Description
Describe the problem/challenge you have
#66 introduced the SecretTemplate API. This allows you to define arbitrary input resources that are used to generate a new Kubernetes Secret based on templating.
For a first pass, we just supported a simple JSONPath-based template. However, for more dynamic cases we should support ytt templating. This would allow the entire generated secret to be templated.
Describe the solution you'd like
We should introduce an optional ytt block as an alternative to template that loads input resources as data.values. So this might look like:
---
apiVersion: secretgen.k14s.io/v1alpha1
kind: SecretTemplate
metadata:
  name: generated-secret
spec:
  serviceAccountName: my-resource-reader
  inputResources:
  - name: rds
    ref:
      apiVersion: rds.services.k8s.aws/v1alpha1
      kind: DBInstance
      name: my-rds-instance
  - name: creds
    ref:
      apiVersion: v1
      kind: Secret
      name: "{.rds.masterPassword.name}"
      namespace: rds-services
  ytt: |
    #@ load("@ytt:data", "data")
    #! Store the input resource as data values with the key being
    #! the specified reference name.
    #@ rds = data.values.rds
    #@ creds = data.values.creds
    #@ endpoint = rds.status.endpoint
    metadata:
      name: db-instance-secret
    stringData:
      type: postgresql
      database: #@ rds.spec.dbName
      port: #@ endpoint.port
      host: #@ endpoint.address
      #! Example of defaulting.
      username: #@ rds.spec.masterUsername if rds.spec.masterUsername != "" else "admin"
    data:
      #! Example of dynamic key loading.
      password: #@ creds.data[rds.masterUserPassword.get("key")]
Anything else you would like to add:
n/a
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you would like to work on this issue.
Status
Unprioritized