Description
Which component:
controller
Is your feature request related to a problem? Please describe.
I would like to selectively omit encryptedData keys from the final secret when those keys are only needed as inputs to templates.
Describe the solution you'd like
Set the matching key to null in spec.template.data to indicate it should be omitted from the final secret.
Describe alternatives you've considered
- Adding an additional field to the spec with a list of keys to omit (or include?).
- Adding an all-or-nothing field to include or exclude the entirety of encryptedData in the final secret.
Additional context
The motivating use case is a tool that expects a directory of configuration files, where some, but not all, of the fields in those files are sensitive. The tool in question will refuse to run if a file in that directory cannot be parsed.
The ideal case is to use a SealedSecret with templates to encrypt only the sensitive data, leave the rest of the configuration in plaintext, and mount the resulting secret as a directory in a pod. Currently, this results in the individual sensitive fields being interpreted as configuration files and being rejected. This feature would permit this use case by omitting each of the encrypted fields from the final secret.
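The situation described in this issue, written out as an added example (not from the issue author or the sealed-secrets project). The resource names, the config file contents and the ciphertext placeholder are constructed, and the second document shows the syntax this issue proposes, not existing controller behaviour.

```yaml
# Document 1: a SealedSecret as it can be written today.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: tool-config          # constructed name
  namespace: default
spec:
  encryptedData:
    # Sensitive field, needed only as an input to the template below.
    db_password: <SEALED_VALUE_PLACEHOLDER>
  template:
    data:
      # Mostly plaintext configuration; only the password is encrypted.
      database.yaml: |
        host: db.example.internal
        port: 5432
        password: {{ index . "db_password" }}
# Keys in the resulting Secret today:
#   database.yaml   (rendered template, parseable by the tool)
#   db_password     (raw decrypted value, also present in the Secret)
# Mounted as a directory, both keys become files, and the tool
# rejects the directory because "db_password" is not a valid config file.
---
# Document 2: the same resource with the change proposed in this issue.
# Assumption: a null value in spec.template.data means "omit this key".
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: tool-config
  namespace: default
spec:
  encryptedData:
    db_password: <SEALED_VALUE_PLACEHOLDER>
  template:
    data:
      database.yaml: |
        host: db.example.internal
        port: 5432
        password: {{ index . "db_password" }}
      db_password: null      # proposed: drop this key from the final Secret
# Keys in the resulting Secret under the proposal:
#   database.yaml   (only the rendered file is mounted)
```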