
I have a secretsProviderClass resource defined for my Azure Kubernetes Service deployment, which allows me to create secrets from Azure Key Vault. I'd like to use Kustomize with it in order to unify my deployments across multiple environments. Here is my manifest:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  secretObjects:
  - data:
    - key: dbuser
      objectName: db-user
    - key: dbpassword
      objectName: db-pass
    - key: admin
      objectName: admin-user
    - key: adminpass
      objectName: admin-password
    secretName: secret
    type: Opaque
  parameters:
    usePodIdentity: "true"
    keyvaultName: "dev-keyvault"
    cloudName: ""
    objects:  |
      array:
        - |
          objectName: db-user
          objectType: secret
          objectVersion: ""
        - |
          objectName: db-pass
          objectType: secret
          objectVersion: ""
        - |
          objectName: admin-user
          objectType: secret
          objectVersion: ""
        - |
          objectName: admin-password
          objectType: secret
          objectVersion: ""
    tenantId: "XXXXXXXXXXXX"

This is the manifest that I use as a base. I'd like to use an overlay on this and apply values depending on the environment that I am deploying to. To be specific, I'd like to modify the objectName property. I tried applying the Json6902 patch:

- op: replace
  path: /spec/parameters/objects/array/0/objectName
  value: "dev-db-user"

- op: replace
  path: /spec/parameters/objects/array/1/objectName
  value: "dev-db-password"

- op: replace
  path: /spec/parameters/objects/array/2/objectName
  value: "dev-admin-user"

- op: replace
  path: /spec/parameters/objects/array/3/objectName
  value: "dev-admin-password"

Unfortunately, it's not working and it is not replacing the values. Is it possible with Kustomize?

dywan666

1 Answer


Unfortunately, the value that you're trying to access is not another nested YAML array. The pipe symbol at the end of a line in YAML signifies that any indented text that follows should be interpreted as a multi-line scalar value.

With Kustomize you'd probably need to replace the whole /spec/parameters/objects value.

If you haven't started using Kustomize for good yet, you may consider a templating engine like Helm instead, which should allow you to replace a value inside of this string.

...or you can use a combination of Helm for templating and Kustomize for resource management, patches for specific configuration, and overlays.

mehowthe
Thanks, I've started out with Kustomize as I didn't think that I would need a keyvault integration. With that in mind, it sure looks like Helm would be the way to go for me, I hoped that maybe a simpler thing like Kustomize would suffice but I can't run from Helm. Thank you for confirming my doubts! – dywan666 Aug 31 '21 at 12:35
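An added example, not part of the original answer: a dev overlay that replaces the whole `/spec/parameters/objects` string, as the answer suggests, using the object names from the question's patch. The file path and the `../../base` layout are assumptions. The `secretObjects` entries are patched too, because the CSI driver matches their `objectName` against the names listed in `objects`.

```yaml
# overlays/dev/kustomization.yaml (path and ../../base layout are assumptions)
# "objects" is a single block-scalar string, so the first op replaces it whole.
# "secretObjects" is real YAML, so the index-based paths below do resolve.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - target:
      group: secrets-store.csi.x-k8s.io
      version: v1alpha1
      kind: SecretProviderClass
      name: azure-kvname
    patch: |-
      - op: replace
        path: /spec/parameters/objects
        value: |
          array:
            - |
              objectName: dev-db-user
              objectType: secret
              objectVersion: ""
            - |
              objectName: dev-db-password
              objectType: secret
              objectVersion: ""
            - |
              objectName: dev-admin-user
              objectType: secret
              objectVersion: ""
            - |
              objectName: dev-admin-password
              objectType: secret
              objectVersion: ""
      - op: replace
        path: /spec/secretObjects/0/data/0/objectName
        value: dev-db-user
      - op: replace
        path: /spec/secretObjects/0/data/1/objectName
        value: dev-db-password
      - op: replace
        path: /spec/secretObjects/0/data/2/objectName
        value: dev-admin-user
      - op: replace
        path: /spec/secretObjects/0/data/3/objectName
        value: dev-admin-password
```

Rendering the overlay with `kustomize build` before applying it shows whether the `objects` string and the `secretObjects` names still agree.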