Comments (9)
I absolutely see the use-case! Is there something which you can not do through the Kubernetes API server? I'm a little hesitant about adding this kind of feature because it involves duplicating a lot of features that are already present in the API server (authentication, authorization, TLS, list by label, cross-referencing resources).
I mean, it's a simple `kubectl annotate externalsecret foobar rotate=$(date +%s)` away. You can do this via CronJob or some Kubernetes SDK.
Every other user presumably needs other rotation criteria (rotate by secret path/label/namespace/ns-by-selector/es-name/...) and in the end all that ends up in this operator while it can already be done through the API server.
I definitely see a lack of documentation here like a guide with examples or a blog post explaining how to do that.
from external-secrets.
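One way to run the annotate-based refresh the comment above describes, as an added example that is not code from the external-secrets project: a CronJob whose ServiceAccount is bound to a Role limited to get/list/patch on ExternalSecrets, so the rotation job can bump the annotation but cannot read the synced Secrets themselves. The namespace `apps`, the label `rotate=hourly`, the annotation key `rotate` and the kubectl image are assumptions.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: es-refresher
  namespace: apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: es-refresher
  namespace: apps
rules:
  # Least privilege: no access to core Secrets, only to ExternalSecret objects.
  - apiGroups: ["external-secrets.io"]
    resources: ["externalsecrets"]
    verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: es-refresher
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: es-refresher
subjects:
  - kind: ServiceAccount
    name: es-refresher
    namespace: apps
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: es-refresher
  namespace: apps
spec:
  schedule: "0 * * * *"   # hourly; each ExternalSecret's own refreshInterval still applies in between
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: es-refresher
          restartPolicy: Never
          containers:
            - name: kubectl
              image: bitnami/kubectl   # assumption: any image that ships kubectl
              # --overwrite is required from the second run on, when the annotation already exists.
              command: ["sh", "-c", "kubectl annotate externalsecret -l rotate=hourly --overwrite rotate=$(date +%s)"]
```

The annotation is written only in the cluster and never committed, so a GitOps apply of the ExternalSecret manifest leaves it in place, as discussed later in this thread.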
From the docs
This command will compare the version of the configuration that you're pushing with the previous version and apply the changes you've made, without overwriting any automated changes to properties you haven't specified.
Apply basically ensures that the stuff from your repo is exactly how you intend it to be while leaving all other fields as they are.
@moolen @mcavoyk is this something that makes sense in ESO?
@cep21 Would you be willing to implement this and send us a PR?
This project has the advantage of a refreshInterval that is definable per ExternalSecret rather than at a controller level, so polling can more easily be reduced compared to the polling in KES. I think some more controls over the provider rate limiting could be added to the SecretStore spec, but I'm unsure how well a webhook fits into our current operator.
We have a very large cluster and lots of secrets. What's the problem with webhooks like
- /refresh&secret= that refreshes the external secret at this namespace/name
- /refresh&external_path=<secret_path> that refreshes all external secrets that reference a secret at a path
I agree @moolen, I should have been more specific that my previous statement was in regards to supporting a specific webhook service for the operator.
A refresh action is already supported based on the current implementation of ExternalSecret. Any update to the ES, like an annotation being added/updated, will trigger a refresh of the secret. This should be added to the documentation as mentioned.
We manage our Kubernetes objects via GitOps (Flux). It's a bit more annoying to set up a pipeline from SecretsManager -> Clone Repo -> Modify file -> Git Push -> Bot PR accept -> Git Merge -> Push than it is to set up SecretsManager -> webhook, and it will pollute our git repository with a bunch of commits, but it's not the end of the world.
It's good to know the annotation does a refresh. I agree with others it would help to move it from "implementation detail" to "guaranteed behavior".
I think the annotation doesn't need to be committed in the repo, I'd say it's kind of similar to the kubectl/last-applied-configuration annotation or generated values (uid, creationTimestamp, managedFields..). Yes, they are important for the cluster and something makes use of it, but it shouldn't be stored in a git repo because it's something that belongs to the cluster where the resource is located at.
Flux and ArgoCD use apply semantics to update resources, so I don't think it's an issue to just add a label. I suppose it won't even notice something has changed.
This is great information. So annotations are ignored by apply and not unsynced normally by gitops? Thanks for the info!