Support arbitrary data for use in templates #1733

@kriswuollett

Description

It would be great to enhance the templating engine by supporting more than just values from Secrets. If this is already possible, the issue may be just I didn't see how in the documentation or the API reference.

Possible Solutions

One possibility would be to add stringData: string and data: []byte fields like in Secret so that arbitrary values can be passed into templates.

But a more flexible solution would be to just follow the example of how Pod environment variables can be set (changing secretKey to just key may make more sense, since it is just data going into a template):

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: mydb-dbconn-myuser
spec:
  data:
    - secretKey: host
      valueFrom:
        externalSecretRef:
          name: mydbcluster-secret-store
          kind: ClusterSecretStore
          secretName: mydbcluster-pguser-myuser
          key: host
    - secretKey: database
      value: mydb
    - secretKey: username
      valueFrom:
        externalSecretRef:
          name: mydbcluster-secret-store
          kind: ClusterSecretStore
          secretName: mydbcluster-pguser-myuser
          key: username
    - secretKey: tlsCert
      valueFrom:
        configMap:
          name: mydbcluster-tls
          key: tls.crt

Use Case

Create variations of a secret or add constant values that are not present in the sources, so that application code can read in one secret per database connection. The example I was trying to do was to use a "database" value in addition to other fields like "host", "port", etc. that came from a source Secret generated by the Kubernetes operator PGO.

Examples

Current template (database-connection-tpl):

{{
  merge
    (dict "Host" .host)
    (dict "Port" .port)
    (and .database (dict "Database" .database))
    (dict "Username" .username)
    (and .password (dict "Password" .password))
    | toPrettyJson
}}

Current Resources (I do not want to read the arbitrarily chosen database field in the source Secret):

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: mydb-dbconn-myuser
spec:
  secretStoreRef:
    name: mydbcluster-secret-store
    kind: ClusterSecretStore
  target:
    name: mydbcluster-mydb-dbconn-myuser
    template:
      type: Opaque
      engineVersion: v2
      templateFrom:
        - configMap:
            name: database-connection-tpl
            items:
              - key: config.json
  refreshInterval: 1m
  data:
    - secretKey: host
      remoteRef:
        key: mydbcluster-pguser-myuser
        property: host
    - secretKey: port
      remoteRef:
        key: mydbcluster-pguser-myuser
        property: port
    - secretKey: username
      remoteRef:
        key: mydbcluster-pguser-myuser
        property: user
    - secretKey: password
      remoteRef:
        key: mydbcluster-pguser-myuser
        property: password
    - secretKey: tlsCrt
      remoteRef:
        key: mydbcluster-cluster-cert
        property: tls.crt
    - secretKey: caCrt
      remoteRef:
        key: mydbcluster-cluster-cert
        property: ca.crt

Notes

  • without this functionality a ConfigMap template per database name needs to be created with the database name written in directly, but I would prefer not to copy and paste
  • the proposed solution does not address the possibility of shared template parameter naming conflicts when combining templateFrom.configMaps; a separate issue to allow template parameter key rewrites, or just follow the pod container env example and not have a shared set of source key/value pairs for all templates?
  • the proposed solution also grants the possibility of combining secrets from multiple stores into a single secret, which doesn't currently seem possible (only a pattern from a single store)
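A sketch of how the proposed value: / valueFrom: data items could be resolved into template data and rendered into the one-secret-per-connection document, added here as an illustration and not code from external-secrets. The Item and Sources types, the sample store contents and the field mapping are constructed assumptions; the JSON rendering stands in for the issue's Go template rather than executing it, and the duplicate-key check addresses the naming-conflict concern from the notes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Item models one proposed spec.data[] entry: a literal value (`value:`), or SourceKey looked up in Source (`valueFrom:`).
type Item struct{ Key, Value, Source, SourceKey string }

var Sources = map[string]map[string]string{ // constructed stand-in for the secret store, not real data
	"mydbcluster-pguser-myuser": {"host": "db.internal", "port": "5432", "user": "myuser", "password": "s3cret"},
}

// Resolve builds the template context, rejecting duplicate keys and unresolvable references instead of rendering empty strings.
func Resolve(items []Item) (map[string]string, error) {
	ctx := make(map[string]string, len(items))
	for _, it := range items {
		if _, dup := ctx[it.Key]; dup {
			return nil, fmt.Errorf("duplicate template key %q", it.Key)
		}
		v, ok := it.Value, true // Source == "" means a literal value
		if it.Source != "" {
			v, ok = Sources[it.Source][it.SourceKey]
		}
		if !ok {
			return nil, fmt.Errorf("key %q not found in %q", it.SourceKey, it.Source)
		}
		ctx[it.Key] = v
	}
	return ctx, nil
}

// ConnectionJSON renders the connection document the issue's template produces; keys with no value are left out.
func ConnectionJSON(ctx map[string]string) (string, error) {
	out := map[string]string{}
	for src, dst := range map[string]string{"host": "Host", "port": "Port", "database": "Database", "username": "Username", "password": "Password"} {
		if v := ctx[src]; v != "" {
			out[dst] = v
		}
	}
	b, err := json.MarshalIndent(out, "", "  ")
	return string(b), err
}

func main() {
	ctx, _ := Resolve([]Item{{Key: "host", Source: "mydbcluster-pguser-myuser", SourceKey: "host"}, {Key: "database", Value: "mydb"}})
	s, _ := ConnectionJSON(ctx)
	fmt.Println(s)
}
```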

Labels: Stale (This issue/Pull Request is stale and will be automatically closed)