
  template:
    metadata:
      labels:
        app: test-secret-app
    spec:
      serviceAccountName: secrets-store-csi-sa
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "test-secret-class"
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        envFrom:
        - secretRef:
            name: "test-secret"
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true

If the secret could be directly created in YAML format, I wouldn't need to use the jmesPath nor the data array in my SecretProviderClass.

What do you guys think?
Cheers.
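As an added illustration (not code from the issue, the CSI driver or the AWS provider), the script below models the data flow that the SecretProviderClass and Deployment above set up today: the key/value secret arrives as one JSON string, each jmesPath entry becomes a file under the mount path named by its objectAlias, each spec.secretObjects[].data entry maps one of those files to a Kubernetes Secret key, and envFrom.secretRef turns every key into an environment variable. It also renders the same secret as the flat YAML file the comment asks for, so the two shapes can be compared side by side. The secret values, the `resolve_path` helper (a deliberately minimal stand-in for the JMESPath subset used here, plain identifiers and dotted sub-keys) and `to_flat_yaml` are constructed for this example only.

```python
import base64
import json

# Constructed sample: the JSON string AWS Secrets Manager returns for a
# key/value secret named "MySecret". Not a real credential.
MYSECRET_JSON = '{"username": "app-user", "password": "example-only-p4ss"}'

# The jmesPath entries from the SecretProviderClass in the comment above.
JMES_PATH_ENTRIES = [
    {"path": "username", "objectAlias": "secret-username"},
    {"path": "password", "objectAlias": "secret-password"},
]

# The spec.secretObjects[].data entries: mounted file -> Kubernetes Secret key.
SECRET_OBJECT_DATA = [
    {"objectName": "secret-username", "key": "USER"},
    {"objectName": "secret-password", "key": "PASS"},
]


def resolve_path(doc, path):
    """Resolve a plain or dotted key path ('username', 'db.host') in a JSON document.

    Hypothetical minimal resolver for this example; it is not the provider's
    real JMESPath evaluator and supports only identifier paths.
    """
    current = doc
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            raise KeyError(f"path {path!r} not found in secret")
        current = current[part]
    return current


def mount_files(secret_json, jmes_entries):
    """Return {objectAlias: file content} for the files written under the mount path."""
    doc = json.loads(secret_json)
    files = {}
    for entry in jmes_entries:
        value = resolve_path(doc, entry["path"])
        # A mounted file holds text, so non-string values are serialised as JSON.
        files[entry["objectAlias"]] = value if isinstance(value, str) else json.dumps(value)
    return files


def build_k8s_secret(files, data_entries):
    """Build the Kubernetes Secret 'data' map (base64 values) from the mounted files.

    Every objectName must match an objectAlias; a typo here is a config error,
    not a silently empty variable, so it is raised.
    """
    data = {}
    for entry in data_entries:
        if entry["objectName"] not in files:
            raise KeyError(f"objectName {entry['objectName']!r} has no matching objectAlias")
        content = files[entry["objectName"]]
        data[entry["key"]] = base64.b64encode(content.encode()).decode()
    return data


def env_from_secret(data):
    """What envFrom.secretRef yields: each Secret key becomes an environment variable."""
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def to_flat_yaml(secret_json):
    """Render a flat JSON secret as the YAML file requested in the issue.

    Assumption for this example: only a flat mapping is handled, and values are
    emitted as JSON-style double-quoted strings, which YAML reads as plain strings.
    """
    doc = json.loads(secret_json)
    return "".join(f"{key}: {json.dumps(str(value))}\n" for key, value in doc.items())


if __name__ == "__main__":
    files = mount_files(MYSECRET_JSON, JMES_PATH_ENTRIES)
    secret_data = build_k8s_secret(files, SECRET_OBJECT_DATA)
    print("mounted files:", sorted(files))
    print("Secret keys:", sorted(secret_data))
    print("env vars:", sorted(env_from_secret(secret_data)))
    print("YAML form:\n" + to_flat_yaml(MYSECRET_JSON), end="")
```

Running it shows why the comment calls the current configuration manual: every key needs a jmesPath entry plus a matching data entry, and a mismatch between objectAlias and objectName only surfaces at sync time. Note also that the env-var route copies each value into the container's process environment, where it is readable by anything that can inspect the process, whereas the mounted file keeps it on a read-only volume.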
