1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
external-secrets/design/001-design-crd-v1beta1.md
Gustavo Carvalho 7d0c1027a3 Adding Deletion Policy to the spec, and approving it
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
2022-02-16 14:32:40 -03:00

211 lines
No EOL
6.4 KiB
Markdown

```yaml
---
title: External Secrets CRD promotion
version: v1beta1
authors: all of us
creation-date: 2022-feb-08
status: approved
---
```
# External Secrets Operator CRD
## Table of Contents
- [External Secrets Operator CRD](#external-secrets-operator-crd)
- [Table of Contents](#table-of-contents)
- [Summary](#summary)
- [Motivation](#motivation)
- [Goals](#goals)
- [Non-Goals](#non-goals)
- [Terminology](#terminology)
- [User Definitions](#user-definitions)
- [User Stories](#user-stories)
- [Proposal](#proposal)
- [External Secret](#external-secret)
- [Behavior](#behavior)
- [Secret Store](#secret-store)
## Summary
This is a proposal to design the Promoted ExternalSecrets CRD. This proposal was approved in 16-feb-2022 during our Community Meeting.
## Motivation
The project came up to the point to have grown in users and maturity, hence we are starting to drive efforts to bring it to GA. The promotion of the ExternalSecrets CRD to beta is one of this efforts.
This design documentation aims to capture some final changes for ExternalSecrets CRD.
### Goals
- Define a beta CRD
- Define strucutre for getting all provider secrets
- Define structure for new templating engine
### Non-Goals
This KEP proposes the CRD Spec and documents the use-cases, not the choice of technology or migration path towards implementing the CRD.
## Terminology
* External Secrets Operator `ESO`: A Application that runs a control loop which syncs secrets
* ESO `instance`: A single entity that runs a control loop
* Provider: Is a **source** for secrets. The Provider is external to ESO. It can be a hosted service like Alibaba Cloud SecretsManager, AWS SystemsManager, Azure KeyVault etc
* SecretStore `ST`: A Custom Resource to authenticate and configure the connection between the ESO instance and the Provider
* ExternalSecret `ES`: A Custom Resource that declares which secrets should be synced
* Frontend: A **sink** for the synced secrets, usually a `Secret` resource
* Secret: Credentials that act as a key to sensitive information
### User Definitions
* `operator :=` I manage one or multiple `ESO` instances
* `user :=` I only create `ES`, ESO is managed by someone else
### User Stories
From that we can derive the following requirements or user stories:
1. As a ESO operator I want to get all the secrets of a given path from a given provider, if the provider supports it
2. As a ESO operator I want to handle templating like it is a natural language, not needing to worry about how it is actually implemented.
## Proposal
### External Secret
```yaml
#only changed fields are commented out.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "hello-world"
labels:
acme.org/owned-by: "q-team"
annotations:
acme.org/sha: 1234
spec:
secretStoreRef:
name: secret-store-name
kind: SecretStore
refreshInterval: "1h"
target:
name: my-secret
creationPolicy: 'Merge'
deletionPolicy: 'None' #Possible values are None, Merge, Delete - TBC during implementation.
template:
engineVersion: v2 #Defaults to v2 in v1beta1
type: kubernetes.io/dockerconfigjson
metadata:
annotations: {}
labels: {}
data:
config.yml: |
endpoints:
- https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
templateFrom:
- configMap:
name: alertmanager
items:
- key: alertmanager.yaml
data:
- secretKey: secret-key-to-be-managed
remoteRef:
key: provider-key
version: provider-key-version
property: provider-key-property
dataFrom:
- extract: #extract all the keys from one given secret
key: provider-key
version: provider-key-version
property: provider-key-property
- find:
name: #find secrets that match a particular pattern
regexp: .*pattern.*
tags: #find secrets that match the following labels/tags
provider-label: provider-value
status:
refreshTime: "2019-08-12T12:33:02Z"
conditions:
- type: Ready
status: "True"
reason: "SecretSynced"
message: "Secret was synced"
lastTransitionTime: "2019-08-12T12:33:02Z"
```
#### Behavior
ExternalSecrets now will have a different structure for `dataFrom`, which will allow fetching several provider secrets with only one ExternalSecret definition. It should be possible to fetch secrets based on regular expressions or by a label/tag selector.
If the user desires to rename the secret keys (e.g. because the key name is not a valid secret key name `/foo/bar`) they should use `template` functions to produce a mapping.
### Secret Store
SecretStore and ClusterSecretStore do not have any changes from v1alpha1.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: example
namespace: example-ns
spec:
controller: dev
retrySettings:
maxRetries: 5
retryInterval: "10s"
provider:
aws:
service: SecretsManager
role: iam-role
region: eu-central-1
auth:
secretRef:
accessKeyID:
name: awssm-secret
key: access-key
secretAccessKey:
name: awssm-secret
key: secret-access-key
vault:
server: "https://vault.acme.org"
path: "secret"
version: "v2"
namespace: "a-team"
caBundle: "..."
caProvider:
type: "Secret"
name: "my-cert-secret"
key: "cert-key"
auth:
tokenSecretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault-token"
appRole:
path: "approle"
roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault-token"
kubernetes:
mountPath: "kubernetes"
role: "demo"
serviceAccountRef:
name: "my-sa"
namespace: "secret-admin"
secretRef:
name: "my-secret"
namespace: "secret-admin"
key: "vault"
gcpsm:
auth:
secretRef:
secretAccessKeySecretRef:
name: gcpsm-secret
key: secret-access-credentials
projectID: myproject
status:
conditions:
- type: Ready
status: "False"
reason: "ConfigError"
message: "SecretStore validation failed"
lastTransitionTime: "2019-08-12T12:33:02Z"
```