Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add controller field to SecretStore to allow for multiple ambient credential deployments #78

Open
mcavoyk opened this issue Oct 25, 2020 · 1 comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@mcavoyk
Copy link
Collaborator

mcavoyk commented Oct 25, 2020

Is your feature request related to a problem? Please describe.
Only one controller using "ambient" credentials (credentials which make up the controllers environment variables or volumes) can be used per namespace/cluster. The controller with ambient creds has no method of scoping what SecretStore's the controller is owner of.

Describe the solution you'd like
Add controller field to SecretStore types which can provide an optional scoping mechanism when either using multiple secret-managers with ambient credentials or mixed ambient/explicit creds. An example would be to deploy a controller with AWS IRSA authentication which has ambient creds for aws secret manager and/or vault secret store with AWS auth, but this controller is scoped to only SecretStore's with "aws" string in the controller field. Another secret-manager could be deployed to cover explicit default controllers.

Describe alternatives you've considered
One other solution is to disallow the use of ambient credentials and force explicit credentials. This may not be preferred as cloud providers can offer secure ways to manage ambient credentials for their systems (like AWS IRSA #77) .

/kind feature

@mcavoyk mcavoyk added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 25, 2020
@mcavoyk
Copy link
Collaborator Author

mcavoyk commented Oct 25, 2020

I have mixed feelings around ambient credentials. They are a bit tricky to test (often times we have to rely on the specific SDK's "just working" and set the ENV vars they expect), but can be really useful from a deployment perspective. Having to deploy multiple secret-managers per cluster to deal with multiple sets of ambient creds feels like the wrong solution.

I think another reasonable option here is as mentioned is to force explicit and disallow ambient, but then to also offer "serviceaccount selector" in cases where a Kubernetes service account token is used as authentication (like AWS IRSA, Vault Kubernetes auth, etc).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

No branches or pull requests

1 participant