PushSecret [Vault provider] - Multiple keys into one secret? (property, dataFrom)

[Ampler92]

Hello,

I am a bit confused with the way of specifying RemoteRef for PushSecret.

In documentation there is RemoteRefs [array] which expect list of RemoteKey

But in CRD the schema contains just RemoteRef [object]...

Also there is no way how to enter the property same as in ExternalSecret. How I can then add multiple keys into one HashiCorp Vault secret?

Tried the following code but it creates two separate secrets instead of two keys in one ("credentials") secret.

  selector:
    secret:
      name: credentials # Source Kubernetes secret to be pushed
  data:
  - match:
        secretKey: password1 # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: kv/data/credentials/password1 # Remote reference (where the secret is going to be pushed)
  - match:
        secretKey: password2 # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: kv/data/credentials/password2 # Remote reference (where the secret is going to be pushed) 

Also without the property, the whole remoteKey path is then added as the key:

Its probably doable with adding base path into the SecretStore, but then it limits the SecretStore for only one destination...

And last but not least, is it planned to add dataFrom so I can extract all the keys?

Many Thanks!

[gusfcarvalho]

yes, as of today I think the hashi vault implementation for PushSecret is not the best... what we should be doing is taking for granted that the secret Key itself would be a JSON, and then load it as a single secret in HAshivault.

[gusfcarvalho]

and, sure, it makes sense to add a dataFrom there :)

[Ampler92]

thanks for your reply :) I will write a shell script then that can migrate k8s secrets to vault as an temp solution, and will impatiently wait for the PRs :)