Extract JSON key-value pairs from secrets #229

Open
vitordeap opened this issue Feb 28, 2023 · 3 comments

@vitordeap

TL;DR

Some secrets are stored with multiple properties (JSON structure, e.g. {"user":"user","password":"password"}). This feature would bring the ability to mount secrets and extract the properties individually.

Design

Proposal
The existing structure for a secret object could have another property (array), such as extractKey. The file would be saved only with the value of the extracted key (e.g. only the password value). This would be an initial version just to enable this feature; in the future this can be improved by using multiple keys and maybe manipulating the JSON.

Example:

spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: projects/<project_id>/secrets/<secret_name>/versions/<version>
        path: <filepath>
        extractKey: <my_json_key_to_be_extracted>

Alternatives considered
Today, we solve this by running bash scripts in the pods where the files were mounted, not a very nice design.

Resources
Other providers have this implementation, examples below:
AWS, check for the jmesPath field description.
HashiCorp Vault, check for the secretKey field description.

Additional information
This will empower the provider to be used alongside other technologies, since the secrets can be used directly with config files easily. We intend to use this feature with Prometheus, Grafana, RabbitMQ, etc.
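
The extractKey behaviour proposed above, sketched as an added example that is not part of the issue and is not the provider's code. The helper name `extractKey`, the `ErrKeyNotFound` error and the handling of non-string values are assumptions; the sample payload is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrKeyNotFound is returned when the requested key is absent or null.
var ErrKeyNotFound = errors.New("extractKey: key not found in secret payload")

// extractKey is a hypothetical helper (not part of the provider). It returns
// the bytes that would be written to the mounted file for one JSON property.
func extractKey(payload []byte, key string) ([]byte, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(payload, &obj); err != nil {
		// Return a fixed message: the decoder's error text can quote
		// characters from the payload, which would end up in logs.
		return nil, errors.New("extractKey: secret payload is not a JSON object")
	}
	raw, ok := obj[key]
	if !ok || len(raw) == 0 || string(raw) == "null" {
		// Fail closed: never fall back to writing the whole secret.
		return nil, ErrKeyNotFound
	}
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		// String values are decoded, so the file holds the bare value
		// without surrounding quotes or JSON escapes.
		return []byte(s), nil
	}
	// Assumption: numbers, booleans, arrays and objects keep their JSON text.
	return raw, nil
}

func main() {
	// Constructed sample payload, shaped like the one in the issue.
	payload := []byte(`{"user":"user","password":"password"}`)
	for _, k := range []string{"password", "missing"} {
		v, err := extractKey(payload, k)
		if err != nil {
			fmt.Printf("%s: error: %v\n", k, err)
			continue
		}
		// Print only the length; secret values should not reach stdout or logs.
		fmt.Printf("%s: %d bytes would be written\n", k, len(v))
	}
}
```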

@pragativ-splunk

pragativ-splunk commented Jul 18, 2024

Any traction on a solution for this issue? We are trying to use something similar but are unable to parse JSON credentials through CSI.

@RuiSMagalhaes

No news, @vitordeap?
