Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

🗺️ Design for dataFrom key rewrite (#1188)

* design for dataFrom key rewrite

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

* Update design/004-datafrom-key-rewrite.md

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>

* Update design/004-datafrom-key-rewrite.md

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>

* Adding drawbacks and examples. Changing CRDs to have  block

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
Gustavo Fernandes de Carvalho 3 years ago
parent
7eff8db532
commit
4db9017d2e
3 changed files with 172 additions and 0 deletions
Unified View Show Diff Stats
  1. 0 0
      design/002-secretsink.md
  2. 0 0
      design/003-cluster-external-secret-spec.md
  3. 172 0
      design/004-datafrom-key-rewrite.md

design/001-secretsink.md → design/002-secretsink.md
View File


design/cluster-external-secret-spec.md → design/003-cluster-external-secret-spec.md
View File


+ 172 - 0
design/004-datafrom-key-rewrite.md
View File 

@@ -0,0 +1,172 @@
 
+```yaml
 
+---
 
+title: dataFrom key rewrite
 
+version: v1alpha1
 
+authors: 
+creation-date: 2022-05-25
 
+status: draft
 
+---
 
+```
 
+
 
+# Datafrom Key Rewrite
 
+
 
+## Table of Contents
 
+
 
+<!-- toc -->
 
+// autogen please
 
+<!-- /toc -->
 
+
 
+
 
+## Summary
 
+DataFrom key rewrite aims to give users the possibility to rewrite secret keys before manipulating into a template. This feature is specially useful with the addition of `dataFrom.find` introduced in v0.5.0, as a way to allow users to rewrite secret keys in batches, without knowing the full content of the key.
 
+
 
+## Motivation
 
+It is hard to administer key creation without having weird names that convolutes with the path. It is natural to have a feature to allow secret Keys manipulation both from the lifecycle of the secret management and as part of the templating feature.
 
+
 
+### Goals
 
+- CRD Design for dataFrom key rewrite
 
+
 
+### Non-Goals
 
+Do not implement secret values rewrite - this should be done with templating - nor handle initial secret value conversion (see [#920](https://github.com/external-secrets/external-secrets/issues/920)). 
+
 
+### Terminology
 
+- Secret Key: the kubernetes secret key, aka the `string` in `map[string][]byte` in the codebase used to render Kubernetes Secrets.
 
+
 
+## Proposal
 
+
 
+Add a rewrite step after applying either `GetSecretMap` or `GetAllSecrets`, but before applying any conversion logic. This allows us to apply individual mappings to different `dataFrom` groups so they can be composed well together in combination with `data` (see example below).
 
+
 
+### User Stories
 
+1. As an user I want to be able to remove paths from my Secret Keys
 
+2. As an user I want to be able to customize secret keys to have more meaningful value to the tenants consuming it.
 
+3. As an user I want external-secrets to tell me if there is any rewrite conflict and not to overwrite secrets information.
 
+
 
+### API
 
+Proposed CRD changes:
 
+
 
+```yaml
 
+apiVersion: external-secrets.io/v1beta1
 
+kind: ExternalSecret
 
+metadata:
 
+  name: sample
 
+  namespace: default
 
+spec:
 
+  refreshInterval: 1m
 
+  target:
 
+   name: foobar
 
+  secretStoreRef:
 
+    name: secretstore-sample
 
+    kind: SecretStore
 
+  dataFrom:
 
+    - extract:
 
+        key: /foo/bar
 
+      rewrite:
 
+      - regexp:
 
+          source: my-known-key
 
+          target: new_key_name
 
+      - regexp: 
+          source: my-unknown-(.*)
 
+          target: unknown-$1
 
+    - find:
 
+        conversionStrategy: Unicode
 
+        path: "my/path/"
 
+        name:
 
+          regexp: "my-pattern"
 
+      rewrite:
 
+      -  regexp: 
+            source: my/path/(.*)
 
+            target: $1
 
+      -  regexp:          
+            source: creds/(db|system)/(.*)
 
+            target: $2-$1
 
+    - find:
 
+        conversionStrategy: Default
 
+        path: "my/path/"
 
+        tags:
 
+          env: dev
 
+      rewrite:
 
+      - regexp:
 
+         source: my/path/(.*)
 
+         target: dev-$1
 
+
 
+```
 
+
 
+### Behavior
 
+After applying `GetAllSecrets` or `GetSecretMap`, a rewrite logic is applied by using regular expressions capture groups. This will convert the Secret Keys according to a given standard, possibly even up to a well known key for the `GetSecretMap`. After the key rewrite is done, the `ConversionStrategy` should be applied, and then the new collection of Secret Keys (`map[string][]byte`) can be rendered to template.
 
+
 
+#### Examples
 
+
 
+* adding a prefix/suffix - will transform `my-secret` in `my-preffix-my-secret-my-suffix`
 
+```
 
+      rewrite:
 
+      - regexp:
 
+         source: (.*)
 
+         target: my-preffix-$1-my-suffix
 
+```
 
+* removing a prefix/suffix - will transform `my-preffix-my-secret-my-suffix` into `my-secret`
 
+```
 
+      rewrite:
 
+      - regexp:
 
+         source: my-preffix-(.*)-my-suffix
 
+         target: $1
 
+```
 
+* Replacing characters - will transform `my/path/reader_db.creds-webapp` into `my-path-reader-db-creds-webapp`
 
+```
 
+      rewrite:
 
+      - regexp:
 
+         source: \.|-|_|/ #standardizing separation with '-'
 
+         target: -
 
+
 
+```
 
+
 
+* Removing path from the key name - will transform `my/path/reader-db-creds-webapp` into `reader-db-creds-webapp`
 
+```
 
+    - find:
 
+        conversionStrategy: Default
 
+        path: "my/path/"
 
+        tags:
 
+          env: dev
 
+      rewrite:
 
+      - regexp:
 
+         source: my/path/(.*)
 
+         target: $1
 
+### 
+```
 
+
 
+* Combining operations - will transform `my/path/reader-db-creds-webapp` into `db-creds-reader`
 
+```
 
+    - find:
 
+        conversionStrategy: Default
 
+        path: "my/path/"
 
+        tags:
 
+          env: dev
 
+      rewrite:
 
+      - regexp:
 
+         source: my/path/(?P<secret>.*)
 
+         target: $secret
 
+      - regexp:
 
+         source: (?U)(?P<role>.*)-(?P<app>.*)-webapp
 
+         target: $app-$role
 
+```
 
+
 
+
 
+### Drawbacks
 
+
 
+It would not be trivial to replace a specific set of existing characters for new characters with this strategy. This could be implemented with a `replace` method afterwards.
 
+
 
+There are also some known limitations to golang regexp library, which implementes RE2. Some of the known limitations include:
 
+* Lack of ability to do lookaheads or lookbehinds
 
+* Lack of negation expressions
 
+* Lack of support to conditionl branches.
 
+* Lack of support to possessive repetitions.
 
+  
+A list of compatibility and known limitations considering other commonly used regexp frameworks (such as PCRE and PERL) are listed here https://github.com/google/re2/wiki/Syntax
 
+
 
+### Acceptance Criteria
 
++ If multiple keys have the same name an error should happen to the user referencing the original Secret Keys.
 
++ A rewrite respects the regular expression limits
 
++ A rewrite is compatible with `dataFrom.extract` and `dataFrom.find`
 
++ It should be possible to remove paths with the `rewrite` operation.
 
+
 
+## Alternatives
 
+Add provider-specific ConversionStrategies, which would be painfully hard to maintain.