Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SecretRef functionality #74

Open
danielloader opened this issue Feb 28, 2024 · 1 comment
Open

SecretRef functionality #74

danielloader opened this issue Feb 28, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@danielloader
Copy link

danielloader commented Feb 28, 2024

What problem are you facing?

I'd like to be able to implement secretRef lookups against secrets in the crossplane-system namespace to include the resulting key in my compositions as templated values.

{{ secretRef "secret-name" "key" }}

This would of course incur some kubernetes ServiceAccount privileges to read secrets, but these should be optional and this additional templating function should fail with an error if the sufficient privileges aren't configured.

I'm not sure if this is even possible.

How could this Function help solve your problem?

This would allow me to use external secrets operator to go get some secrets from AWS secrets manager and have them accessible in my compositions, or pre-seed the cluster via terraform creating secrets.

Currently the only alternative I can think of is EnvironmentConfig objects but they are closer to a configMap than secret per se, and even then I can't see them reliably in Terraform because Crossplane is installed by ArgoCD out of band and the CRD for EnvironmentConfigs won't exist yet.

Notes

I appreciate this might be out of scope for the go-templating function, and I'm not even sure if functions can be configured for external connectivity - I know they're designed to assume they don't have it, but I'm under the impression there's work being done for Resource Lookups in a function, to reference Crossplane Compositions/MRs natively in a pipeline, which itself would require some RBAC type permissions.

edit: Reference to design proposal for network enabled functions: https://github.com/crossplane/crossplane/blob/master/design/design-doc-observe-only-resources.md#querying-and-filtering

apiVersion: apiextensions.crossplane.io/v2alpha1
kind: Composition
metadata:
  name: example
spec:
  compositeTypeRef:
    apiVersion: database.example.org/v1alpha1
    kind: XPostgreSQLInstance
  functions:
    - name: query-aws
      type: Container
      container:
        image: xkpg.io/query-aws:0.1.0
        # We need to access AWS API to make the queries. 
        network: Accessible
      config:
        apiVersion: query.aws.upbound.io/v1alpha1
        kind: VPC
        metadata:
          name: find-default-vpc
        spec:
          region: us-east-1
          default: true
@danielloader danielloader added the enhancement New feature or request label Feb 28, 2024
@phisco
Copy link
Collaborator

phisco commented Apr 10, 2024

this should be addressed either by crossplane/crossplane#5543 or wrapping a secret in a provider-kubernetes Object and then getting it using extra resources either via function-extra-resources or #83.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants