mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-15 17:51:01 +00:00
7d0c1027a3
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
211 lines
No EOL
6.4 KiB
Markdown
211 lines
No EOL
6.4 KiB
Markdown
```yaml
|
|
---
|
|
title: External Secrets CRD promotion
|
|
version: v1beta1
|
|
authors: all of us
|
|
creation-date: 2022-feb-08
|
|
status: approved
|
|
---
|
|
```
|
|
|
|
# External Secrets Operator CRD
|
|
|
|
## Table of Contents
|
|
|
|
- [External Secrets Operator CRD](#external-secrets-operator-crd)
|
|
- [Table of Contents](#table-of-contents)
|
|
- [Summary](#summary)
|
|
- [Motivation](#motivation)
|
|
- [Goals](#goals)
|
|
- [Non-Goals](#non-goals)
|
|
- [Terminology](#terminology)
|
|
- [User Definitions](#user-definitions)
|
|
- [User Stories](#user-stories)
|
|
- [Proposal](#proposal)
|
|
- [External Secret](#external-secret)
|
|
- [Behavior](#behavior)
|
|
- [Secret Store](#secret-store)
|
|
|
|
## Summary
|
|
|
|
This is a proposal to design the Promoted ExternalSecrets CRD. This proposal was approved in 16-feb-2022 during our Community Meeting.
|
|
|
|
## Motivation
|
|
|
|
The project came up to the point to have grown in users and maturity, hence we are starting to drive efforts to bring it to GA. The promotion of the ExternalSecrets CRD to beta is one of this efforts.
|
|
This design documentation aims to capture some final changes for ExternalSecrets CRD.
|
|
|
|
### Goals
|
|
|
|
- Define a beta CRD
|
|
- Define strucutre for getting all provider secrets
|
|
- Define structure for new templating engine
|
|
### Non-Goals
|
|
|
|
This KEP proposes the CRD Spec and documents the use-cases, not the choice of technology or migration path towards implementing the CRD.
|
|
|
|
## Terminology
|
|
|
|
* External Secrets Operator `ESO`: A Application that runs a control loop which syncs secrets
|
|
* ESO `instance`: A single entity that runs a control loop
|
|
* Provider: Is a **source** for secrets. The Provider is external to ESO. It can be a hosted service like Alibaba Cloud SecretsManager, AWS SystemsManager, Azure KeyVault etc
|
|
* SecretStore `ST`: A Custom Resource to authenticate and configure the connection between the ESO instance and the Provider
|
|
* ExternalSecret `ES`: A Custom Resource that declares which secrets should be synced
|
|
* Frontend: A **sink** for the synced secrets, usually a `Secret` resource
|
|
* Secret: Credentials that act as a key to sensitive information
|
|
|
|
### User Definitions
|
|
* `operator :=` I manage one or multiple `ESO` instances
|
|
* `user :=` I only create `ES`, ESO is managed by someone else
|
|
|
|
### User Stories
|
|
From that we can derive the following requirements or user stories:
|
|
1. As a ESO operator I want to get all the secrets of a given path from a given provider, if the provider supports it
|
|
2. As a ESO operator I want to handle templating like it is a natural language, not needing to worry about how it is actually implemented.
|
|
|
|
## Proposal
|
|
|
|
### External Secret
|
|
|
|
```yaml
|
|
#only changed fields are commented out.
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: "hello-world"
|
|
labels:
|
|
acme.org/owned-by: "q-team"
|
|
annotations:
|
|
acme.org/sha: 1234
|
|
|
|
spec:
|
|
secretStoreRef:
|
|
name: secret-store-name
|
|
kind: SecretStore
|
|
refreshInterval: "1h"
|
|
target:
|
|
name: my-secret
|
|
creationPolicy: 'Merge'
|
|
deletionPolicy: 'None' #Possible values are None, Merge, Delete - TBC during implementation.
