GoogleCloudPlatform/berglas

Support rich JSON secrets

stpierre opened this issue · 0 comments

A pattern I've found useful in the past is to store multiple data as JSON within a single secret. For instance, if an integration requires a username and password, store both:

% gcloud secrets versions access 1 --secret=my-rich-secret
{"username":"stpierre","password":"hunter2"}

This:

  • Reduces storage and access costs (which are per-secret, not per-byte)
  • Allows atomic changes to complex data
  • Ensures that related data is stored together

Storing the username locally and only storing the password as a secret reduces cost, but it means that you can't guarantee that the username and password get changed atomically, and half of the credentials are stored in one place and the other half in another place. These concerns become heightened when working with integrations that require more than two credentials, or when using multiple independent sets of credentials for seamless password rotations.

To support this flow in berglas, currently (AIUI) you have to postprocess the environment variables that berglas populates, which isn't tenable with third-party container workloads. I would propose to add a path option to the sm:// reference syntax that accepts a JMESPath expression, so that in a ConfigMap you could do, for instance:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-cm
data:
  MY_USERNAME: "sm://my-proj-123456/my-rich-secret?path=username"
  MY_PASSWORD: "sm://my-proj-123456/my-rich-secret?path=password"

I'm happy to contribute the code for this feature, but wanted to first check to see if this feature would be accepted (or, better yet, if there's already a way to do this that I'm overlooking).
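The reference-with-path flow proposed above, worked through as an added example (this is not berglas code and not the issue author's implementation). It assumes the `?path=` query syntax exactly as proposed in the issue, stands in for Secret Manager with a constructed in-memory `FakeFetch`, and resolves only a dotted-key subset of JMESPath (`db.port`, no filters, wildcards or functions), which is an assumption made to keep the example dependency-free; the names `ParseReference`, `ResolvePath`, `Render` and `Resolve` are hypothetical. The point worth noticing for deployment is the failure behaviour: a reference that asks for a path into a secret that is not JSON, or into a key that does not exist, returns an error rather than quietly putting the whole raw payload (or an empty string) into the environment variable.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Reference is the parsed form of "sm://PROJECT/SECRET[?path=EXPR]",
// i.e. the existing sm:// syntax plus the path option proposed in the issue.
type Reference struct {
	Project string
	Secret  string
	Path    string // empty means "use the whole payload"
}

// ParseReference splits an sm:// reference into project, secret and path.
func ParseReference(ref string) (Reference, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return Reference{}, err
	}
	if u.Scheme != "sm" {
		return Reference{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	secret := strings.Trim(u.Path, "/")
	if u.Host == "" || secret == "" {
		return Reference{}, errors.New("reference must look like sm://PROJECT/SECRET")
	}
	return Reference{Project: u.Host, Secret: secret, Path: u.Query().Get("path")}, nil
}

// ResolvePath walks a dotted key path through decoded JSON. This is a
// deliberate subset of JMESPath (assumption for the example): identifiers
// separated by dots only. Missing keys and non-object intermediates are errors.
func ResolvePath(doc interface{}, path string) (interface{}, error) {
	cur := doc
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("path %q: cannot index non-object at %q", path, key)
		}
		next, found := obj[key]
		if !found {
			return nil, fmt.Errorf("path %q: key %q not found", path, key)
		}
		cur = next
	}
	return cur, nil
}

// Render turns the selected JSON value into the string placed in the
// environment variable: strings verbatim, anything else as compact JSON so
// numbers and nested objects stay usable downstream.
func Render(v interface{}) (string, error) {
	if s, ok := v.(string); ok {
		return s, nil
	}
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// Resolve fetches the secret via fetch and applies the reference's path, if any.
// A path on a non-JSON payload fails closed instead of leaking the raw secret.
func Resolve(ref string, fetch func(project, secret string) ([]byte, error)) (string, error) {
	r, err := ParseReference(ref)
	if err != nil {
		return "", err
	}
	raw, err := fetch(r.Project, r.Secret)
	if err != nil {
		return "", err
	}
	if r.Path == "" {
		return string(raw), nil
	}
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", fmt.Errorf("secret %s is not JSON but path %q was requested: %w", r.Secret, r.Path, err)
	}
	v, err := ResolvePath(doc, r.Path)
	if err != nil {
		return "", err
	}
	return Render(v)
}

// fakeStore is a constructed stand-in for Secret Manager; values are sample data.
var fakeStore = map[string][]byte{
	"my-proj-123456/my-rich-secret": []byte(`{"username":"stpierre","password":"hunter2","db":{"host":"db.internal","port":5432}}`),
	"my-proj-123456/plain-token":    []byte("tok_plain"),
}

// FakeFetch returns the latest payload for project/secret from fakeStore.
func FakeFetch(project, secret string) ([]byte, error) {
	b, ok := fakeStore[project+"/"+secret]
	if !ok {
		return nil, fmt.Errorf("secret %s/%s not found", project, secret)
	}
	return b, nil
}

func main() {
	for _, ref := range []string{
		"sm://my-proj-123456/my-rich-secret?path=username",
		"sm://my-proj-123456/my-rich-secret?path=db.port",
		"sm://my-proj-123456/plain-token",
		"sm://my-proj-123456/plain-token?path=username", // non-JSON payload: error
	} {
		v, err := Resolve(ref, FakeFetch)
		fmt.Printf("%s -> %q err=%v\n", ref, v, err)
	}
}
```

Each ConfigMap value from the proposal (`sm://my-proj-123456/my-rich-secret?path=username`) resolves to one field while a reference without `path` keeps today's whole-payload behaviour, so existing references are unaffected.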