Support different formats/templates for secret targets
knelasevero opened this issue
Describe the solution you'd like
Having the ability to define a template to be used to produce a specific type of secret. Like:
Builtin Type | Usage |
---|---|
Opaque | arbitrary user-defined data |
kubernetes.io/service-account-token | service account token |
kubernetes.io/dockercfg | serialized ~/.dockercfg file |
kubernetes.io/dockerconfigjson | serialized ~/.docker/config.json file |
kubernetes.io/basic-auth | credentials for basic authentication |
kubernetes.io/ssh-auth | credentials for SSH authentication |
kubernetes.io/tls | data for a TLS client or server |
bootstrap.kubernetes.io/token | bootstrap token data |
What is the added value?
More flexibility with the generated secrets. Users can just use what aligns with their use case.
Give us examples of the outcome
This comes from the common CRD proposal as well so it would be defined like this in the ExternalSecret:
```yaml
target:
  name: my-secret
  template:
    type: kubernetes.io/tls
data:
  tls.crt:
    key: /corp.org/dev/certs/ingress
    property: pubcert
    version: latest
  tls.key:
    key: /corp.org/dev/certs/ingress
    property: privkey
    version: latest
```
This would generate:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: kubernetes.io/tls
data:
  # the data is abbreviated in this example
  tls.crt: |
    MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
  tls.key: |
    MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
```
Observations (Constraints, Context, etc):
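Added example, not part of the original issue and not code from the external-secrets project: a Go sketch of a pre-flight check that a templated target supplies the data keys Kubernetes requires for some of the built-in types in the table above. `CheckTemplate` and the `rules` table are hypothetical names, and the inputs are constructed.

```go
package main

import "fmt"

// rule lists the data keys a built-in Secret type must carry.
type rule struct {
	allOf []string // every key must be present
	anyOf []string // at least one must be present, when non-empty
}

// Data-key requirements for the built-in types covered by this sketch.
var rules = map[string]rule{
	"Opaque":                         {},
	"kubernetes.io/dockercfg":        {allOf: []string{".dockercfg"}},
	"kubernetes.io/dockerconfigjson": {allOf: []string{".dockerconfigjson"}},
	"kubernetes.io/basic-auth":       {anyOf: []string{"username", "password"}},
	"kubernetes.io/ssh-auth":         {allOf: []string{"ssh-privatekey"}},
	"kubernetes.io/tls":              {allOf: []string{"tls.crt", "tls.key"}},
}

// CheckTemplate (hypothetical helper) returns the problems found for a
// target of the given type that would be rendered with the given data keys.
func CheckTemplate(secretType string, dataKeys []string) []string {
	r, ok := rules[secretType]
	if !ok {
		// A miscased name such as "kubernetes.io/TLS" is treated by the
		// API server as a custom type, so no key validation applies to it.
		return []string{fmt.Sprintf("type %q has no rule here; names are case-sensitive", secretType)}
	}
	have := map[string]bool{}
	for _, k := range dataKeys {
		have[k] = true
	}
	var problems []string
	for _, k := range r.allOf {
		if !have[k] {
			problems = append(problems, "missing required key "+k)
		}
	}
	found := len(r.anyOf) == 0
	for _, k := range r.anyOf {
		found = found || have[k]
	}
	if !found {
		problems = append(problems, fmt.Sprintf("need at least one of %v", r.anyOf))
	}
	return problems
}

func main() {
	fmt.Println(CheckTemplate("kubernetes.io/tls", []string{"tls.crt"})) // constructed input
}
```

Types not in the table (service account and bootstrap tokens, custom types) are reported rather than validated.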