
Allow components to define secret ref templates #320

@simu


Context

Sometimes, it would be nice to generate secret refs from a template based on some information present in the config hierarchy.

Currently the naive approach of simply providing the rendered secret references directly in Jsonnet doesn't work:

```jsonnet
local secrets = [
  kube.Secret(it.name + '_credentials') {
    metadata+: {
      namespace: it.namespace,
    },
    stringData+: {
      password: '?{vaultkv:%s/%s/component/%s_password}' % [ inv.parameters.cluster.tenant, inv.parameters.cluster.name, it.name ],
    },
  }
  for it in params.items
];
```

with inventory

```yaml
parameters:
  component:
    items:
      - name: item1
        namespace: ns1
```

results in

```
Could not find ref backend for tag: ?{vaultkv:<tenant-id>/<cluster-id>/component/item1_password}
```

The problem is that Commodore can't find the secret ref embedded in the component's Jsonnet code, and therefore doesn't generate the ref file in catalog/refs/.

Implementation idea

Maybe we could introduce a component meta-parameter which component authors can use to specify secret ref templates and associated input data which Commodore can use to generate appropriate secret refs.

I'm envisioning something like

```yaml
parameters:
  component:
    =_metadata:
      secret_ref_templates:
        - template: '${cluster:tenant}/${cluster:name}/component/%s_password'
          args:
            - name
          data: ${component:items}

    items:
      - name: item1
        namespace: ns1
```

And commodore would do something like

```python
def generate_computed_refs(inventory):
    component_params = inventory["component"]
    for tpl in component_params["_metadata"]["secret_ref_templates"]:
        for it in tpl["data"]:
            # collect the template arguments from each data item
            # (list.append() returns None, so build the list directly)
            fmt_args = [it[a] for a in tpl["args"]]
            # the template uses %s placeholders, so render with %-formatting
            render_ref(ref=tpl["template"] % tuple(fmt_args))
```
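As an added, runnable sketch of the idea above (example code, not Commodore's own and not part of the original issue): it expands every `secret_ref_templates` entry into `?{backend:path}` tags that Commodore could then generate ref files for before Kapitan runs. It assumes the reclass references (`${cluster:tenant}`, `${cluster:name}`, `${component:items}`) have already been resolved by the inventory, so a template only contains `%s` placeholders; the `vaultkv` backend prefix, the sample inventory and the character whitelist for rendered paths are this example's own choices.

```python
import re
from typing import Any, Dict, List

# Constructed sample inventory, modelled on the issue's example. The reclass
# references are assumed to be already resolved to plain strings here, and
# "data" points at the same list as the component's "items".
_ITEMS = [
    {"name": "item1", "namespace": "ns1"},
    {"name": "item2", "namespace": "ns2"},
]
SAMPLE_INVENTORY: Dict[str, Any] = {
    "cluster": {"tenant": "t-example", "name": "c-example"},
    "component": {
        "_metadata": {
            "secret_ref_templates": [
                {
                    "template": "t-example/c-example/component/%s_password",
                    "args": ["name"],
                    "data": _ITEMS,
                }
            ]
        },
        "items": _ITEMS,
    },
}

# Character whitelist for a rendered ref path. This is an assumption made for
# the example, not a rule taken from Kapitan: an inventory value containing
# e.g. "}" would otherwise end up inside the ?{backend:path} tag.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


class SecretRefTemplateError(ValueError):
    """A template could not be rendered safely from its data."""


def render_secret_ref_templates(
    component_params: Dict[str, Any], backend: str = "vaultkv"
) -> List[str]:
    """Expand every secret_ref_templates entry into ?{backend:path} tags.

    Returns the distinct tags in order of appearance, so the caller can
    generate one ref file per tag before Kapitan is run.
    """
    templates = component_params.get("_metadata", {}).get("secret_ref_templates", [])
    refs: List[str] = []
    for tpl in templates:
        template: str = tpl["template"]
        args: List[str] = tpl.get("args", [])
        # A placeholder/arg count mismatch would surface as a bare TypeError
        # from %-formatting; check up front and report which template is wrong.
        if template.count("%s") != len(args):
            raise SecretRefTemplateError(
                f"template {template!r} has {template.count('%s')} placeholder(s) "
                f"but {len(args)} arg(s)"
            )
        for item in tpl.get("data", []):
            try:
                fmt_args = tuple(item[a] for a in args)
            except KeyError as exc:
                # Fail loudly: a missing key must not yield a partial ref.
                raise SecretRefTemplateError(
                    f"data item {item!r} lacks arg {exc.args[0]!r}"
                ) from None
            path = template % fmt_args
            if not _SAFE_PATH.match(path):
                raise SecretRefTemplateError(
                    f"rendered ref path {path!r} contains unsafe characters"
                )
            ref = f"?{{{backend}:{path}}}"
            if ref not in refs:
                refs.append(ref)
    return refs


if __name__ == "__main__":
    for ref in render_secret_ref_templates(SAMPLE_INVENTORY["component"]):
        print(ref)
```

The three checks are where this differs from the sketch: a missing arg key or a placeholder/arg count mismatch stops the build instead of silently producing a ref that Kapitan will then fail on, and a rendered path is rejected when an inventory value would smuggle characters such as `}` into the `?{...}` tag.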

Alternatives

  • Don't support this in Commodore and require users to provide expanded secret refs in lists if necessary (this is currently the only feasible workaround)
  • Introduce component "pre-processing" step, in which components can specify actions that should be executed before Kapitan is executed and implement an action which allows components to generate additional secret references.

Labels: enhancement (New feature or request)