Container Runner Secrets

In our K8s environment we are already using the External Secrets Operator with other services to read secrets from a secure vault, and we were planning to do this with container runners as well. If I’m reading the docs correctly, though, it doesn’t look like this is possible. According to the docs the agent.customSecret field requires the secret value to be a key-value map. Is it possible to update the Helm chart to support the use case where the pre-existing, custom secret is just the singular value to use for that particular resource class? Instead of resourceClass.token this could possibly be resourceClass.tokenSecret.

Hi @jschwanz

Can you give more information about your setup? Where are your secrets stored, etc?

Based on the diagram here: Overview - External Secrets Operator, it should work. Particularly the “…provides a “Bucket” of k/v pairs” from the diagram.

agent.customSecret should be the key of the external secret, and the secrets store bucket should have an entry where the key is the resource class name and the value is the resource class token.
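The arrangement described in the reply above, sketched as an added example that is not part of the original posts or the chart's own documentation. The store name, secret name, namespace, vault path and the `v1beta1` API version are assumptions, and `agent.customSecret` is read here as the name of the Kubernetes Secret that the operator creates.

```yaml
# Added example. All names below are assumed placeholders, not values from the thread.
# The ExternalSecret copies every key/value pair of one vault entry into a single
# Kubernetes Secret, so the Secret ends up as the key-value map the chart expects:
# one key per resource class, with that resource class's token as the value.
apiVersion: external-secrets.io/v1beta1   # depends on the installed operator version
kind: ExternalSecret
metadata:
  name: container-agent-tokens            # assumed name
  namespace: circleci                     # assumed namespace of the container agent
spec:
  refreshInterval: 1h                     # how often the operator re-reads the vault
  secretStoreRef:
    kind: SecretStore
    name: my-vault-store                  # assumed: an existing SecretStore
  target:
    name: container-agent-tokens          # Kubernetes Secret the operator creates
    creationPolicy: Owner
  dataFrom:
    - extract:
        key: ci/container-agent           # assumed vault path holding the k/v "bucket"
                                          #   <resource class name>: <resource class token>
# Helm values for the container agent chart then point at that Secret and
# leave the tokens out of values.yaml entirely:
#
#   agent:
#     customSecret: container-agent-tokens
```

With `dataFrom.extract`, adding a resource class means adding one more key/value pair to the vault entry; the manifest itself does not change.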

I may have misread/misunderstood the docs. When I get an opening I’ll need to go back and look at this again.