github.com/h0n9/cloud-secrets-manager

Release v0.0.11

A tool to inject cloud-based secrets into Kubernetes pods

Homepage Go Go Documentation

Keywords
aws, cloud, devops, gcp, injector, kubernetes, secrets
Install
go get github.com/h0n9/cloud-secrets-manager

Documentation

Cloud Secrets Manager 🌤🔐🐳

This simple yet powerful tool Cloud Secrets Manager aims to simplify the way to inject secrets strored on Cloud-based secrets managers into Kubernetes Pods, functioning as HashiCorp Vault's Agent Sidecar Injector.

Cloud Providers

Currently Supported

TO-BE Supported

Concept

Constitution

  • cloud-secrets-controller
  • cloud-secrets-injector

Step-by-step

  1. cloud-secrets-controller watches incoming /mutate, /validate webhooks from Kubernetes API server.
  2. When pods are created or updated in a namespace labeled with cloud-secrets-injector: true, Kubernetes API server sends requests to cloud-secrets-controller webhook server.
  3. cloud-secrets-controller mutates the pod's manifests by injecting an init container cloud-secrets-injector into the pod and mounting a temporary directory as a volume on the init and origin containers.
  4. When it comes to initializing the pods, the init container cloud-secrets-injector requests secret values, with a secret key id, from secret providers and stores them in the temporary directory.
  5. Once cloud-secrets-injector has successfully completed its role, the origin container starts running as defined on the manifest.

Installation

Prerequisites

  • Kubernetes Cluster
  • kubectl
  • helm

Using Helm chart

kubectl create namespaces cloud-secrets-manager
helm repo add h0n9 https://h0n9.github.io/helm-charts
helm upgrade --install -n cloud-secrets-manager cloud-secrets-manager h0n9/cloud-secrets-manager

You can check out the official Helm chart repository h0n9/helm-charts.

By pressing the ⭐️ Star button above, be the first to get notified of launch of other new charts.

Usage

Annotations

The following annotatins are required to inject cloud-secrets-injector into pods:

Key Required
cloud-secrets-manager.h0n9.postie.chat/provider true
cloud-secrets-manager.h0n9.postie.chat/secret-id true
cloud-secrets-manager.h0n9.postie.chat/template true
cloud-secrets-manager.h0n9.postie.chat/output true
cloud-secrets-manager.h0n9.postie.chat/injected false

Please refer the following example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
  namespace: testbed
spec:
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
      annotations:
        cloud-secrets-manager.h0n9.postie.chat/provider: aws
        cloud-secrets-manager.h0n9.postie.chat/secret-id: dev/test
        cloud-secrets-manager.h0n9.postie.chat/template: |
          {{ range $k, $v := . }}export {{ $k }}={{ $v }}
          {{ end }}
        cloud-secrets-manager.h0n9.postie.chat/output: /secrets/env
    spec:
      containers:
      - name: busybox
        image: busybox:1.34.1
        command:
          - /bin/sh
          - -c
          - cat /secrets/env && sleep 3600

Environment variables

AWS

Name Default Required
AWS_ACCESS_KEY_ID false
AWS_SECRET_ACCESS_KEY false

Please don't forget to pass credentials, referring to Specifying Credentials page.

Stats

Dependencies
76
Dependent packages
0
Dependent repositories
0
Total releases
9
Latest release
First release
Stars
6
Forks
0
Watchers
1
Contributors
1
Repository size
206 KB
SourceRank
6

Releases

v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3

Contributors

Jaehong Ahn


See all contributors

Login to resync this project