Allow secret exports to filter the exportable fields #36

Open
cjnosal opened this issue Oct 18, 2021 · 4 comments
Labels
- carvel-accepted: This issue should be considered for future work and that the triage process has been completed
- discussion: This issue is not a bug or feature and a conversation is needed to find an appropriate resolution
- enhancement: This issue is a feature request
- priority/unprioritized-backlog: Higher priority than priority/awaiting-more-evidence but not planned. Contributions are welcome.

Comments

@cjnosal

cjnosal commented Oct 18, 2021

Describe the problem/challenge you have
I would like to export the ca.crt and tls.crt of a kubernetes.io/tls secret without exporting the private tls.key (or more generally, only export the public portion of asymmetric cryptography secrets, or an arbitrary subset of Opaque secrets).

Describe the solution you'd like
New optional fields in the SecretExport.spec (e.g. exportField, exportFields) to specify which portions of a secret to offer for export.

@cjnosal cjnosal added carvel-triage This issue has not yet been reviewed for validity enhancement This issue is a feature request labels Oct 18, 2021
@cppforlife
Contributor

that seems like a good feature to have. though we may run into a validation problem for destination secret since some types require to have X keys present. (maybe keep them empty?)

@cjnosal
Author

cjnosal commented Oct 22, 2021

Yeah, for now we're using an opaque secret to only store the ca.crt, which is unfortunate.
kubectl create secret tls validates the key and cert are valid PEM files (with no CA arg), but kubectl apply will allow empty strings for tls.key/tls.crt.

Absent TLS-aware logic in the controller, a fully generic config might need to have include/exclude/truncate fields in the export?

Though I suppose there's the risk of a future k8s version / validating webhook with stronger opinions ...
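A sketch of the include-list filtering discussed in this thread, as an added example (hypothetical code, not from secretgen-controller): it copies only the named keys and, following the "keep them empty" idea above, leaves a typed secret's required keys present but empty so the destination still passes type validation. The `requiredKeys` table and the `FilterSecretData` function are assumptions for this example.

```go
package main

import "fmt"

// requiredKeys lists the data keys the API server expects for a built-in
// secret type. Hypothetical table for this example; only kubernetes.io/tls
// is filled in.
var requiredKeys = map[string][]string{
	"kubernetes.io/tls": {"tls.crt", "tls.key"},
}

// FilterSecretData returns a copy of data limited to exportFields.
// An empty exportFields keeps today's behaviour (export everything).
// Required keys of typed secrets that were not exported are kept with an
// empty value so the destination still passes type validation.
func FilterSecretData(secretType string, data map[string][]byte, exportFields []string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data))
	if len(exportFields) == 0 {
		for k, v := range data {
			out[k] = append([]byte(nil), v...)
		}
		return out, nil
	}
	for _, f := range exportFields {
		v, ok := data[f]
		if !ok {
			return nil, fmt.Errorf("export field %q not present in source secret", f)
		}
		out[f] = append([]byte(nil), v...)
	}
	for _, k := range requiredKeys[secretType] {
		if _, ok := out[k]; !ok {
			out[k] = []byte{}
		}
	}
	return out, nil
}

func main() {
	// Constructed sample secret; values are placeholders, not real PEM.
	src := map[string][]byte{"ca.crt": []byte("CA-PEM"), "tls.crt": []byte("CERT-PEM"), "tls.key": []byte("PRIVATE-KEY-PEM")}
	out, err := FilterSecretData("kubernetes.io/tls", src, []string{"ca.crt", "tls.crt"})
	if err != nil {
		panic(err)
	}
	// tls.key is present for validation but carries no bytes.
	fmt.Printf("ca.crt=%q tls.crt=%q tls.key=%q\n", out["ca.crt"], out["tls.crt"], out["tls.key"])
}
```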

@joe-kimmel-vmw joe-kimmel-vmw added carvel-accepted This issue should be considered for future work and that the triage process has been completed discussion This issue is not a bug or feature and a conversation is needed to find an appropriate resolution priority/unprioritized-backlog Higher priority than priority/awaiting-more-evidence but not planned. Contributions are welcome. and removed carvel-triage This issue has not yet been reviewed for validity labels Dec 22, 2021
@cppforlife
Contributor

related: #54

@neil-hickey
Contributor

@cppforlife did PR #54 fix the issue presented? Or shall I leave this one open?
