
Aws secretmanager secret creation from a kubernetes secret doesn't transfer all keys of k8s secret to the aws secret #783

Closed
arunpmohan opened this issue Jul 12, 2023 · 8 comments
Labels
bug Something isn't working needs:triage stale

Comments


arunpmohan commented Jul 12, 2023

Upbound provider: 0.37
Crossplane version: 1.12

Trying to create a Secrets Manager secret using the following YAML.

My Kubernetes secret has 2 fields called test and test1.

```
kubectl describe secret ssh-key-secret
Name:         ssh-key-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
test:   4 bytes
test1:  5 bytes
```

```yaml
apiVersion: secretsmanager.aws.upbound.io/v1beta1
kind: Secret
metadata:
  name: atest
spec:
  deletionPolicy: Delete
  forProvider:
    forceOverwriteReplicaSecret: true
    name: atest
    recoveryWindowInDays: 0
    region: us-east-1
  managementPolicy: FullControl
  providerConfigRef:
    name: default
---
apiVersion: secretsmanager.aws.upbound.io/v1beta1
kind: SecretVersion
metadata:
  name: atest-ca-crt
spec:
  deletionPolicy: Delete
  forProvider:
    region: us-east-1
    secretId: arn:aws:secretsmanager:us-east-1:214812636930:secret:atest-LtThXD
    secretStringSecretRef:
      key: test
      name: ssh-key-secret
      namespace: default
  managementPolicy: FullControl
  providerConfigRef:
    name: default
```

The first problem here is that the key is mandatory, unlike the open-source Crossplane provider where the key is optional (https://doc.crds.dev/github.com/crossplane/provider-aws/secretsmanager.aws.crossplane.io/Secret/[email protected]).
In the open-source provider, if we don't provide the key, it creates the whole secret on AWS Secrets Manager with all present keys in the secret. This is very useful when we use TLS secrets with certificates.

The second issue is that when we try to do both keys in the secret, it only puts the last operation's value in AWS. We tried to add the second key as follows, but then it overrides the previous one and I can see only the test1 value on the AWS console.

```yaml
apiVersion: secretsmanager.aws.upbound.io/v1beta1
kind: SecretVersion
metadata:
  name: atest-2
spec:
  deletionPolicy: Delete
  forProvider:
    region: us-east-1
    secretId: arn:aws:secretsmanager:us-east-1:214812636930:secret:atest-LtThXD
    secretStringSecretRef:
      key: test1
      name: ssh-key-secret
      namespace: default
  managementPolicy: FullControl
  providerConfigRef:
    name: default
```

So, in short, we are unable to push multi-key/value secrets to AWS Secrets Manager.

@arunpmohan arunpmohan added bug Something isn't working needs:triage labels Jul 12, 2023
@arunpmohan arunpmohan changed the title Aws secretmanager secret creation from a kubernetes secret doesnt put all fields of secret Aws secretmanager secret creation from a kubernetes secret doesn't transfer all keys of k8s secret to the aws secret Jul 12, 2023
@mbbush (Collaborator)

mbbush commented Jul 12, 2023

The way I've managed to get this working is to construct a kubernetes secret with a single key, whose value is a stringified json object containing all the key:value pairs I want to be in secretsmanager.

This is not the most intuitive interface, but it works.
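The workaround above, as an added example that is not part of this thread or of the provider: take a Kubernetes Secret as the API server returns it (base64 `data`), fold every key/value pair into one JSON string, emit a new single-key Secret, and point a SecretVersion at that one key. The sample Secret, the output name `ssh-key-secret-json`, the key name `json` and the placeholder ARN are constructed here; it assumes the values are UTF-8 text (PEM material from cert-manager qualifies).

```python
import base64
import json

# Constructed sample, mirroring the issue's ssh-key-secret (keys "test" and
# "test1", 4 and 5 bytes) as the API server returns it, base64-encoded.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "ssh-key-secret", "namespace": "default"},
    "data": {"test": base64.b64encode(b"abcd").decode(),
             "test1": base64.b64encode(b"abcde").decode()},
}

def decode_secret_data(secret: dict) -> dict:
    """Base64-decode every value in .data (assumes UTF-8 text, e.g. PEM)."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in secret.get("data", {}).items()}

def flatten_for_secretsmanager(secret: dict, out_name: str, out_key: str = "json") -> dict:
    """Build a single-key Secret whose one value is a JSON object holding all
    the original key/value pairs; SecretVersion.secretStringSecretRef can then
    push that one string, and Secrets Manager shows it as a key/value secret."""
    payload = json.dumps(decode_secret_data(secret), sort_keys=True)
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": out_name,
                     "namespace": secret["metadata"]["namespace"]},
        "data": {out_key: base64.b64encode(payload.encode("utf-8")).decode()},
    }

def secret_version_for(name: str, secret_id: str, flat: dict) -> dict:
    """SecretVersion manifest wired to the flattened Secret (same fields the
    issue's YAML uses; secret_id is the Secrets Manager ARN, a placeholder here)."""
    (key,) = flat["data"].keys()  # the flattened Secret has exactly one key
    return {
        "apiVersion": "secretsmanager.aws.upbound.io/v1beta1",
        "kind": "SecretVersion",
        "metadata": {"name": name},
        "spec": {
            "deletionPolicy": "Delete",
            "forProvider": {"region": "us-east-1", "secretId": secret_id,
                            "secretStringSecretRef": {
                                "key": key, "name": flat["metadata"]["name"],
                                "namespace": flat["metadata"]["namespace"]}},
            "managementPolicy": "FullControl",
            "providerConfigRef": {"name": "default"},
        },
    }
```

Serialise the two returned dicts to YAML (or `kubectl apply -f -` as JSON, which is valid YAML) to apply them.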

@arunpmohan (Author)

Thanks for your reply. In our case we really want to push a TLS secret which is automatically created by cert-manager, so we don't have control over the data structure of this secret.


github-actions bot commented Apr 3, 2024

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

@tm-nadavsh

+1, this is very annoying. Can we maybe open a feature request to make secretStringSecretRef.key optional and, if it does not exist, push the whole secret in a key/value format just like in the open-source Crossplane provider?


This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

@github-actions github-actions bot added the stale label Aug 18, 2024

github-actions bot commented Sep 4, 2024

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 4, 2024
@hhami-newday

+1

1 similar comment
@alexwiedermann

+1

7 participants