Giters

HighwayofLife / ClusterSecret

Kubernetes ClusterSecret operator.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

ClusterSecret

Introduce Kubernetes ClusterSecret

Global inter-namespace cluster secrets - Secrets that work across namespaces

apiVersion: clustersecret.io/v1
metadata:
  name: default-wildcard-certifiate
matchNamespace:
  - prefix_ns-*
  - anothernamespace
avoidNamespaces:
  - supersecret-ns
data:
  tls.crt: BASE64
  tls.key: BASE64

ClusterSecret operator makes sure all the matching namespaces have the secret available. New namespaces, if they match the pattern, will also have the secret. Any change on the ClusterSecret will update all related secrets. Deleting the ClusterSecret deletes "child" secrets (all cloned secrets) too.

Use it for certificates, registry pulling credentials and so on.

Use case.

when you need a secret in more than one namespace. you need to get the secret from the origin namespace, edit the the secret with the new namespace and create the new one. This could be done with one command:

kubectl get secret <secret-name> -n <source-namespace> -o yaml \
| sed s/"namespace: <source-namespace>"/"namespace: <destination-namespace>"/\
| kubectl apply -n <destination-namespace> -f -

But if you want to automate the cloning of secrets into a set of namespaces (a regex pattern). ClusterSecret is the way to go.

installation

tl;dr

kubectl apply -f ./yaml

step by step

To instal ClusterSecret operator we need to create (in this order):

  • RBAC resources (avoid if you are not running RBAC) to allow the operator to create/update/patch secrets: yaml/00_
  • Custom resource definition for the ClusterSecret resource: yaml/01_crd.yaml
  • The ClusterSecret operator itself: yaml/02_deployment.yaml

quick start:

create a ClusterSecret object yaml like the one above, or in the example in yaml/Object_example/obj.yaml and apply it in your cluster kubectl apply -f yaml/Object_example/obj.yaml

The ClusterSecret operator will pick it up and will create the secret in every matching namespace: match matchNamespace but not matching avoidNamespaces RegExp's.

You can specify multiple matching or non-matching RegExp. By default it will match all, same as defining matchNamespace = *

Minimal example

apiVersion: clustersecret.io/v1
kind: ClusterSecret
metadata:
  name: global-secret
data:
  username: MTIzNDU2Cg==
  password: Nzg5MTAxMTIxMgo=

Debugging.

Overwirte deployment entrypoint (Kubernetes command) from kopf run /src/handlers.py to kopf run /src/handlers.py --verbose

NOTE: in debug mode object data (the secret) are sent to stdout, potentially logs are being collected by Loki / Elasticsearch or any log management platform -> Not for production!.

Roadmap:

  • implement source to specify a source secret to sync instead of data field. (zakkg3#3)
  • set type of secret (ie tls)
  • set annotations and labels

About

Kubernetes ClusterSecret operator.

Languages

Language:Python 83.9%Language:Makefile 13.6%Language:Dockerfile 2.5%