This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

Maintenance of Kubernetes External Secrets #423

Closed
Flydiverny opened this issue Jul 7, 2020 · 8 comments
Labels
help wanted Extra attention is needed question Further information is requested Stale

Comments

@Flydiverny
Member

Flydiverny commented Jul 7, 2020

There's now a slack #external-secrets in the kubernetes slack workspace!


KES usage is slowly growing larger and larger, and with the growing list of contributed backends the list of challenges also increases, with more and more backends requiring more and more various services for validation and testing, which we currently don't have at our disposal.

I'd say we are also currently somewhat lacking on the maintainer side. I for one don't have that much time to put in, but try to pitch in some time every now and then. Maintainers from GoDaddy seem to go up and down, while not that much lately.

We discussed a little if there are better ways to maintain the project, for example can we refactor the architecture to allow backends to be provided in a more plug-and-play fashion by the consumer?
One example of this would be running the KES operator with just the core mechanics (i.e. reading ExternalSecrets and calling the right backend) and having backend implementations provided by other containers, perhaps run as sidecars providing an API to fetch secret data for a given key, or as separate deployments. This way backends could be maintained or provided by other people than the KES core.

Challenges:

  • Multiple cloud services
  • Multiple backends to maintain and test
  • Few maintainers?

I'd like to hear if there are any smart suggestions out there 🙃

@Flydiverny Flydiverny added help wanted Extra attention is needed question Further information is requested labels Jul 7, 2020
@Flydiverny Flydiverny pinned this issue Jul 7, 2020
@Flydiverny
Member Author

This is something I wrote a while back but didn't get to post before.
Guess one can add that there are some features people would like to see as well, but we don't really have anyone actively working on resolving those requests or needs.

There have been some suggestions to build community which might help regarding maintenance, like trying to start a Slack community (#388) or so.

Ping @silasbw @JacopoDaeli @keweilu @jeffpearce

@dirtycajunrice

@Flydiverny there are a few of us who would love to rewrite this in golang so that all 3 points of the triangle use the same language.

@Flydiverny
Member Author

@dirtycajunrice A Go rewrite could definitely be interesting, and probably valuable to get more contributions from the Kubernetes community in general.

I did a test converting it to TypeScript (in a fork flydiverny-stuff#1) to allow for some better code standard (minimal effort conversion from JS).
I know @silasbw would also be interested in seeing it in either TS or Go.

Personally I'm a Go newbie so not sure how much help I could be in that work 😄 But I'm up for learning

@dirtycajunrice

dirtycajunrice commented Aug 20, 2020

@Flydiverny My coworker has solo started on it out of interest of a few things and it is living here https://github.com/itscontained/secret-manager
For the sake of quick iteration, approval flow, etc. it now lives in the itscontained org. We would love collaboration! Some of the huge benefits of a golang base are the features we get talking to the kube API. I am extremely excited that you are interested in this and have passed that knowledge along. I will join the Slack above if you are in it so we can chat further and not bog up this issue :D

@moolen
Member

moolen commented Sep 2, 2020

@dirtycajunrice we're trying to standardize the CRD spec in #47 (comment) - please take a look if you have time, maybe you have some input on it.
I looked at itscontained/secret-manager, this looks like a good foundation to create a proof of concept with a new CRD spec. Do you have any plans or requirements in regard to supporting the current api spec long-term? Is the itscontained org related to any business?

@dirtycajunrice

@moolen Replied there :)

@github-actions

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the Stale label Jan 29, 2021
@github-actions

github-actions bot commented Mar 1, 2021

This issue was closed because it has been stalled for 30 days with no activity.

@github-actions github-actions bot closed this as completed Mar 1, 2021