Open
Labels: enhancement (New feature or request)
Description
What problem are you facing?
Management of K8s secrets leaks data in the Object that creates the Secret. Kubernetes apply will publish the secret data in the annotation (see wontfix kubernetes/kubernetes#29923). This makes sense on the Secret itself; however, provider-kubernetes includes the secret data in the Object annotations and in `spec.forProvider.manifest`. PR #193 addressed this in the object's status, but we are still leaking data in the managed Object.
For example, creating the following secret using a patch from another Secret will leak the data in `spec.forProvider.manifest`:
```yaml
---
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: secretpatch
spec:
  references:
    # Use patchesFrom to patch field from other k8s resource to this object
    - patchesFrom:
        apiVersion: v1
        kind: Secret
        name: secretpatch
        namespace: crossplane-system
        fieldPath: data.sensitive
      toFieldPath: data.key-from-secret
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: default
      data: {}
  providerConfigRef:
    name: kubernetes-provider
---
apiVersion: v1
kind: Secret
metadata:
  name: secretpatch
  namespace: crossplane-system
type: Opaque
data:
  sensitive: cGFzc3dvcmQ=
```
```yaml
# kubectl get object.kubernetes.crossplane.io/secretpatch -o yaml
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  annotations:
    crossplane.io/external-create-pending: "2024-04-16T15:03:32Z"
    crossplane.io/external-create-succeeded: "2024-04-16T15:03:32Z"
    crossplane.io/external-name: secretpatch
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kubernetes.crossplane.io/v1alpha2","kind":"Object","metadata":{"annotations":{},"name":"secretpatch"},"spec":{"forProvider":{"manifest":{"apiVersion":"v1","data":{},"kind":"Secret","metadata":{"namespace":"default"}}},"providerConfigRef":{"name":"kubernetes-provider"},"references":[{"patchesFrom":{"apiVersion":"v1","fieldPath":"data.sensitive","kind":"Secret","name":"secretpatch","namespace":"crossplane-system"},"toFieldPath":"data.key-from-secret"}]}}
  creationTimestamp: "2024-04-16T15:03:32Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 3
  name: secretpatch
  resourceVersion: "361526"
  uid: 97cc668a-16ce-46a0-926c-8b0dbb79865c
spec:
  deletionPolicy: Delete
  forProvider:
    manifest:
      apiVersion: v1
      data:
        key-from-secret: cGFzc3dvcmQ=
      kind: Secret
      metadata:
        namespace: default
  managementPolicies:
  - '*'
  providerConfigRef:
    name: kubernetes-provider
  readiness:
    policy: SuccessfulCreate
  references:
  - patchesFrom:
      apiVersion: v1
      fieldPath: data.sensitive
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
    toFieldPath: data.key-from-secret
status:
  atProvider:
    manifest:
      apiVersion: v1
      data:
        redacted: null
      kind: Secret
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","data":{"key-from-secret":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"namespace":"default"}}'
        creationTimestamp: "2024-04-16T15:03:32Z"
        managedFields:
        - apiVersion: v1
          fieldsType: FieldsV1
          fieldsV1:
            f:data:
              .: {}
              f:key-from-secret: {}
            f:metadata:
              f:annotations:
                .: {}
                f:kubectl.kubernetes.io/last-applied-configuration: {}
            f:type: {}
          manager: crossplane-kubernetes-provider
          operation: Update
          time: "2024-04-16T15:03:32Z"
        name: secretpatch
        namespace: default
        resourceVersion: "361522"
        uid: 49f2fad2-6670-4b0a-bfee-5be53faeeb1a
      type: Opaque
  conditions:
  - lastTransitionTime: "2024-04-16T15:03:32Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-04-16T15:03:32Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
```
How could Crossplane help solve your problem?
I'm not sure what the proper solution is; some ideas I had:
- Maybe we could have something like a `SecretRef` that pulls selected keys during the Observe loop.
- Have a special `Secret` Object.
- Update `patchesFrom` to hide fields in the `forProvider`.
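A check a cluster operator can run against this report, added here as an example and not part of the issue or of the provider-kubernetes code base: it audits Object resources for Secret keys that are readable from the Object rather than only from the managed Secret. The names `find_secret_leaks`, `audit` and `SAMPLE_OBJECT` are this example's own; `SAMPLE_OBJECT` is constructed to mirror the `kubectl get object ... -o yaml` output above, and the script otherwise only assumes the JSON shape that `kubectl get objects.kubernetes.crossplane.io -A -o json` returns.

```python
"""Audit provider-kubernetes Object resources for Secret data copied onto
the Object itself.

Added example, not code from provider-kubernetes or Crossplane. It inspects
the three places in an Object where a managed Secret's key/value pairs can
surface: spec.forProvider.manifest, the Object's own
kubectl.kubernetes.io/last-applied-configuration annotation, and the same
annotation inside the observed Secret under status.atProvider.manifest.
"""
import json
import sys

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def _secret_keys(manifest):
    """Keys in data/stringData of a Secret manifest that carry a value.
    Returns [] for non-Secrets and for redacted data such as {"redacted": null}."""
    if not isinstance(manifest, dict) or manifest.get("kind") != "Secret":
        return []
    keys = []
    for field in ("data", "stringData"):
        value = manifest.get(field)
        if isinstance(value, dict):
            keys.extend(k for k, v in value.items() if v is not None)
    return keys


def _last_applied(resource):
    """Parse a resource's last-applied-configuration annotation, or None."""
    annotations = (resource.get("metadata") or {}).get("annotations") or {}
    raw = annotations.get(LAST_APPLIED)
    if not raw:
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return None


def find_secret_leaks(obj):
    """Sorted (json_path, secret_key) pairs for every Secret key whose value is
    readable from the Object. The value itself is never returned or printed."""
    leaks = set()
    # 1. Desired state: patchesFrom writes the resolved value here.
    spec_manifest = (obj.get("spec") or {}).get("forProvider", {}).get("manifest")
    for k in _secret_keys(spec_manifest):
        leaks.add(("spec.forProvider.manifest", k))
    # 2. What kubectl apply recorded on the Object (empty data in the issue,
    #    populated if the Object was applied with inline Secret data).
    applied = _last_applied(obj) or {}
    applied_manifest = (applied.get("spec") or {}).get("forProvider", {}).get("manifest")
    for k in _secret_keys(applied_manifest):
        leaks.add(("metadata.annotations[%s]" % LAST_APPLIED, k))
    # 3. Observed state: data is redacted, but the last-applied-configuration
    #    annotation the provider's apply wrote onto the Secret is copied back.
    status_manifest = (obj.get("status") or {}).get("atProvider", {}).get("manifest")
    for k in _secret_keys(status_manifest):
        leaks.add(("status.atProvider.manifest", k))
    if isinstance(status_manifest, dict):
        for k in _secret_keys(_last_applied(status_manifest)):
            leaks.add(("status.atProvider.manifest.metadata.annotations[%s]" % LAST_APPLIED, k))
    return sorted(leaks)


def audit(document):
    """Audit one Object or a kubectl List ({"items": [...]}).
    Returns {object_name: [(path, key), ...]} for Objects exposing Secret keys."""
    report = {}
    for obj in document.get("items", [document]):
        leaks = find_secret_leaks(obj)
        if leaks:
            report[(obj.get("metadata") or {}).get("name", "<unnamed>")] = leaks
    return report


# Constructed sample mirroring the issue's `kubectl get object ... -o yaml` output.
_SECRET = {"apiVersion": "v1", "kind": "Secret", "metadata": {"namespace": "default"}}
SAMPLE_OBJECT = {
    "apiVersion": "kubernetes.crossplane.io/v1alpha2", "kind": "Object",
    "metadata": {"name": "secretpatch", "annotations": {LAST_APPLIED: json.dumps(
        {"kind": "Object", "spec": {"forProvider": {"manifest": dict(_SECRET, data={})}}})}},
    "spec": {"forProvider": {"manifest": dict(_SECRET, data={"key-from-secret": "cGFzc3dvcmQ="})}},
    "status": {"atProvider": {"manifest": dict(
        _SECRET, type="Opaque", data={"redacted": None},
        metadata={"namespace": "default", "annotations": {LAST_APPLIED: json.dumps(
            dict(_SECRET, data={"key-from-secret": "cGFzc3dvcmQ="}))}})}},
}

if __name__ == "__main__":
    # kubectl get objects.kubernetes.crossplane.io -A -o json | python3 audit_objects.py
    doc = SAMPLE_OBJECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, leaks in audit(doc).items():
        for path, key in leaks:
            print("%s: Secret key %r exposed at %s" % (name, key, path))
```

Run against the sample it reports `key-from-secret` under `spec.forProvider.manifest` and, separately, inside the `last-applied-configuration` annotation of the observed Secret in `status.atProvider.manifest`, which the output above shows still carries the value even though `data` there is redacted. Piped a live `kubectl get ... -o json` it does the same for every Object in the cluster, printing only key names and paths, never the base64 values.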