GitHub - godaddy/kubernetes-external-secrets: Kubernetes External Secrets
source link: https://github.com/godaddy/kubernetes-external-secrets
README.md
Kubernetes External Secrets
Kubernetes External Secrets allows you to use external secret management systems (e.g., AWS Secrets Manager) to securely add secrets in Kubernetes. Read more about the design and motivation for Kubernetes External Secrets on the GoDaddy Engineering Blog.
How it works
The project extends the Kubernetes API by adding an ExternalSecret object using a Custom Resource Definition, and a controller to implement the behavior of the object itself.
An ExternalSecret declares how to fetch the secret data, while the controller converts all ExternalSecrets to Secrets.
The conversion is completely transparent to Pods, which can access the resulting Secrets normally.
System architecture
1. ExternalSecrets are added in the cluster (e.g., kubectl apply -f external-secret-example.yml)
2. Controller fetches ExternalSecrets using the Kubernetes API
3. Controller uses ExternalSecrets to fetch secret data from external providers (e.g., AWS Secrets Manager)
4. Controller upserts Secrets
5. Pods can access Secrets normally
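The loop above, written out as an added JavaScript example (the controller is a Node.js project, but this is not the project's code). The Kubernetes Secrets API and AWS Secrets Manager are replaced by constructed in-memory stand-ins so it runs offline, only "Plaintext" backend values are handled, and the rule that a failed backend fetch leaves the existing Secret untouched is an assumption about sensible behaviour, not a description of the real controller:

```javascript
// Added example, not the project's code: one pass of the controller loop
// sketched above, with the Kubernetes Secrets API and AWS Secrets Manager
// replaced by in-memory stand-ins so it runs offline. Only "Plaintext"
// backend values are handled here.

// Constructed stand-in for AWS Secrets Manager: secret name -> SecretString.
const backendStore = new Map([['hello-service/password', '1234']]);

function fetchFromBackend(key) {
  if (!backendStore.has(key)) throw new Error(`ResourceNotFoundException: ${key}`);
  return backendStore.get(key);
}

// Constructed stand-in for the Secrets API of one namespace.
class SecretsApi {
  constructor() {
    this.secrets = new Map();
    this.writes = 0;
  }
  get(name) {
    return this.secrets.get(name);
  }
  // Upsert: create when absent, update only when the data differs, so a
  // healthy loop is idempotent and does not churn the API on every poll.
  upsert(secret) {
    const name = secret.metadata.name;
    const existing = this.secrets.get(name);
    if (existing && JSON.stringify(existing.data) === JSON.stringify(secret.data)) {
      return 'unchanged';
    }
    this.secrets.set(name, secret);
    this.writes += 1;
    return existing ? 'updated' : 'created';
  }
}

// Steps 3 and 4: fetch each key and build the Secret manifest. Values are
// base64-encoded because that is what Secret.data expects; this is an
// encoding, not encryption.
function toSecret(externalSecret, fetch) {
  const data = {};
  for (const { key, name } of externalSecret.secretDescriptor.data) {
    data[name] = Buffer.from(fetch(key), 'utf8').toString('base64');
  }
  return {
    apiVersion: 'v1',
    kind: 'Secret',
    metadata: { name: externalSecret.metadata.name },
    type: 'Opaque',
    data,
  };
}

// Step 2 onward for every ExternalSecret the loop was given. A backend
// failure for one ExternalSecret is reported and leaves its existing Secret
// untouched; the others are still processed. (Assumed behaviour, not a
// statement about the project's implementation.)
function reconcile(externalSecrets, api, fetch = fetchFromBackend) {
  const results = {};
  for (const es of externalSecrets) {
    const name = es.metadata.name;
    try {
      results[name] = api.upsert(toSecret(es, fetch));
    } catch (err) {
      results[name] = `error: ${err.message}`;
    }
  }
  return results;
}

// Constructed ExternalSecrets: the README's hello-service, and one whose
// backend key does not exist.
const helloService = {
  apiVersion: 'kubernetes-client.io/v1',
  kind: 'ExternalSecret',
  metadata: { name: 'hello-service' },
  secretDescriptor: {
    backendType: 'secretsManager',
    data: [{ key: 'hello-service/password', name: 'password' }],
  },
};
const brokenService = {
  apiVersion: 'kubernetes-client.io/v1',
  kind: 'ExternalSecret',
  metadata: { name: 'broken-service' },
  secretDescriptor: {
    backendType: 'secretsManager',
    data: [{ key: 'broken-service/password', name: 'password' }],
  },
};

const demoApi = new SecretsApi();
console.log(reconcile([helloService, brokenService], demoApi));
console.log(demoApi.get('hello-service'));
```

Running it creates the hello-service Secret with password MTIzNA== (the same value the README shows) and reports an error for broken-service without creating anything for it; a second pass with unchanged backend data reports unchanged and performs no write.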
How to use it
Install
To create the necessary resources and install the controller, run:

```sh
kubectl apply -f https://raw.githubusercontent.com/godaddy/kubernetes-external-secrets/master/external-secrets.yml
```

This creates all the necessary resources and a Deployment in the kubernetes-external-secrets namespace.
Add a secret
Add your secret data to your backend. For example, AWS Secrets Manager:

```sh
aws secretsmanager create-secret --name hello-service/password --secret-string "1234"
```

and then create a hello-service-external-secret.yml file:

```yaml
apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: hello-service
secretDescriptor:
  backendType: secretsManager
  data:
    - key: hello-service/password
      name: password
```
Save the file and run:

```sh
kubectl apply -f hello-service-external-secret.yml
```

Wait a few minutes and verify that the associated Secret has been created:

```sh
kubectl get secret hello-service -o=yaml
```

The Secret created by the controller should look like:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: hello-service
type: Opaque
data:
  password: MTIzNA==
```

Note that MTIzNA== is simply the base64 encoding of 1234: the data in a Secret is encoded, not encrypted, so anyone who can read Secrets in that namespace through the Kubernetes API can recover the value.
Backends
kubernetes-external-secrets supports only AWS Secrets Manager.
AWS Secrets Manager
kubernetes-external-secrets supports both JSON objects ("Secret key/value" in the AWS console) or strings ("Plaintext" in the AWS console). Using JSON objects is useful when you need to atomically update multiple values. For example, when rotating a client certificate and private key.
When writing an ExternalSecret for a JSON object you must specify the properties to use. For example, if we add our hello-service credentials as a single JSON object:
```sh
aws secretsmanager create-secret --region us-west-2 --name hello-service/credentials --secret-string '{"username":"admin","password":"1234"}'
```

We can declare which properties we want from hello-service/credentials:

```yaml
apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: hello-service
secretDescriptor:
  backendType: secretsManager
  data:
    - key: hello-service/credentials
      name: password
      property: password
    - key: hello-service/credentials
      name: username
      property: username
```
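How a secretDescriptor like the one above is resolved into the Secret's data map, as an added JavaScript example that is not the project's code. It covers both the JSON-object case (with property) and the plaintext case, reads each backend secret once per pass so that username and password come from the same version of the JSON object, and rejects the mistakes a practitioner is most likely to make: a property that does not exist, a property requested from a non-JSON secret, two entries with the same name, and a name the API server would refuse as a Secret.data key. The backend is a constructed in-memory stand-in for AWS Secrets Manager, and the validation rules are this example's choices, not the project's:

```javascript
// Added example, not the project's code: resolving a secretDescriptor whose
// entries select properties of one JSON-valued Secrets Manager secret. The
// backend is a constructed in-memory stand-in so the block runs offline.

// Constructed stand-in for AWS Secrets Manager: secret name -> SecretString.
const FAKE_SECRETS_MANAGER = {
  'hello-service/credentials': '{"username":"admin","password":"1234"}',
  'hello-service/password': '1234',
};

function getSecretString(key) {
  if (!Object.prototype.hasOwnProperty.call(FAKE_SECRETS_MANAGER, key)) {
    throw new Error(`ResourceNotFoundException: ${key}`);
  }
  return FAKE_SECRETS_MANAGER[key];
}

// Keys of Secret.data must match this pattern or the API server rejects the Secret.
const SECRET_DATA_KEY = /^[-._a-zA-Z0-9]+$/;

// Pick the value an entry refers to: the whole string for a "Plaintext"
// secret, or one property of a JSON object when `property` is set.
function selectValue(secretString, key, property) {
  if (property === undefined) return secretString;
  let obj;
  try {
    obj = JSON.parse(secretString);
  } catch (e) {
    throw new Error(`${key}: property "${property}" requested but the secret is not JSON`);
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)
      || !Object.prototype.hasOwnProperty.call(obj, property)) {
    throw new Error(`${key}: no property "${property}"`);
  }
  const value = obj[property];
  // Nested values are re-serialised rather than coerced to "[object Object]".
  return typeof value === 'string' ? value : JSON.stringify(value);
}

// Build the base64 `data` map of the Secret from a secretDescriptor.
function resolveDescriptor(secretDescriptor, fetch = getSecretString) {
  if (secretDescriptor.backendType !== 'secretsManager') {
    throw new Error(`unsupported backendType: ${secretDescriptor.backendType}`);
  }
  // Each backend secret is read once per pass, so username and password
  // below come from the same version of the JSON object.
  const fetched = new Map();
  const data = Object.create(null);
  for (const { key, name, property } of secretDescriptor.data) {
    if (typeof name !== 'string' || !SECRET_DATA_KEY.test(name)) {
      throw new Error(`invalid Secret data key: ${JSON.stringify(name)}`);
    }
    if (name in data) throw new Error(`duplicate name: ${name}`);
    if (!fetched.has(key)) fetched.set(key, fetch(key));
    const value = selectValue(fetched.get(key), key, property);
    data[name] = Buffer.from(value, 'utf8').toString('base64');
  }
  return data;
}

// The README's hello-service/credentials secretDescriptor, as a JS object.
const credentialsDescriptor = {
  backendType: 'secretsManager',
  data: [
    { key: 'hello-service/credentials', name: 'password', property: 'password' },
    { key: 'hello-service/credentials', name: 'username', property: 'username' },
  ],
};

console.log(resolveDescriptor(credentialsDescriptor));
```

For the descriptor above this yields password MTIzNA== and username YWRtaW4=, the base64 encodings of 1234 and admin, which is exactly what ends up under data in the generated Secret.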
Development
Minikube is a tool that makes it easy to run a Kubernetes cluster locally.
Start minikube and the daemon. This creates the CustomResourceDefinition and starts processing ExternalSecrets:

```sh
minikube start
npm run nodemon
```