Skip to content
This repository was archived by the owner on Jul 26, 2022. It is now read-only.
This repository was archived by the owner on Jul 26, 2022. It is now read-only.

add a new custom backend for extensions? #476

Description

@jstrachan

TL;DR allow alternative controllers/operators/steps to populate Secret resources from ExternalSecret CRDs; so add a backendType to the CRD which the external secrets controller ignores and indicates some custom/out of band mechanism does the population.

Background

We're using https://github.com/godaddy/kubernetes-external-secrets by default in Jenkins X 3.x now and its working awesome. However we have a requirement to support just regular kubernetes secrets (i.e. no vault / cloud secret storage) - particularly for low resource usage (e.g. folks trying Jenkins X on minikube).

We'd like to still use ExternalSecret CRDs though but have a backendType string we can use which if the external secrets controller is running its just ignored for that ExternalSecret. Maybe folks could combine custom backend with vault/others too?

This might sound strange; but from a GitOps perspective we want to check in all resources to git - apart from Secrets. So the pipelines in Jenkins X converts all Secret resources generated by helm / helmfile / kustomize / kpt to ExternalSecret resources and check them in.

Then when using vault / (Amazon | Azure | Google) Secret manager then the external secrets controller populates the Secret resources. When not using any of those, we can populate those Secret resources automatically via Jenkins X so we don't need the external secrets controller to do anything. So we basically want a kind of noop backendType.

Currently we've a minor hack ;) - when folks are not using vault / * Secret Manager, we install a modified version of the external secrets CRD which adds a new local backendType (then we don't install the external secrets controller) but it'd be nice to submit a PR on this git repository and add this backendType for real to both the CRD and the controller.

So I thought I'd raise this issue first to see what you thought about the idea. If you're cool with it I'll try create a PR.

While the use case for Jenkins X might seem fairly specific - I could see folks wanting to use custom scripts/pipelines/tools/mechanisms to populate Secret resources - but still reuse the ExternalSecret CRDs to describe the Secret resources that are required.

Aside

Incidentally we've got a little jx-secret CLI too for working with ExternalSecret resources and being able to edit them, import/export them, view which secrets are valid/populated + auto-generate them using a JSON-schema like schema (annotated on the ExternalSecret resources) or wait for the mandatory secrets to be populated etc. See the CLI reference docs here

I'm hoping to do a blog soon on how we're using external secrets; they are awesome!

Questions

What should we call this new noop backendType? I wondered about something like kubernetesSecret or something but maybe we need a name to indicate some out of band / custom process is used to populate them. So maybe custom for the backendType?

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions