Allow components to define secret ref templates #320

Open

simu opened this issue May 21, 2021 · 0 comments
Labels
enhancement New feature or request

Comments

@simu (Member)
simu commented May 21, 2021

Context

Sometimes, it would be nice to generate secret refs from a template based on some information present in the config hierarchy.

Currently the naive approach of simply providing the rendered secret references directly in Jsonnet doesn't work:

local secrets = [
  kube.Secret(it.name + '_credentials') {
    metadata+: {
      namespace: it.namespace,
    },
    stringData+: {
      password: '?{vaultkv:%s/%s/component/%s_password}' % [ inv.parameters.cluster.tenant, inv.parameters.cluster.name, it.name ],
    },
  }
  for it in params.items
];

with inventory

parameters:
  component:
    items:
      - name: item1
        namespace: ns1

results in

Could not find ref backend for tag: ?{vaultkv:<tenant-id>/<cluster-id>/component/item1_password}

The problem is that Commodore can't find the secret ref embedded in the component's Jsonnet code, and therefore doesn't generate the ref file in catalog/refs/.

Implementation idea

Maybe we could introduce a component meta-parameter which component authors can use to specify secret ref templates and associated input data which Commodore can use to generate appropriate secret refs.

I'm envisioning something like

parameters:
  component:
    =_metadata:
      secret_ref_templates:
        - template: '${cluster:tenant}/${cluster:name}/component/%s_password'
          args:
            - name
          data: ${component:items}

    items:
      - name: item1
        namespace: ns1

And commodore would do something like

def generate_computed_refs(inventory):
    # Assumes the ${...} inventory references in the template have already
    # been resolved when the inventory was rendered.
    component_params = inventory["component"]
    for tpl in component_params["_metadata"]["secret_ref_templates"]:
        for it in tpl["data"]:
            fmt_args = []
            for a in tpl["args"]:
                # list.append() returns None, so don't reassign fmt_args
                fmt_args.append(it[a])
            # the template uses %s placeholders, so use %-formatting with a tuple
            render_ref(ref=tpl["template"] % tuple(fmt_args))

Alternatives

  • Don't support this in Commodore and require users to provide expanded secret refs in lists if necessary (this is currently the only feasible workaround)
  • Introduce a component "pre-processing" step, in which components can specify actions that should be executed before Kapitan is executed, and implement an action which allows components to generate additional secret references.
@simu simu added the enhancement New feature or request label May 21, 2021
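A worked version of the template expansion sketched in the issue, added here as an illustration and not code from Commodore or from the issue author. It assumes a merged inventory `parameters` dict in which the reclass `=_metadata` key has already become `_metadata` (as the pseudocode above also assumes), `${a:b}` references in the Kapitan inventory style, `%s` placeholders as in the issue, and the `vaultkv` backend. The whitelist regex for substituted values, and the rejection of a mismatched placeholder/argument count, are my own additions: item data from the hierarchy must not be able to change the Vault path by smuggling `/`, `}` or `..` into a ref. The sample inventory is constructed for the example.

```python
import copy
import re
from typing import Any, Dict, List

# Kapitan-style inventory reference, e.g. ${cluster:tenant}
_REF_RE = re.compile(r"\$\{([^}]+)\}")
# Assumption: conservative whitelist for values interpolated into a ref path,
# so item data cannot inject '/', '}' or '..' segments into the Vault path.
_SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def lookup(parameters: Dict[str, Any], path: str) -> Any:
    """Follow a colon-separated path such as 'cluster:tenant' through the inventory."""
    node: Any = parameters
    for key in path.split(":"):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"inventory reference '${{{path}}}' not found")
        node = node[key]
    return node


def resolve(parameters: Dict[str, Any], value: Any) -> Any:
    """Resolve ${a:b} references in a string.

    A string that is exactly one reference returns the referenced object
    (so 'data: ${component:items}' yields the list); otherwise references
    are interpolated as text. Non-strings pass through unchanged.
    """
    if not isinstance(value, str):
        return value
    whole = _REF_RE.fullmatch(value)
    if whole:
        return lookup(parameters, whole.group(1))
    return _REF_RE.sub(lambda m: str(lookup(parameters, m.group(1))), value)


def expand_secret_ref_templates(
    parameters: Dict[str, Any], component: str, backend: str = "vaultkv"
) -> List[str]:
    """Render one ?{backend:...} ref per data item for every template under
    parameters.<component>._metadata.secret_ref_templates."""
    meta = parameters.get(component, {}).get("_metadata", {})
    refs: List[str] = []
    for tpl in meta.get("secret_ref_templates", []):
        template = resolve(parameters, tpl["template"])
        args = tpl.get("args", [])
        if template.count("%s") != len(args):
            raise ValueError(
                f"template {template!r} has {template.count('%s')} placeholders "
                f"but {len(args)} args"
            )
        for item in resolve(parameters, tpl["data"]):
            values = []
            for a in args:
                if a not in item:
                    raise KeyError(f"data item {item!r} lacks arg {a!r}")
                v = str(item[a])
                if not _SAFE_VALUE_RE.match(v):
                    raise ValueError(f"unsafe value {v!r} for arg {a!r}")
                values.append(v)
            refs.append("?{%s:%s}" % (backend, template % tuple(values)))
    return refs


# Constructed sample inventory mirroring the issue's example.
SAMPLE_PARAMETERS: Dict[str, Any] = {
    "cluster": {"tenant": "t-example", "name": "c-example"},
    "component": {
        "_metadata": {
            "secret_ref_templates": [
                {
                    "template": "${cluster:tenant}/${cluster:name}/component/%s_password",
                    "args": ["name"],
                    "data": "${component:items}",
                }
            ]
        },
        "items": [
            {"name": "item1", "namespace": "ns1"},
            {"name": "item2", "namespace": "ns2"},
        ],
    },
}

# Constructed variant where an item name would escape the component's path.
UNSAFE_PARAMETERS: Dict[str, Any] = copy.deepcopy(SAMPLE_PARAMETERS)
UNSAFE_PARAMETERS["component"]["items"][0]["name"] = "../other-tenant/admin"

if __name__ == "__main__":
    for ref in expand_secret_ref_templates(SAMPLE_PARAMETERS, "component"):
        print(ref)
```

Each returned string is exactly the tag that the Jsonnet in the issue embeds, so the list is what Commodore would need to write into `catalog/refs/` for Kapitan to find a backend for it. Running the function over `UNSAFE_PARAMETERS` raises instead of producing a ref that points at another tenant's path.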