projectsyn/commodore

Allow components to define secret ref templates

simu opened this issue · 0 comments

simu commented

Context

Sometimes, it would be nice to generate secret refs from a template based on some information present in the config hierarchy.

Currently, the naive approach of simply providing the rendered secret references directly in Jsonnet doesn't work:

local kube = import 'lib/kube.libjsonnet';
local com = import 'lib/commodore.libjsonnet';
local inv = com.inventory();
local params = inv.parameters.component;

local secrets = [
  // Kubernetes object names must be DNS subdomains, so no underscores here
  kube.Secret(it.name + '-credentials') {
    metadata+: {
      namespace: it.namespace,
    },
    stringData+: {
      // The ref is only visible inside the compiled Jsonnet, not in the inventory
      password: '?{vaultkv:%s/%s/component/%s_password}' % [ inv.parameters.cluster.tenant, inv.parameters.cluster.name, it.name ],
    },
  }
  for it in params.items
];

with inventory

parameters:
  component:
    items:
      - name: item1
        namespace: ns1

results in

Could not find ref backend for tag: ?{vaultkv:<tenant-id>/<cluster-id>/component/item1_password}

The problem is that Commodore can't find the secret ref embedded in the component's Jsonnet code, and therefore doesn't generate the ref file in catalog/refs/.

Implementation idea

Maybe we could introduce a component meta-parameter which component authors can use to specify secret ref templates and associated input data which Commodore can use to generate appropriate secret refs.

I'm envisioning something like

parameters:
  component:
    =_metadata:
      secret_ref_templates:
        - template: '${cluster:tenant}/${cluster:name}/component/%s_password'
          args:
            - name
          data: ${component:items}

    items:
      - name: item1
        namespace: ns1

And commodore would do something like

def generate_computed_refs(inventory, render_ref):
    # `inventory` is the interpolated parameters tree; `render_ref` is the
    # (not yet existing) helper that writes the ref file to catalog/refs/.
    component_params = inventory["component"]
    for tpl in component_params["_metadata"]["secret_ref_templates"]:
        # `data` is already a list here, reclass resolves `${component:items}`
        for it in tpl["data"]:
            # collect the template arguments from the data item, in declared order
            fmt_args = tuple(it[a] for a in tpl["args"])
            # the template uses printf-style `%s` placeholders
            render_ref(ref=tpl["template"] % fmt_args)

Alternatives

  • Don't support this in Commodore and require users to provide expanded secret refs in lists if necessary (this is currently the only feasible workaround)
  • Introduce component "pre-processing" step, in which components can specify actions that should be executed before Kapitan is executed and implement an action which allows components to generate additional secret references.
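The following is an added example, not Commodore's own code, of how the meta-parameter from the implementation idea could be expanded into `?{vaultkv:...}` ref tags. It takes the key names from the issue (`_metadata.secret_ref_templates` with `template`, `args` and `data`, where reclass has already interpolated `${cluster:tenant}`, `${cluster:name}` and `${component:items}` and dropped the `=` marker). The function names `find_inventory_refs`, `render_secret_path` and `generate_computed_refs`, the `SecretRefTemplateError` type, the path validation rule and the inventory values are assumptions of this example. `find_inventory_refs` also illustrates the failure described in the context section: scanning only the inventory never sees a ref that exists solely in compiled Jsonnet.

```python
"""Added example, not Commodore's own code: expand the proposed
`_metadata.secret_ref_templates` into Kapitan `?{vaultkv:...}` ref tags."""
import re
from typing import Any

# Kapitan ref tags look like `?{backend:path}`; this simplified pattern is
# how the inventory is scanned for them in this example (assumption).
REF_TAG = re.compile(r"\?\{[a-z0-9]+:[^}]+\}")
# Characters allowed in a rendered secret path (assumption of this example):
# a `}` would terminate the tag and `..` could escape catalog/refs/.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


class SecretRefTemplateError(ValueError):
    """Raised when a template cannot be rendered safely from its data."""


def find_inventory_refs(obj: Any) -> list[str]:
    """Collect literal `?{...}` tags from strings anywhere in the inventory.

    Walks only the inventory, not compiled component code, which is why a
    ref that exists solely in Jsonnet is never found.
    """
    found: list[str] = []
    if isinstance(obj, str):
        found.extend(REF_TAG.findall(obj))
    elif isinstance(obj, dict):
        for v in obj.values():
            found.extend(find_inventory_refs(v))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(find_inventory_refs(v))
    return found


def render_secret_path(template: str, args: list[str], item: dict) -> str:
    """Render one printf-style template (`%s` placeholders) from a data item."""
    missing = [a for a in args if a not in item]
    if missing:
        raise SecretRefTemplateError(f"data item {item!r} lacks argument(s) {missing}")
    if template.count("%s") != len(args):
        raise SecretRefTemplateError(
            f"template {template!r} has {template.count('%s')} placeholder(s) "
            f"but {len(args)} args")
    path = template % tuple(str(item[a]) for a in args)
    # Values come from the config hierarchy; reject anything that would break
    # out of the ref tag or of the refs directory.
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise SecretRefTemplateError(f"unsafe secret path {path!r}")
    return path


def generate_computed_refs(inventory: dict, component: str, backend: str = "vaultkv") -> list[str]:
    """Return the ref tags a component's `secret_ref_templates` expand to.

    `data` is expected to already be a list, since reclass interpolates
    `${component:items}` before Commodore sees the inventory.
    """
    params = inventory["parameters"][component]
    templates = params.get("_metadata", {}).get("secret_ref_templates", [])
    refs: list[str] = []
    for tpl in templates:
        data = tpl.get("data", [])
        if not isinstance(data, list):
            raise SecretRefTemplateError(f"`data` must be a list, got {type(data).__name__}")
        for item in data:
            path = render_secret_path(tpl["template"], tpl.get("args", []), item)
            ref = f"?{{{backend}:{path}}}"
            if ref not in refs:  # the same item listed twice needs only one ref file
                refs.append(ref)
    return refs


# Constructed inventory (not real data), as reclass would hand it over after
# interpolating `${cluster:tenant}`, `${cluster:name}` and `${component:items}`.
ITEMS = [{"name": "item1", "namespace": "ns1"}, {"name": "item2", "namespace": "ns2"}]
INVENTORY = {
    "parameters": {
        "cluster": {"tenant": "t-tenant", "name": "c-cluster"},
        "component": {
            "_metadata": {
                "secret_ref_templates": [
                    {
                        "template": "t-tenant/c-cluster/component/%s_password",
                        "args": ["name"],
                        "data": ITEMS,
                    }
                ]
            },
            "items": ITEMS,
        },
    }
}

if __name__ == "__main__":
    print("refs found in inventory:", find_inventory_refs(INVENTORY))
    print("computed refs:", generate_computed_refs(INVENTORY, "component"))
```

The path check is the part worth keeping whatever shape the feature takes: `args` values are copied out of the hierarchy into a Vault path and a file name under `catalog/refs/`, so a stray `}` or `..` in an item name should fail the compile rather than silently produce a different ref.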