From 74897535d248433afb38751acbf7a3daff344286 Mon Sep 17 00:00:00 2001 From: Moritz Johner Date: Wed, 22 Nov 2023 22:45:55 +0100 Subject: [PATCH] feat: add PushSecret generator design (#2665) Signed-off-by: Moritz Johner --- design/009-pushsecret-generator.md | 62 ++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 design/009-pushsecret-generator.md diff --git a/design/009-pushsecret-generator.md b/design/009-pushsecret-generator.md new file mode 100644 index 000000000..196412c07 --- /dev/null +++ b/design/009-pushsecret-generator.md @@ -0,0 +1,62 @@ +```yaml +--- +title: PushSecret generator integration +version: v1alpha1 +authors: Moritz Johner +creation-date: 2023-08-25 +status: draft +--- +``` + +# PushSecret Generator integration + +## Table of Contents + + +// autogen please + + +## Summary + +This design document describes how `PushSecret` can leverage generators to generate short-lived credentials without the need of an intermediary `Secret` resource. + +## Motivation + +Currently, the process of using secure passwords and short-lived credentials within the External Secrets Operator involves multiple steps. +Users need to create an `ExternalSecret` resource to generate a value which is stored in a `Secret` resource. This Secret resource is then pushed to a provider using a `PushSecret` resource. However, this intermediary step adds unnecessary complexity and inconvenience to the workflow. + +## Proposal + +To simplify the workflow and enhance user experience, the proposal is to integrate generators directly into the `PushSecret` resource. This will allow users to specify a generator using a `generatorRef` within the PushSecret manifest. When the PushSecret reconciliation process occurs, a value will be generated using the specified generator. This generated value will be securely pushed to the provider and stored there. + +```yaml +apiVersion: external-secrets.io/v1alpha1 +kind: PushSecret +spec: + selector: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: "my-password" +``` + +## Consequences + +* **Simplified Workflow**: This change will simplify the process of generating and pushing secrets by eliminating the need for an intermediary Secret resource. + +* **Enhanced Security**: As secrets are generated and pushed directly, there will be a reduction in potential vulnerabilities that may arise from the management of intermediary resources. + +* **Increased Flexibility**: Integrating generators into PushSecrets allows for more customization and flexibility in generating secrets according to specific requirements. + +* **Potential Learning Curve**: Users who are accustomed to the previous workflow may need to adapt to the new approach, which could require some learning and adjustment. + +* **API and Documentation Update**: The API changes need to be well-documented to ensure users understand how to utilize the new feature effectively. + + +## Acceptance Criteria + +* tests: controller tests for this new field should be sufficient +* the API changes need to be documented + * API/CRD spec inline documentation + * PushSecret API documentation + * Guides section for `PushSecret` + `generator` functionality