Cannot specify secretObjects of SecretProviderClass that reference ASM values of integer type #250

Open
jfmeachum opened this issue Jul 14, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

jfmeachum commented Jul 14, 2023

Describe the bug
A SecretProviderClass specifying a secretObject that references an integer value stored in an ASM Secret fails to create a K8s Secret.

To Reproduce

Steps to reproduce the behavior:

Given an ASM Secret will-fail with the following structure:

{
    "fails": 123
}

And a SecretProviderClass resource declaration:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: does-not-work
  namespace: example
spec:
  parameters:
    objects: |-
      - objectName: will-fail
        objectType: secretsmanager
        jmesPath:
        - path: fails
          objectAlias: fails
  provider: aws
  secretObjects:
  - data:
    - key: fails
      objectName: fails
    secretName: will-fail
    type: Opaque

Workloads that depend on the above will fail with the following error:

Failure getting secret values from provider type secretsmanager: Failed to fetch secret from all regions: will-fail

The inclusion of a jmesPath reference within .spec.parameters.objects causes this issue. The provider will succeed if the explicit reference to a key of an integer value is removed.

Expected behavior

Workload containers start and are able to consume the K8s Secret as well as access the CSI driver-managed volume data.

@jfmeachum jfmeachum added the bug Something isn't working label Jul 14, 2023

jbct commented Jul 17, 2023

Hi jfmeachum. This was an intentional design decision, but we will flag this as an enhancement request.

@jbct jbct added enhancement New feature or request and removed bug Something isn't working labels Jul 17, 2023

ajthyng commented Sep 13, 2023

@jbct Can you provide details on the basis for this intentional design decision? It feels very counter-intuitive.

jbct commented Oct 30, 2023

Hi @ajthyng. The upstream Secret Store CSI Driver requires this to be returned as a byte array. Since there are numerous native JSON object types, some of which require binary encoding/correct native ordering, we made the intentional decision to restrict this to string values at this time. We recognize that this may not work for all customers and have noted this enhancement.
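
A pre-deployment check for the string-only restriction described in the reply above, added here as an example (it is not part of the thread and not the provider's code): it takes a secret's JSON body and the jmesPath entries of a SecretProviderClass and reports every path that does not resolve to a JSON string, naming the type without printing the value. The function names are hypothetical, and path resolution is assumed to cover only dotted plain keys, not full JMESPath.

```python
import json

def json_type(value):
    """Name the JSON type of a decoded value (bool is checked before int)."""
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    return "array" if isinstance(value, list) else "object"

def resolve(doc, path):
    """Follow dotted plain keys (assumed subset of JMESPath); returns (value, found)."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None, False
        node = node[key]
    return node, True

def lint_jmes_paths(secret_string, jmes_entries):
    """Return one finding per jmesPath entry that does not resolve to a JSON string."""
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError:
        return ["secret is not valid JSON, so jmesPath cannot be applied"]
    findings = []
    for entry in jmes_entries:
        value, found = resolve(doc, entry["path"])
        if not found:
            findings.append(f"{entry['objectAlias']}: path '{entry['path']}' not found")
        elif not isinstance(value, str):
            # Report only the type, never the value, so secrets stay out of CI logs.
            findings.append(f"{entry['objectAlias']}: path '{entry['path']}' is a JSON "
                            f"{json_type(value)}, not a string")
    return findings

# jmesPath entries and secret body from the issue; the string variant is constructed.
ENTRIES = [{"path": "fails", "objectAlias": "fails"}]
SECRET_FROM_ISSUE = '{"fails": 123}'
SECRET_AS_STRING = '{"fails": "123"}'

if __name__ == "__main__":
    for name, body in [("issue", SECRET_FROM_ISSUE), ("string", SECRET_AS_STRING)]:
        print(name, lint_jmes_paths(body, ENTRIES) or "ok")
```
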

Doc94 commented Dec 1, 2023

Hi, I have the same issue, but my question is... can't the warning/error be more detailed? I need to change the version to an OLD one to know this was the error.
