Add support for Go templating #43
@lasred please take a look when you have time
@joebaro @lasred @willtong1234 any chance to get a review?
Hi, I had the same problem and discovered some things not working in @martinhaus's code, so I made another PR. Work is still needed for testing and code improvement, as I don't know Golang. Please check PR
Is there any ETA when this feature can be available?
There are three existing options that can already be used to achieve what you want:
@joebaro we are looking to see if this can support what Vault can do similar to here - https://developer.hashicorp.com/vault/docs/platform/k8s/injector#secret-templates
The CSI driver uses a daemon set architecture. That is to say, the driver and plugins run as trusted containers on every node. This means the introduction of an executable template raises additional security concerns around the ability to break out of the templates or their misconfiguration. It is not clear what format your secrets are in or if you are moving them over and trying to reformat them. Option 1. may still apply to your use case; you could store them directly in the desired format. Secrets Manager and the CSI driver pass through the secrets unchanged. The Vault solution you pointed out is not the CSI Vault plugin but an alternate sidecar implementation. There are also other sidecar solutions like External Secrets, which work with Secrets Manager and provide templates that may or may not be a better fit for your use case. Obviously there is also the option of cloning this repo and running your own private build to add on the features you are looking for. Instructions for that are provided in the Private Builds section of the readme.
Description of changes:
We're trying to use the AWS CSI secrets provider as a universal way of integrating AWS Secrets Manager to all of our apps that we run in EKS.
Ultimately we would like to be able to specify a format in which the file containing secrets from SM should be created. For example, we would like to be able to format the secrets in the following fashion, in order to be able to source them in bash later:
export KEY1=VALUE1
export KEY2=VALUE2
Similar functionality already exists in Vault Agent, used with HashiCorp's Vault:
https://www.vaultproject.io/docs/platform/k8s/injector#secret-templates
This PR adds an option to specify a Go template in an objectTemplate variable in the object's parameters. This template is then used to transform the JSON format that is produced by default into a desired format.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
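
An added example, not code from this PR or the project: one way a Go template could render a flat JSON secret as `export KEY=VALUE` lines while keeping the resulting file safe to source in bash, which bears on the template misconfiguration concern raised in the conversation. The names `renderExports`, `shellQuote`, the `shq` template function and the template text are assumptions and do not reflect the PR's actual `objectTemplate` syntax.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// validKey limits keys to POSIX shell variable names.
var validKey = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// shellQuote (hypothetical helper) wraps a value in single quotes and escapes
// embedded single quotes, so bash treats it as literal data when sourced.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// exportTmpl is an assumed template; keys are emitted in sorted order.
var exportTmpl = template.Must(template.New("exports").
	Funcs(template.FuncMap{"shq": shellQuote}).
	Parse("{{range $k, $v := .}}export {{$k}}={{shq $v}}\n{{end}}"))

// renderExports (hypothetical) parses a flat JSON secret, rejects keys that
// are not valid variable names, and renders one quoted export line per key.
func renderExports(secretJSON []byte) (string, error) {
	var kv map[string]string
	if err := json.Unmarshal(secretJSON, &kv); err != nil {
		return "", fmt.Errorf("secret is not a flat JSON object of strings: %w", err)
	}
	for k := range kv {
		if !validKey.MatchString(k) {
			return "", fmt.Errorf("key %q is not a valid shell variable name", k)
		}
	}
	var out bytes.Buffer
	if err := exportTmpl.Execute(&out, kv); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed sample secret; KEY2 holds a space, a '$' and a single quote.
	out, err := renderExports([]byte(`{"KEY1":"VALUE1","KEY2":"p@ss w$rd'1"}`))
	fmt.Println(out, err)
}
```

Without the quoting step, a secret value containing spaces or shell metacharacters would be interpreted by bash when the file is sourced instead of being assigned verbatim.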