Description
Describe the solution you'd like
We want to be able to push non-JSON secrets into HashiCorp Vault. That is, given a Secret like:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: source-secret
  namespace: default
stringData:
  source-key: "this is a secret"
```
We want to push that into Vault, but that requires JSON-formatted data. Given the templating support that is already implemented in this project, I was expecting to do something like this:
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example
  namespace: default
spec:
  refreshInterval: 10s
  secretStoreRefs:
    - name: vault-secretstore
      kind: SecretStore
  selector:
    secret:
      name: source-secret # Source Kubernetes secret to be pushed
  data:
    - secretKey: key1
    - secretKey: key2
  remoteRef: vault/secret
  template:
    engineVersion: v2
    data:
      # template expressions are quoted so the manifest stays valid YAML
      token: "{{ key1.token }}"
      color: "{{ key2.color | replace \"red\" \"blue\" }}"
```
That is, I want to use the templating support to take data from one or more Kubernetes Secrets and create a valid JSON document for storing into a single Vault secret.
What is the added value?
Currently, it's not possible to push a variety of secrets into remote secret stores. This would allow the PushSecrets feature to be more broadly useful by allowing the administrator to form secrets as necessary.
This would also satisfy the "least surprise" principle by using largely identical syntax for both ExternalSecrets and PushSecrets.
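As an added illustration, and not code from the issue author or from the external-secrets project, the following Go program approximates what the requested template step would have to do: decode the base64 `data` of one or more Kubernetes Secrets, render a Go `text/template` against the merged keys using a sprig-style `replace`, and refuse to produce anything that is not valid JSON. The `toJson` helper, the `missingkey=error` option, the template text and the sample Secrets are assumptions of this example, not PushSecret syntax. Two caveats a practitioner would want are built in: values are emitted with `toJson` rather than as bare `"{{ .x }}"` interpolation, because a secret value containing a double quote would otherwise break or reshape the JSON document sent to Vault, and a key missing from the source Secret is an error rather than the literal string `<no value>` being pushed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// SampleSecrets is a constructed stand-in for the `data` of one Kubernetes
// Secret as kubectl shows it (base64). key1 and key2 hold small JSON
// documents so the template can address .key1.token and .key2.color;
// source-key is a plain string that deliberately contains a double quote.
var SampleSecrets = map[string]string{
	"key1":       base64.StdEncoding.EncodeToString([]byte(`{"token":"s3cr3t-token"}`)),
	"key2":       base64.StdEncoding.EncodeToString([]byte(`{"color":"red"}`)),
	"source-key": base64.StdEncoding.EncodeToString([]byte(`this is a "secret"`)),
}

// PushTemplate is an assumed template producing the JSON object to store in
// Vault. Every value goes through toJson so quotes and control characters in
// a secret cannot alter the surrounding document.
const PushTemplate = `{
  "token": {{ .key1.token | toJson }},
  "color": {{ .key2.color | replace "red" "blue" | toJson }},
  "note":  {{ index . "source-key" | toJson }}
}`

// funcs provides the two helpers the template uses. replace follows the
// sprig argument order (old, new, s) so `.x | replace "red" "blue"` works;
// toJson encodes any value as a JSON literal.
var funcs = template.FuncMap{
	"replace": func(old, new, s string) string { return strings.ReplaceAll(s, old, new) },
	"toJson": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	},
}

// decodeSecretData base64-decodes a Secret's data map. Values that parse as a
// JSON object become nested maps (so .key1.token resolves); anything else is
// kept as a plain string.
func decodeSecretData(data map[string]string) (map[string]interface{}, error) {
	out := make(map[string]interface{}, len(data))
	for k, v := range data {
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", k, err)
		}
		var obj map[string]interface{}
		if json.Unmarshal(raw, &obj) == nil && obj != nil {
			out[k] = obj
		} else {
			out[k] = string(raw)
		}
	}
	return out, nil
}

// RenderVaultPayload merges the decoded keys of all given Secrets, renders
// the template against them and returns the parsed JSON object that would be
// written as the Vault KV secret. Missing keys fail the render instead of
// leaking `<no value>` into the remote store.
func RenderVaultPayload(tmplText string, secrets ...map[string]string) (map[string]interface{}, error) {
	ctx := map[string]interface{}{}
	for _, s := range secrets {
		decoded, err := decodeSecretData(s)
		if err != nil {
			return nil, err
		}
		for k, v := range decoded {
			ctx[k] = v
		}
	}
	tmpl, err := template.New("push").Funcs(funcs).Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ctx); err != nil {
		return nil, err
	}
	var payload map[string]interface{}
	if err := json.Unmarshal(buf.Bytes(), &payload); err != nil {
		return nil, fmt.Errorf("rendered template is not valid JSON: %w", err)
	}
	return payload, nil
}

func main() {
	payload, err := RenderVaultPayload(PushTemplate, SampleSecrets)
	if err != nil {
		panic(err)
	}
	// A KV v2 write wraps the object as {"data": {...}}; this is the body a
	// push would send for the single Vault secret.
	body, _ := json.Marshal(map[string]interface{}{"data": payload})
	fmt.Println(string(body))
}
```

Dropping the second Secret from the call (or removing `key2` from the sample) makes `RenderVaultPayload` return an error, which is the behaviour you want from a push path: a partially formed document should never reach Vault.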