You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'd like to be able to implement secretRef lookups against secrets in the crossplane-system namespace to include the resulting key in my compositions as templated values.
{{ secretRef "secret-name" "key" }}
This would of course incur some kubernetes ServiceAccount privileges to read secrets, but these should be optional and this additional templating function should fail with an error if the sufficient privileges aren't configured.
I'm not sure if this is even possible.
How could this Function help solve your problem?
This would allow me to use external secrets operator to go get some secrets from AWS secrets manager and have them accessible in my compositions, or pre-seed the cluster via terraform creating secrets.
Currently the only alternative I can think of is EnvironmentConfig objects but they are closer to a configMap than secret per se, and even then I can't see them reliably in Terraform because Crossplane is installed by ArgoCD out of band and the CRD for EnvironmentConfigs won't exist yet.
Notes
I appreciate this might be out of scope for the go-templating function, and I'm not even sure if functions can be configured for external connectivity - I know they're designed to assume they don't have it, but I'm under the impression there's work being done for Resource Lookups in a function, to reference Crossplane Compositions/MRs natively in a pipeline, which itself would require some RBAC type permissions.
apiVersion: apiextensions.crossplane.io/v2alpha1kind: Compositionmetadata:
name: examplespec:
compositeTypeRef:
apiVersion: database.example.org/v1alpha1kind: XPostgreSQLInstancefunctions:
- name: query-awstype: Containercontainer:
image: xkpg.io/query-aws:0.1.0# We need to access AWS API to make the queries. network: Accessibleconfig:
apiVersion: query.aws.upbound.io/v1alpha1kind: VPCmetadata:
name: find-default-vpcspec:
region: us-east-1default: true
The text was updated successfully, but these errors were encountered:
this should be addressed either by crossplane/crossplane#5543 or wrapping a secret in a provider-kubernetes Object and then getting it using extra resources either via function-extra-resources or #83.
What problem are you facing?
I'd like to be able to implement secretRef lookups against secrets in the crossplane-system namespace to include the resulting key in my compositions as templated values.
{{ secretRef "secret-name" "key" }}
This would of course incur some kubernetes ServiceAccount privileges to read secrets, but these should be optional and this additional templating function should fail with an error if the sufficient privileges aren't configured.
I'm not sure if this is even possible.
How could this Function help solve your problem?
This would allow me to use external secrets operator to go get some secrets from AWS secrets manager and have them accessible in my compositions, or pre-seed the cluster via terraform creating secrets.
Currently the only alternative I can think of is EnvironmentConfig objects but they are closer to a configMap than secret per se, and even then I can't see them reliably in Terraform because Crossplane is installed by ArgoCD out of band and the CRD for EnvironmentConfigs won't exist yet.
Notes
I appreciate this might be out of scope for the go-templating function, and I'm not even sure if functions can be configured for external connectivity - I know they're designed to assume they don't have it, but I'm under the impression there's work being done for Resource Lookups in a function, to reference Crossplane Compositions/MRs natively in a pipeline, which itself would require some RBAC type permissions.
edit: Reference to design proposal for network enabled functions: https://github.com/crossplane/crossplane/blob/master/design/design-doc-observe-only-resources.md#querying-and-filtering
The text was updated successfully, but these errors were encountered: