mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity
external-secrets/design/009-pushsecret-generator.md
Moritz Johner 74897535d2
feat: add PushSecret generator design (#2665) 
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2023-11-22 21:45:55 +00:00

62 lines
2.6 KiB
Markdown
Raw Blame History

```yaml
---
title: PushSecret generator integration
version: v1alpha1
authors: Moritz Johner
creation-date: 2023-08-25
status: draft
---
```
# PushSecret Generator integration
## Table of Contents
<!-- toc -->
// autogen please
<!-- /toc -->
## Summary
This design document describes how `PushSecret` can leverage generators to generate short-lived credentials without the need of an intermediary `Secret` resource.
## Motivation
Currently, the process of using secure passwords and short-lived credentials within the External Secrets Operator involves multiple steps.
Users need to create an `ExternalSecret` resource to generate a value which is stored in a `Secret` resource. This Secret resource is then pushed to a provider using a `PushSecret` resource. However, this intermediary step adds unnecessary complexity and inconvenience to the workflow.
## Proposal
To simplify the workflow and enhance user experience, the proposal is to integrate generators directly into the `PushSecret` resource. This will allow users to specify a generator using a `generatorRef` within the PushSecret manifest. When the PushSecret reconciliation process occurs, a value will be generated using the specified generator. This generated value will be securely pushed to the provider and stored there.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
spec:
selector:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
name: "my-password"
```
## Consequences
* **Simplified Workflow**: This change will simplify the process of generating and pushing secrets by eliminating the need for an intermediary Secret resource.
* **Enhanced Security**: As secrets are generated and pushed directly, there will be a reduction in potential vulnerabilities that may arise from the management of intermediary resources.
* **Increased Flexibility**: Integrating generators into PushSecrets allows for more customization and flexibility in generating secrets according to specific requirements.
* **Potential Learning Curve**: Users who are accustomed to the previous workflow may need to adapt to the new approach, which could require some learning and adjustment.
* **API and Documentation Update**: The API changes need to be well-documented to ensure users understand how to utilize the new feature effectively.
## Acceptance Criteria
* tests: controller tests for this new field should be sufficient
* the API changes need to be documented
* API/CRD spec inline documentation
* PushSecret API documentation
* Guides section for `PushSecret` + `generator` functionality
View git blame Copy permalink