Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---
title: PushSecret generator integration
version: v1alpha1
authors: Moritz Johner
creation-date: 2023-08-25
status: draft
---
# PushSecret Generator integration

## Table of Contents

// autogen please

## Summary

This design document describes how `PushSecret` can leverage generators to produce short-lived credentials without the need for an intermediary `Secret` resource.
## Motivation

Currently, using secure passwords and short-lived credentials with the External Secrets Operator involves multiple steps. Users need to create an `ExternalSecret` resource that runs a generator and stores the result in a `Secret` resource. That `Secret` is then pushed to a provider using a `PushSecret` resource. The intermediary step adds unnecessary complexity to the workflow, and it leaves a generated value sitting in the cluster as a `Secret` whose only purpose is to be pushed somewhere else.
## Proposal

To simplify the workflow and improve the user experience, the proposal is to integrate generators directly into the `PushSecret` resource. Users specify a generator through a `generatorRef` inside the `PushSecret` manifest. When the `PushSecret` reconciles, the controller invokes the referenced generator and pushes the generated value to the provider, where it is stored; no `Secret` is created in the cluster. Because a value is generated each time the `PushSecret` reconciles, consumers of the pushed value must tolerate it changing on every reconciliation, which is exactly the behaviour wanted for short-lived credentials.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
spec:
  selector:
    generatorRef:
      apiVersion: generators.external-secrets.io/v1alpha1
      kind: Password
      name: "my-password"
```
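As an added illustration of the reconcile flow the proposal describes, the following Go program is not code from the External Secrets Operator (whose real Go types and controller differ); it is a self-contained sketch written for this document. It models a `selector` that carries either the existing `Secret` reference or the new `generatorRef`, refuses a manifest that sets both or neither, resolves the generator, and pushes the generated value straight to a provider stand-in. The names `Reconcile`, `MemoryProvider`, `SecretName`, `RemoteKey`, the `cluster` map and the `Generator` interface are assumptions for the example, as is the in-memory `PasswordGenerator`; the real `Password` generator has more options.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// GeneratorRef mirrors the generatorRef fields of the manifest in the proposal.
type GeneratorRef struct{ APIVersion, Kind, Name string }

// Selector is a hypothetical union of the existing Secret selector and the new generatorRef.
type Selector struct {
	SecretName   string        // current flow: read an existing Secret (assumed field name)
	GeneratorRef *GeneratorRef // proposed flow: generate the value on reconcile
}

// PushSecretSpec is a reduced stand-in for the real CRD spec; RemoteKey is assumed.
type PushSecretSpec struct {
	Selector  Selector
	RemoteKey string
}

// Generator produces secret data; Password is the only kind wired up here.
type Generator interface{ Generate() (map[string][]byte, error) }

// PasswordGenerator draws every character uniformly from a fixed alphabet via crypto/rand.
type PasswordGenerator struct{ Length int }
const passwordAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
func (p PasswordGenerator) Generate() (map[string][]byte, error) {
	if p.Length <= 0 {
		return nil, errors.New("password length must be positive")
	}
	out := make([]byte, p.Length)
	bound := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, bound) // uniform in [0, bound): no modulo bias
		if err != nil {
			return nil, err
		}
		out[i] = passwordAlphabet[n.Int64()]
	}
	return map[string][]byte{"password": out}, nil
}

// Provider stands in for a secret-store client (Vault, AWS Secrets Manager, ...).
type Provider interface{ PushSecret(remoteKey string, value []byte) error }

// MemoryProvider records pushes so the flow can be checked offline.
type MemoryProvider struct{ Store map[string][]byte }

func (m *MemoryProvider) PushSecret(remoteKey string, value []byte) error {
	m.Store[remoteKey] = append([]byte(nil), value...)
	return nil
}

// Reconcile resolves the selector and pushes the resulting data straight to the provider.
// cluster holds existing Secrets (name -> data) for the Secret-backed path; generators maps a
// generatorRef to a concrete generator (the operator would look up the generator CR instead).
func Reconcile(spec PushSecretSpec, generators map[GeneratorRef]Generator,
	cluster map[string]map[string][]byte, provider Provider) error {
	sel := spec.Selector
	switch {
	case sel.SecretName != "" && sel.GeneratorRef != nil:
		return errors.New("selector: secret and generatorRef are mutually exclusive")
	case sel.SecretName == "" && sel.GeneratorRef == nil:
		return errors.New("selector: one of secret or generatorRef must be set")
	}
	var data map[string][]byte
	if sel.GeneratorRef != nil {
		gen, ok := generators[*sel.GeneratorRef]
		if !ok {
			return fmt.Errorf("generator %s %q not found", sel.GeneratorRef.Kind, sel.GeneratorRef.Name)
		}
		var err error
		if data, err = gen.Generate(); err != nil {
			return err
		}
	} else if data = cluster[sel.SecretName]; data == nil {
		return fmt.Errorf("secret %q not found", sel.SecretName)
	}
	// The value reaches the provider only; nothing is written back into the cluster map.
	for key, value := range data {
		if err := provider.PushSecret(spec.RemoteKey+"/"+key, value); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	ref := GeneratorRef{APIVersion: "generators.external-secrets.io/v1alpha1", Kind: "Password", Name: "my-password"}
	provider := &MemoryProvider{Store: map[string][]byte{}}
	spec := PushSecretSpec{Selector: Selector{GeneratorRef: &ref}, RemoteKey: "prod/db"}
	if err := Reconcile(spec, map[GeneratorRef]Generator{ref: PasswordGenerator{Length: 32}}, nil, provider); err != nil {
		panic(err)
	}
	fmt.Printf("pushed a %d-byte password to prod/db/password\n", len(provider.Store["prod/db/password"]))
}
```

Two points worth carrying into the real implementation: the selector validation up front, so a manifest that names both a `Secret` and a `generatorRef` is rejected before anything is generated or pushed, and the fact that the generated bytes are handed only to the provider client, so there is no object in the cluster to read back, back up or leak.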
## Consequences

- Simplified Workflow: generating and pushing a secret no longer requires an intermediary `Secret` resource.
- Enhanced Security: because the value is generated and pushed directly, it is never written to a `Secret` in the cluster, so it is not persisted in the cluster's object store and is not exposed to anyone who can read `Secret` resources in that namespace. The only copies are the one held in memory during reconciliation and the one stored at the provider.
- Increased Flexibility: integrating generators into `PushSecret` allows secrets to be generated according to specific requirements without an `ExternalSecret` and `Secret` pair for each pushed value.
- Potential Learning Curve: users accustomed to the `ExternalSecret` + `Secret` + `PushSecret` workflow need to adapt to the new approach, which may require some learning and adjustment.
- API and Documentation Update: the API change needs to be well-documented so users understand how to use the new field, including how `generatorRef` relates to the existing `selector` fields.
## Acceptance Criteria

- tests: controller tests for this new field should be sufficient
- the API changes need to be documented:
  - API/CRD spec inline documentation
  - `PushSecret` API documentation
  - Guides section for `PushSecret` + generator functionality