Creating External Config Maps

[12345ieee]

Is your feature request related to a problem? Please describe.
I know, I know, it's called the External Secret operator.

I make heavy use of Hashicorp Vault for storing data that is not really secret, just needs to be accessed by several teams and machines and there is no need for it to be hidden in-cluster.
I'm not sure there is a nice developer and user UX for this, so feel free to disregard, but I'll try below.

Describe the solution you'd like
Creating new {Cluster,}ExternalConfigMap CRD for this is clearly overkill and would increase the maintenance burden enormously.

The simplest solution looks to me adding a kind: {ConfigMap,Secret} (defaults to Secret) into the target.template of an ExternalSecretSpec.
Validation should then be performed on target.template.type, which must be empty if kind is ConfigMap.
Everything else can stay as-is as far as I can see, thankfully Secrets and ConfigMaps are really similar.

Describe alternatives you've considered
Just using Secrets and telling the dev teams to decrypt them by hand, they'll live with it if you guys don't like this.

Additional context
I've searched for ConfigMap-related issues on GH, none popped up, feel free to direct me if this was already rejected.

[12345ieee]

I have just seen https://github.com/external-secrets/external-secrets/blob/main/design/design-crd-spec.md#non-goals .

Closing, sorry for the noise.

[moolen]

Hey @12345ieee, no worries. Yes, this is/was a non-goal in the initial design.
However, this question / feature-request came up quite a lot recently. This hasn't been documented in an GitHub issue yet, so i'll re-open it to see if there's a high demand for it.

thankfully Secrets and ConfigMaps are really similar

To add to that: A user wanted ESO to create/patch custom resources, IIRC it was in context with prometheus operator. So this is another thing we should keep in the back of our mind if we come up with a design proposal for this feature.

[yuliyantsvetkov]

Well, same can be achieved by just loading the value of whatever you want in ConfigMap as Secret - for the container is just plaintext value at the end.

Secret and ConfigMap are still limited to 1 megabyte.

Yes, the base64 adds 1/4 of the size limiting your Secret to ~ 750kb, but if you have such Secret...you actually have bigger problems.

[csantanapr]

Hi I’m interested on this feature some open source projects like ArgoCD requires configuration like SSO login to be store as configmap this contains things like OIDC client secret

it would be great to support configmap or any resource using a a template where one can specify the apigroup version and kind

[joaocc]

Hi. In the meantime (as I would also like to keep number of operators low), did you try this project https://github.com/mittwald/kubernetes-replicator to address the CM replication needs?

[ilbarone87]

Hi I’m interested on this feature some open source projects like ArgoCD requires configuration like SSO login to be store as configmap this contains things like OIDC client secret

it would be great to support configmap or any resource using a a template where one can specify the apigroup version and kind

I'm having the same issue atm. How did you solve it?

[gusfcarvalho]

this is something very recurring, impacting first class consumers of external-secrets operator (as pointed out in here #2503 (comment) - this is needed for setting up any OIDC in ArgoCD - even though OIDC Client IDs are not exactly sensitive information, several organizations demand by policy that they are treated as such).

I'll create a design doc for it

To add to that: A user wanted ESO to create/patch custom resources, IIRC it was in context with prometheus operator. So this is another thing we should keep in the back of our mind if we come up with a design proposal for this feature.

Design doc will also take this into account.

[vladfr]

The mechanism in ESO can be used as a hub-spoke model. ClusterSecretStore acts like a hub, and spokes pull from it into various namespaces. This is quite useful for configuration.

Our use-case is a multi-tenant deployment of ingress controllers, where tenants can configure various Envoy filters. There are secret and non-secret values. Using ESO in this case to distribute configs to tenant Envoys makes a lot of sense, easing operational burden and standardizing on a single solution.

@gusfcarvalho It would be great to see Sync to Custom Resources implemented.