Description
Is your feature request related to a problem? Please describe.
In argocd-vault-plugin, I was able to reference multiple Vault secret paths inline to populate a single Kubernetes Secret. For example:
```yaml
stringData:
  db-user: <path:apps/data/infrastructure/oracle/db1/schema1#db-user>
  db-password: <path:apps/data/infrastructure/oracle/db1/schema1#db-password>
  token: <path:apps/data/applications/app1#token>
```
Now that I’m migrating to Vault Secrets Operator, each VaultStaticSecret only maps to a single Vault path, which creates a separate Kubernetes Secret. I’d like to aggregate multiple Vault paths into one logical Kubernetes Secret for downstream applications that expect a unified secret.
Describe the solution you'd like
I'd like support for referencing multiple Vault paths in a single VaultStaticSecret, or a native way to merge multiple secrets into a single Kubernetes Secret. Ideally, this would look something like:
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: aggregated-secret
spec:
  paths:
    - mount: apps
      path: infrastructure/oracle/db1/schema1
    - mount: apps
      path: applications/app1
  destination:
    name: combined-secret
    create: true
    overwrite: true
```
This would allow multiple key-value pairs from different Vault KV paths to be combined into a single Kubernetes Secret, enabling more flexible composition with only the specific values required by the application or service.
It also promotes better management of secrets by reducing duplication in Vault and encouraging the grouping of related values into a single HashiCorp Vault secret.
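The mapping between the inline references above and the mount/path pairs in the proposed spec, as an added example (not argocd-vault-plugin or Vault Secrets Operator code): it parses the issue's placeholders, groups them by source path, and builds the unified key set from a constructed in-memory stand-in for Vault, copying only the referenced keys. It assumes KV v2 paths of the form `mount/data/path`; the function names and sample values are hypothetical.

```python
import re

# argocd-vault-plugin inline reference as shown in the issue: <path:MOUNT/data/PATH#KEY>
# Assumption: KV v2, where the first segment is the mount and the second is "data".
PLACEHOLDER = re.compile(r"^<path:(?P<mount>[^/#<>]+)/data/(?P<path>[^#<>]+)#(?P<key>[^#<>]+)>$")


def parse_placeholder(value):
    """Split one inline reference into (mount, path, key); reject anything else."""
    m = PLACEHOLDER.match(value.strip())
    if m is None:
        raise ValueError(f"not a KV v2 path placeholder: {value!r}")
    return m["mount"], m["path"], m["key"]


def group_by_source(string_data):
    """Map each (mount, path) to the {destination key: Vault key} pairs it must supply."""
    sources = {}
    for dest_key, value in string_data.items():
        mount, path, key = parse_placeholder(value)
        sources.setdefault((mount, path), {})[dest_key] = key
    return sources


def merge(string_data, kv_store):
    """Build the unified stringData; a missing path or key raises (no partial Secret)."""
    merged = {}
    for (mount, path), wanted in group_by_source(string_data).items():
        if (mount, path) not in kv_store:
            raise KeyError(f"no secret at {mount}/{path}")
        secret = kv_store[(mount, path)]
        for dest_key, key in wanted.items():
            if key not in secret:
                raise KeyError(f"{mount}/{path} has no key {key!r}")
            merged[dest_key] = secret[key]  # unreferenced keys are never copied
    return merged

# The stringData block from the issue.
ISSUE_STRING_DATA = {
    "db-user": "<path:apps/data/infrastructure/oracle/db1/schema1#db-user>",
    "db-password": "<path:apps/data/infrastructure/oracle/db1/schema1#db-password>",
    "token": "<path:apps/data/applications/app1#token>",
}
# Constructed stand-in for Vault KV data; values are dummies.
SAMPLE_KV = {
    ("apps", "infrastructure/oracle/db1/schema1"): {"db-user": "u", "db-password": "p", "unused": "x"},
    ("apps", "applications/app1"): {"token": "t", "other": "y"},
}
```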