
Support for secrets provided via Secrets Store CSI Driver

Open guilledipa opened this issue 3 years ago • 3 comments

What problem are you facing?

Currently, MySQLConnectionSecret expects a Secret object as per:

kubectl create secret generic db-conn \
  --from-literal=username=admin \
  --from-literal=password='t0ps3cr3t' \
  --from-literal=endpoint=my.sql-server.com \
  --from-literal=port=3306

This implies that users need permissions to run kubectl create secret in the cluster.

In CI/CD pipelines where users have no permissions to run kubectl commands (and all code is persisted in repositories), the ability to inject secrets in the cluster via https://secrets-store-csi-driver.sigs.k8s.io/introduction.html is ideal. This is particularly useful in the context of Cloud environments where secrets are created in Secret Manager tools like GCP's Secret Manager.

How could Crossplane help solve your problem?

provider-sql could support secrets mounted via secrets-store-csi-driver.

guilledipa, Nov 03 '22 05:11

Two notes:

  • CSI supports Kubernetes secrets, but as the provider accesses them using the API instead of mounting them, this will not help here: https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html (except for hacks: if you do enable this feature and mount it to the pod, it will work, but that does not scale to "cattle" configurations, only "pet databases")
  • This use case was defined as out of scope for the initial version of pluggable secret stores: https://github.com/crossplane/crossplane/blob/master/design/design-doc-external-secret-stores.md#out-of-scope

@guilledipa but I think most users here will create the database with a randomly generated password in a crossplane composition, so no humans need Secret access at all. Are you using provider-sql without crossplane?

chlunde, Nov 09 '22 21:11
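The "hack" from the comment above, wired up end to end as an added example (this is not code from the issue or from provider-sql). It assumes a GCP Secret Manager backend in a project called my-project with the four connection values stored as separate secrets (db-username, db-password, db-endpoint, db-port), a CSI driver installed with Secret syncing enabled (the Helm value syncSecret.enabled=true), and a service account db-conn-sync bound to a GCP service account through Workload Identity. All of those names are assumptions.

```yaml
# Added example, not part of the issue or of provider-sql.
# Assumptions: GCP Secret Manager, project "my-project", secrets named
# db-username, db-password, db-endpoint and db-port; Secrets Store CSI Driver
# installed with syncSecret.enabled=true; Kubernetes service account
# "db-conn-sync" mapped to a GCP service account via Workload Identity.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-conn-gcp
  namespace: default
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/my-project/secrets/db-username/versions/latest"
        path: "username"
      - resourceName: "projects/my-project/secrets/db-password/versions/latest"
        path: "password"
      - resourceName: "projects/my-project/secrets/db-endpoint/versions/latest"
        path: "endpoint"
      - resourceName: "projects/my-project/secrets/db-port/versions/latest"
        path: "port"
  # Mirror the mounted files into a Kubernetes Secret whose keys are exactly
  # the ones MySQLConnectionSecret reads: username, password, endpoint, port.
  secretObjects:
  - secretName: db-conn
    type: Opaque
    data:
    - objectName: username
      key: username
    - objectName: password
      key: password
    - objectName: endpoint
      key: endpoint
    - objectName: port
      key: port
---
# The synced Secret only exists while a pod mounts the volume and is removed
# once no pod does, so each database needs its own long-lived placeholder pod.
# That is the "pet database" constraint from the comment above.
apiVersion: v1
kind: Pod
metadata:
  name: db-conn-sync
  namespace: default
spec:
  serviceAccountName: db-conn-sync   # assumed: carries the Workload Identity binding
  containers:
  - name: pause
    image: registry.k8s.io/pause:3.9
    volumeMounts:
    - name: secrets-store
      mountPath: /mnt/secrets-store
      readOnly: true
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: db-conn-gcp
---
# provider-sql then reads the synced Secret through the API, exactly as it
# would read one created with kubectl create secret.
apiVersion: mysql.sql.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: MySQLConnectionSecret
    connectionSecretRef:
      namespace: default
      name: db-conn
```

Two things to check before relying on this: the placeholder pod's service account must be able to read the Secret Manager versions (a 403 from Secret Manager shows up as a mount failure on the pod, not on the ProviderConfig), and the synced Secret carries an owner reference tied to the mounting pod, so draining the node that runs db-conn-sync silently removes db-conn until the pod is rescheduled.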

@guilledipa would an ESO integration be equally functional for you?

pierluigilenoci, Jul 05 '23 14:07

I'm sorry for the slow answer!

> @guilledipa would an ESO integration be equally functional for you?

Yes, ESO would keep the Secret object in sync with a provider and therefore fulfil the requirements.

guilledipa, Jul 25 '23 07:07
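The ESO route the thread settles on, as an added example that is not code from the issue, from provider-sql or from the External Secrets Operator project. It produces the same db-conn Secret with the keys MySQLConnectionSecret expects, without a pod mount, and the manifests can live in git and be applied by the pipeline. It assumes ESO is installed with the external-secrets.io/v1beta1 CRDs, a GCP Secret Manager project my-project holding secrets db-username and db-password, and a service account external-secrets in the external-secrets namespace bound to a GCP service account via Workload Identity on cluster my-cluster in us-central1; all of those names are assumptions.

```yaml
# Added example, not part of the issue, provider-sql or ESO.
# Assumptions: ESO with external-secrets.io/v1beta1 CRDs; GCP Secret Manager
# project "my-project" with secrets db-username and db-password; Kubernetes
# service account "external-secrets" (namespace "external-secrets") bound via
# Workload Identity on GKE cluster "my-cluster" in "us-central1".
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gcp-secret-manager
spec:
  provider:
    gcpsm:
      projectID: my-project
      auth:
        workloadIdentity:
          clusterLocation: us-central1
          clusterName: my-cluster
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-conn
  namespace: default
spec:
  refreshInterval: 1h          # re-read Secret Manager and rewrite the Secret on this cadence
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-secret-manager
  target:
    name: db-conn              # the name provider-sql's ProviderConfig connectionSecretRef points at
    creationPolicy: Owner      # ESO owns the Secret; deleting the ExternalSecret removes it
    template:
      engineVersion: v2
      data:
        # Keys MySQLConnectionSecret expects; secret values come from Secret
        # Manager, non-secret connection details can stay as literals in git.
        username: "{{ .username }}"
        password: "{{ .password }}"
        endpoint: my.sql-server.com
        port: "3306"
  data:
  - secretKey: username
    remoteRef:
      key: db-username
  - secretKey: password
    remoteRef:
      key: db-password
```

The RBAC split this gives is the point of the issue: whoever applies the repository needs create/update on ExternalSecret objects only, while the right to write Secrets stays with the ESO controller's service account. With refreshInterval set, a password rotated in Secret Manager lands in db-conn within the hour; provider-sql picks it up on its next reconcile, so rotate the database credential before the Secret Manager value expires rather than at the same moment.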