feat: add PushSecret generator design (external-secrets#2665)
Signed-off-by: Moritz Johner <[email protected]>
Showing 1 changed file with 62 additions and 0 deletions.
@@ -0,0 +1,62 @@ | ||
```yaml | ||
--- | ||
title: PushSecret generator integration | ||
version: v1alpha1 | ||
authors: Moritz Johner | ||
creation-date: 2023-08-25 | ||
status: draft | ||
--- | ||
``` | ||
|
||
# PushSecret Generator integration | ||
|
||
## Table of Contents | ||
|
||
<!-- toc --> | ||
// autogen please | ||
<!-- /toc --> | ||
|
||
## Summary | ||
|
||
This design document describes how `PushSecret` can leverage generators to generate short-lived credentials without the need of an intermediary `Secret` resource. | ||
|
||
## Motivation | ||
|
||
Currently, the process of using secure passwords and short-lived credentials within the External Secrets Operator involves multiple steps. | ||
Users need to create an `ExternalSecret` resource to generate a value which is stored in a `Secret` resource. This Secret resource is then pushed to a provider using a `PushSecret` resource. However, this intermediary step adds unnecessary complexity and inconvenience to the workflow. | ||
|
||
## Proposal | ||
|
||
To simplify the workflow and enhance user experience, the proposal is to integrate generators directly into the `PushSecret` resource. This will allow users to specify a generator using a `generatorRef` within the PushSecret manifest. When the PushSecret reconciliation process occurs, a value will be generated using the specified generator. This generated value will be securely pushed to the provider and stored there. | ||
|
||
```yaml | ||
apiVersion: external-secrets.io/v1alpha1 | ||
kind: PushSecret | ||
spec: | ||
selector: | ||
generatorRef: | ||
apiVersion: generators.external-secrets.io/v1alpha1 | ||
kind: Password | ||
name: "my-password" | ||
``` | ||
## Consequences | ||
* **Simplified Workflow**: This change will simplify the process of generating and pushing secrets by eliminating the need for an intermediary Secret resource. | ||
* **Enhanced Security**: As secrets are generated and pushed directly, there will be a reduction in potential vulnerabilities that may arise from the management of intermediary resources. | ||
* **Increased Flexibility**: Integrating generators into PushSecrets allows for more customization and flexibility in generating secrets according to specific requirements. | ||
* **Potential Learning Curve**: Users who are accustomed to the previous workflow may need to adapt to the new approach, which could require some learning and adjustment. | ||
* **API and Documentation Update**: The API changes need to be well-documented to ensure users understand how to utilize the new feature effectively. | ||
## Acceptance Criteria | ||
* tests: controller tests for this new field should be sufficient | ||
* the API changes need to be documented | ||
* API/CRD spec inline documentation | ||
* PushSecret API documentation | ||
* Guides section for `PushSecret` + `generator` functionality |
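Review bot: the Proposal section does not define the reconcile semantics of a generated value, and that is the crux of the short-lived-credentials use case from the Summary. Without the intermediary `Secret` there is nothing in-cluster that remembers the last generated value, so either every reconcile regenerates and re-pushes a fresh value (in effect rotation on every sync interval, in which case the design should say how a consumer of the remote secret learns that the value changed), or the controller needs some other place to persist what it last pushed. State which one is intended, and add a sentence on partial failure when a single PushSecret targets several stores: do all stores receive the same generated value, or can they diverge if one push fails and the next reconcile regenerates? Two smaller points in the same hunk: the example manifest shows only `selector.generatorRef` and no mapping from generated keys to remote keys, so a reader cannot tell how a generator's output lands in the provider; and the `// autogen please` line between `<!-- toc -->` and `<!-- /toc -->` reads as a leftover note rather than a placeholder, so either generate the table of contents or drop it. Finally, the "Enhanced Security" bullet under Consequences claims a reduction in vulnerabilities without naming one; stating the concrete benefit (the generated value is never written to a cluster `Secret`) would make the claim checkable and worth listing in Acceptance Criteria alongside the controller tests.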