
[Feature Suggestion] Support for watching secretproviderclasspodstatuses in addition to secrets and configmaps (CSI driver)

Open dpkano opened this issue 2 years ago • 5 comments

Hi,

Now that many projects are choosing to use CSI drivers to deliver their secrets into their workloads directly (as a file in the fs), a secret rotation does not involve K8s secrets. Whenever a new version of a secret is delivered via CSI driver, the object secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io is updated with version information.

If Reloader watched these objects, we could still do a rolling upgrade of our workloads using Reloader when migrating to using CSI driver delivered secrets.

Would this community be interested in such a feature?

Cheers, Daniel

dpkano, Apr 26 '23 17:04

Agree, will be great to have this feature.

tutunak, Aug 14 '23 10:08

Hi @dpkano, are you guys working on implementing this? Is there any help needed or something that can be worked on together? Having CSI support would be an immense help for all software that doesn't live check files for changes.

UXabre, Oct 13 '23 14:10

Hi @UXabre, I've had a quick peek at the changes we need using Reloader. But, I think a simpler approach could be to use the Informer from the secretproviderclasspodstatuses to trigger a rolling upgrade for the controller (deployment, statefulset, daemonset, and more). This could be a neat short-term fix. If it pans out, I'll drop it on GitHub.

dpkano, Oct 13 '23 15:10
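The decision an informer handler on secretproviderclasspodstatuses would have to make, as an added example (not Reloader's code and not code from anyone in this thread): digest the `status.objects` id/version pairs and emit a pod-template annotation patch only when a version really changed. It uses only the Go standard library; the annotation key and both sample statuses are assumptions made up for illustration, and sending the patch to the owning Deployment, StatefulSet or DaemonSet is left to the caller's Kubernetes client.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// hashAnnotation is a hypothetical key; both statuses are constructed samples.
const hashAnnotation = "example.invalid/spc-objects-hash"
const oldStatus = `{"status":{"objects":[{"id":"db-password","version":"1"},{"id":"api-key","version":"7"}]}}`
const newStatus = `{"status":{"objects":[{"id":"api-key","version":"7"},{"id":"db-password","version":"2"}]}}`

// ObjectsDigest hashes the sorted id/version pairs, so list order is ignored.
func ObjectsDigest(raw []byte) (string, error) {
	var s struct { // encoding/json matches these field names case-insensitively
		Status struct {
			Objects []struct{ ID, Version string }
		}
	}
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", err
	}
	pairs := []string{}
	for _, o := range s.Status.Objects {
		pairs = append(pairs, o.ID+"\x00"+o.Version)
	}
	sort.Strings(pairs)
	b, _ := json.Marshal(pairs) // unambiguous encoding of the pair list
	return fmt.Sprintf("%x", sha256.Sum256(b)), nil
}

// RolloutPatch compares the old and new object of an update event: "" means no
// version changed (e.g. a resync), else a merge patch touching the pod template.
func RolloutPatch(oldRaw, newRaw []byte) (string, error) {
	oldD, err1 := ObjectsDigest(oldRaw)
	newD, err2 := ObjectsDigest(newRaw)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("decode status: old=%v new=%v", err1, err2)
	}
	if oldD == newD {
		return "", nil
	}
	return fmt.Sprintf(`{"spec":{"template":{"metadata":{"annotations":{%q:%q}}}}}`, hashAnnotation, newD), nil
}

func main() {
	fmt.Println(RolloutPatch([]byte(oldStatus), []byte(newStatus)))
}
```

Comparing digests rather than reacting to every update event keeps periodic informer resyncs and reordered object lists from restarting workloads whose secrets did not rotate.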

Hello Team,

Are there any updates about this feature? The CSI driver is a common approach to be used for secrets, and this will be a great improvement for Reloader.

zeenmc, Jun 11 '24 16:06

+1 for this. We use AWS secrets manager to store + CSI driver to load secrets. This would be a really useful feature.

sanilcredcore, Aug 06 '24 07:08