Support for secrets provided via Secrets Store CSI Driver #113

Open
guilledipa opened this issue Nov 3, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@guilledipa

What problem are you facing?

Currently, MySQLConnectionSecret expects a Secret object as per:

kubectl create secret generic db-conn \
  --from-literal=username=admin \
  --from-literal=password='t0ps3cr3t' \
  --from-literal=endpoint=my.sql-server.com \
  --from-literal=port=3306

This implies that users need permissions to run kubectl create secret in the cluster.

In CI/CD pipelines where users have no permissions to run kubectl commands (and all code is persisted in repositories), the ability to inject secrets in the cluster via https://secrets-store-csi-driver.sigs.k8s.io/introduction.html is ideal. This is particularly useful in the context of Cloud environments where secrets are created in Secret Manager tools like GCP's Secret Manager.

How could Crossplane help solve your problem?

provider-sql could support secrets mounted via secrets-store-csi-driver.

@guilledipa guilledipa added the enhancement New feature or request label Nov 3, 2022
@chlunde
Contributor

chlunde commented Nov 9, 2022

Two notes:

@guilledipa but I think most users here will create the database with a randomly generated password in a crossplane composition, so no humans need Secret access at all. Are you using provider-sql without crossplane?

@pierluigilenoci

@guilledipa would an ESO integration be equally functional for you?

@guilledipa
Author

I'm sorry for the slow answer!

> @guilledipa would an ESO integration be equally functional for you?

Yes, ESO would keep the Secret object in sync with a provider and therefore fulfil the requirements.
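
The ESO approach discussed above, sketched as an added example that is not part of the original thread or of provider-sql: an External Secrets Operator `ExternalSecret` that produces the `db-conn` Secret with the four keys from the `kubectl create secret` command, so the manifest can live in a repository and nobody needs permission to create Secrets by hand. The store name `gcp-secret-manager`, the remote secret names `mysql-username` and `mysql-password`, the namespace and the API version are assumptions; adjust them to the installed ESO release and backend.

```yaml
# Added example (assumptions: store name, remote secret names, namespace, API version).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-conn
  namespace: crossplane-system        # assumption: the namespace the connection Secret is read from
spec:
  refreshInterval: 1h                 # re-read the backend so rotated credentials propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-secret-manager          # hypothetical store configured for GCP Secret Manager
  target:
    name: db-conn                     # the Secret name used in the issue's kubectl command
    creationPolicy: Owner             # the Secret is deleted together with this ExternalSecret
    template:
      engineVersion: v2
      data:
        # Only the credentials come from the secret manager; the endpoint and
        # port are not sensitive and are kept in the manifest itself.
        username: "{{ .username }}"
        password: "{{ .password }}"
        endpoint: my.sql-server.com
        port: "3306"
  data:
    - secretKey: username
      remoteRef:
        key: mysql-username           # hypothetical secret name in the backend
    - secretKey: password
      remoteRef:
        key: mysql-password           # hypothetical secret name in the backend
```

The password never appears in the repository or in pipeline logs, and RBAC for Secret creation is needed only by the ESO controller's service account.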