|
|
template:
|
|
engineVersion: v2 #Defaults to v2 in v1beta1
|
|
type: kubernetes.io/dockerconfigjson
|
|
metadata:
|
|
annotations: {}
|
|
labels: {}
|
|
data:
|
|
config.yml: |
|
|
endpoints:
|
|
- https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
|
|
|
|
templateFrom:
|
|
- configMap:
|
|
name: alertmanager
|
|
items:
|
|
- key: alertmanager.yaml
|
|
data:
|
|
- secretKey: secret-key-to-be-managed
|
|
remoteRef:
|
|
key: provider-key
|
|
version: provider-key-version
|
|
property: provider-key-property
|
|
dataFrom:
|
|
- extract: #extract all the keys from one given secret
|
|
key: provider-key
|
|
version: provider-key-version
|
|
property: provider-key-property
|
|
- find:
|
|
name: #find secrets that match a particular pattern
|
|
regexp: .*pattern.*
|
|
tags: #find secrets that match the following labels/tags
|
|
provider-label: provider-value
|
|
status:
|
|
refreshTime: "2019-08-12T12:33:02Z"
|
|
conditions:
|
|
- type: Ready
|
|
status: "True"
|
|
reason: "SecretSynced"
|
|
message: "Secret was synced"
|
|
lastTransitionTime: "2019-08-12T12:33:02Z"
|
|
```
|
|
|
|
#### Behavior
|
|
|
|
ExternalSecrets now will have a different structure for `dataFrom`, which will allow fetching several provider secrets with only one ExternalSecret definition. It should be possible to fetch secrets based on regular expressions or by a label/tag selector.
|
|
|
|
If the user desires to rename the secret keys (e.g. because the key name is not a valid secret key name `/foo/bar`) they should use `template` functions to produce a mapping.
|
|
### Secret Store
|
|
|
|
SecretStore and ClusterSecretStore do not have any changes from v1alpha1.
|
|
|
|
```yaml
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: SecretStore
|
|
metadata:
|
|
name: example
|
|
namespace: example-ns
|
|
spec:
|
|
controller: dev
|
|
retrySettings:
|
|
maxRetries: 5
|
|
retryInterval: "10s"
|
|
provider:
|
|
aws:
|
|
service: SecretsManager
|
|
role: iam-role
|
|
region: eu-central-1
|
|
auth:
|
|
secretRef:
|
|
accessKeyID:
|
|
name: awssm-secret
|
|
key: access-key
|
|
secretAccessKey:
|
|
name: awssm-secret
|
|
key: secret-access-key
|
|
vault:
|
|
server: "https://vault.acme.org"
|
|
path: "secret"
|
|
version: "v2"
|
|
namespace: "a-team"
|
|
caBundle: "..."
|
|
caProvider:
|
|
type: "Secret"
|
|
name: "my-cert-secret"
|
|
key: "cert-key"
|
|
auth:
|
|
tokenSecretRef:
|
|
name: "my-secret"
|
|
namespace: "secret-admin"
|
|
key: "vault-token"
|
|
appRole:
|
|
path: "approle"
|
|
roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
|
|
secretRef:
|
|
name: "my-secret"
|
|
namespace: "secret-admin"
|
|
key: "vault-token"
|
|
kubernetes:
|
|
mountPath: "kubernetes"
|
|
role: "demo"
|
|
serviceAccountRef:
|
|
name: "my-sa"
|
|
namespace: "secret-admin"
|
|
secretRef:
|
|
name: "my-secret"
|
|
namespace: "secret-admin"
|
|
key: "vault"
|
|
gcpsm:
|
|
auth:
|
|
secretRef:
|
|
secretAccessKeySecretRef:
|
|
name: gcpsm-secret
|
|
key: secret-access-credentials
|
|
projectID: myproject
|
|
status:
|
|
conditions:
|
|
- type: Ready
|
|
status: "False"
|
|
reason: "ConfigError"
|
|
message: "SecretStore validation failed"
|
|
lastTransitionTime: "2019-08-12T12:33:02Z"
|
|
``` |