TL;DR allow alternative controllers/operators/steps to populate Secret resources from ExternalSecret CRDs; so add a backendType to the CRD which the external secrets controller ignores and indicates some custom/out of band mechanism does the population.
Background
We're using https://github.com/godaddy/kubernetes-external-secrets by default in Jenkins X 3.x now and its working awesome. However we have a requirement to support just regular kubernetes secrets (i.e. no vault / cloud secret storage) - particularly for low resource usage (e.g. folks trying Jenkins X on minikube).
We'd like to still use ExternalSecret CRDs though but have a backendType string we can use which if the external secrets controller is running its just ignored for that ExternalSecret. Maybe folks could combine custom backend with vault/others too?
This might sound strange; but from a GitOps perspective we want to check in all resources to git - apart from Secrets. So the pipelines in Jenkins X converts all Secret resources generated by helm / helmfile / kustomize / kpt to ExternalSecret resources and check them in.
Then when using vault / (Amazon | Azure | Google) Secret manager then the external secrets controller populates the Secret resources. When not using any of those, we can populate those Secret resources automatically via Jenkins X so we don't need the external secrets controller to do anything. So we basically want a kind of noop backendType.
Currently we've a minor hack ;) - when folks are not using vault / * Secret Manager, we install a modified version of the external secrets CRD which adds a new local backendType (then we don't install the external secrets controller) but it'd be nice to submit a PR on this git repository and add this backendType for real to both the CRD and the controller.
So I thought I'd raise this issue first to see what you thought about the idea. If you're cool with it I'll try create a PR.
While the use case for Jenkins X might seem fairly specific - I could see folks wanting to use custom scripts/pipelines/tools/mechanisms to populate Secret resources - but still reuse the ExternalSecret CRDs to describe the Secret resources that are required.
Aside
Incidentally we've got a little jx-secret CLI too for working with ExternalSecret resources and being able to edit them, import/export them, view which secrets are valid/populated + auto-generate them using a JSON-schema like schema (annotated on the ExternalSecret resources) or wait for the mandatory secrets to be populated etc. See the CLI reference docs here
I'm hoping to do a blog soon on how we're using external secrets; they are awesome!
Questions
What should we call this new noop backendType? I wondered about something like kubernetesSecret or something but maybe we need a name to indicate some out of band / custom process is used to populate them. So maybe custom for the backendType?
TL;DR allow alternative controllers/operators/steps to populate
Secretresources fromExternalSecretCRDs; so add abackendTypeto the CRD which the external secrets controller ignores and indicates some custom/out of band mechanism does the population.Background
We're using https://github.com/godaddy/kubernetes-external-secrets by default in Jenkins X 3.x now and its working awesome. However we have a requirement to support just regular kubernetes secrets (i.e. no vault / cloud secret storage) - particularly for low resource usage (e.g. folks trying Jenkins X on minikube).
We'd like to still use
ExternalSecretCRDs though but have abackendTypestring we can use which if the external secrets controller is running its just ignored for thatExternalSecret. Maybe folks could combine custom backend with vault/others too?This might sound strange; but from a GitOps perspective we want to check in all resources to git - apart from Secrets. So the pipelines in Jenkins X converts all
Secretresources generated by helm / helmfile / kustomize / kpt toExternalSecretresources and check them in.Then when using vault / (Amazon | Azure | Google) Secret manager then the external secrets controller populates the
Secretresources. When not using any of those, we can populate thoseSecretresources automatically via Jenkins X so we don't need the external secrets controller to do anything. So we basically want a kind ofnoopbackendType.Currently we've a minor hack ;) - when folks are not using vault / * Secret Manager, we install a modified version of the external secrets CRD which adds a new local
backendType(then we don't install the external secrets controller) but it'd be nice to submit a PR on this git repository and add thisbackendTypefor real to both the CRD and the controller.So I thought I'd raise this issue first to see what you thought about the idea. If you're cool with it I'll try create a PR.
While the use case for Jenkins X might seem fairly specific - I could see folks wanting to use custom scripts/pipelines/tools/mechanisms to populate
Secretresources - but still reuse theExternalSecretCRDs to describe theSecretresources that are required.Aside
Incidentally we've got a little jx-secret CLI too for working with
ExternalSecretresources and being able to edit them, import/export them, view which secrets are valid/populated + auto-generate them using a JSON-schema like schema (annotated on theExternalSecretresources) or wait for the mandatory secrets to be populated etc. See the CLI reference docs hereI'm hoping to do a blog soon on how we're using external secrets; they are awesome!
Questions
What should we call this new
noopbackendType? I wondered about something likekubernetesSecretor something but maybe we need a name to indicate some out of band / custom process is used to populate them. So maybecustomfor thebackendType?