Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sprig support in templates #1193

Open
n9 opened this issue Apr 19, 2023 · 2 comments
Open

Sprig support in templates #1193

n9 opened this issue Apr 19, 2023 · 2 comments
Labels
help wanted Feature requests approved by maintainers that are not included in the project roadmap

Comments

@n9
Copy link

n9 commented Apr 19, 2023

Which component:
Controller.

Is your feature request related to a problem? Please describe.
Derive password hash (bcrypt) from password (e.g. for htpasswd).

Describe the solution you'd like
Add sprig functions to templates.

Describe alternatives you've considered
I do not know any alternatives in sealed-secrets. An alternative could be to use external-secrets (https://github.com/external-secrets/external-secrets/blob/d605a5b450abb8072090ef115396f8b618aec2ec/pkg/template/v2/template.go#L138).

Additional context
No.
@n9 n9 added the triage Issues/PRs that need to be reviewed label Apr 19, 2023
@josvazg
Copy link
Collaborator

josvazg commented Apr 24, 2023
edited

Hi @n9!
Thanks a lot for your issue. We would like to understand better what use cases this sprig support will cover.

Sealed Secrets was initially conceived to safely store passwords or keys as part of your regular gitops flow.

The repo for a project setup or its deployment setup refers to the secrets to be used to get access to some resource, in a way that such secret is only legible by the intended Kubernetes cluster to enjoy access to the resource the secret protects.

Key derivation and hashing functions are usually intended on the other side of the access equation: Verification.

You store a derivation of the actual secret that the user or agent must posses to get access. That way, if your authentication database is leaked, the actual secrets are not leaked with it. Attackers will still need to brute force the derivation algorithm to get possible password candidates that produce the derivation result hash.

So again. Given that Sealed Secrets is designed to store and distribute keys to get access rather than verify access.

What would be the use cases of key derivation on this context?

@n9
Copy link
Author

n9 commented Apr 24, 2023

@josvazg For instance, harbor is composed from multiple components. The UC is following:

  • core component needs a user name and password for a registry (another component)
  • registry needs to the same in the htpasswd format (the user name + hash of the password)

You may want to have one place where the password is stored and just derive the htpasswd from it. And not to have two places where the password (e.g. in SS) and the hash of the same password (e.g. in CM) is stored.

Disclaimer: I have switched to the external secrets for this case, I do not need this feature.

@agarcia-oss agarcia-oss added help wanted Feature requests approved by maintainers that are not included in the project roadmap backlog Issues/PRs that will be included in the project roadmap and removed triage Issues/PRs that need to be reviewed backlog Issues/PRs that will be included in the project roadmap labels May 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Feature requests approved by maintainers that are not included in the project roadmap
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@josvazg @agarcia-oss @n9