allow writing secrets to nested folders #125

tam7t · 2021-06-30T22:25:07Z

Currently the fileName parameter in the SecretProviderClass parameters cannot have a path separator and is validated by k8s.io/apimachinery/pkg/util/validation.IsConfigMapKey.

A user may want to organize secrets into folder within the mount:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: app-secrets
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "<RESOURCE_ID>"
        fileName: "api.key"
      - resourceName: "<RESOURCE_ID>"
        fileName: "tls/cert.pem"
      - resourceName: "<RESOURCE_ID>"
        fileName: "tls/key.pem"
      - resourceName: "<RESOURCE_ID>"
        fileName: "foo/bar/baz.txt"

Now that all file writes are handled by the driver (#98) and the driver itself uses the same AtomicWriter as other K8s secrets this should be possible without re-introducing CVE-2020-8567

The text was updated successfully, but these errors were encountered:

tam7t added the feature label Jun 30, 2021

tam7t self-assigned this Aug 20, 2021

tam7t mentioned this issue Aug 25, 2021

feat: allow nested paths #136

Merged

tam7t closed this as completed in #136 Aug 26, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

allow writing secrets to nested folders #125

allow writing secrets to nested folders #125

tam7t commented Jun 30, 2021

allow writing secrets to nested folders #125

allow writing secrets to nested folders #125

Comments

tam7t commented Jun 30, 2021