-
Notifications
You must be signed in to change notification settings - Fork 663
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sprig support in templates #1193
Comments
Hi @n9! Sealed Secrets was initially conceived to safely store passwords or keys as part of your regular gitops flow. The repo for a project setup or its deployment setup refers to the secrets to be used to get access to some resource, in a way that such secret is only legible by the intended Kubernetes cluster to enjoy access to the resource the secret protects. Key derivation and hashing functions are usually intended on the other side of the access equation: Verification. You store a derivation of the actual secret that the user or agent must posses to get access. That way, if your authentication database is leaked, the actual secrets are not leaked with it. Attackers will still need to brute force the derivation algorithm to get possible password candidates that produce the derivation result hash. So again. Given that Sealed Secrets is designed to store and distribute keys to get access rather than verify access. What would be the use cases of key derivation on this context? |
@josvazg For instance, harbor is composed from multiple components. The UC is following:
You may want to have one place where the password is stored and just derive the htpasswd from it. And not to have two places where the password (e.g. in SS) and the hash of the same password (e.g. in CM) is stored. Disclaimer: I have switched to the external secrets for this case, I do not need this feature. |
This fixes bitnami-labs#1534 and bitnami-labs#1193. Signed-off-by: Jeremy Fleischman <[email protected]>
This fixes bitnami-labs#1534 and bitnami-labs#1193. Signed-off-by: Jeremy Fleischman <[email protected]>
This fixes bitnami-labs#1534 and bitnami-labs#1193. Signed-off-by: Jeremy Fleischman <[email protected]>
This fixes bitnami-labs#1534 and bitnami-labs#1193. Signed-off-by: Jeremy Fleischman <[email protected]>
Which component:
Controller.
Is your feature request related to a problem? Please describe.
Derive password hash (bcrypt) from password (e.g. for htpasswd).
Describe the solution you'd like
Add sprig functions to templates.
Describe alternatives you've considered
I do not know any alternatives in sealed-secrets. An alternative could be to use external-secrets (https://github.com/external-secrets/external-secrets/blob/d605a5b450abb8072090ef115396f8b618aec2ec/pkg/template/v2/template.go#L138).
Additional context
No.
The text was updated successfully, but these errors were encountered: