|
1 | | -# kubernetes-external-secrets |
| 1 | +[](https://godaddy-oss-slack.herokuapp.com/) |
2 | 2 |
|
3 | | -💂 Kubernetes external secrets |
| 3 | +# 💂 kubernetes external secrets |
| 4 | + |
| 5 | +Kubernetes external secrets allow you to use external providers (e.g, [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)) to securely add secrets in Kubernetes. |
| 6 | + |
| 7 | +## How it works |
| 8 | + |
| 9 | +The project extends the Kubernetes API by adding a `ExternalSecrets` object using [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) and a controller to implement the behavior of the object itself. |
| 10 | + |
| 11 | +An `ExternalSecret` declares how to fetch the secret data, while the controller converts all `ExternalSecrets` to `Secrets`. |
| 12 | +The conversion is completely transparent to `Pods` that can access `Secrets` normally. |
| 13 | + |
| 14 | +## System architecture |
| 15 | + |
| 16 | + |
| 17 | + |
| 18 | +1. `ExternalSecrets` are added in the cluster (e.g., `kubectly apply -f external-secret-example.yml`) |
| 19 | +1. Controller fetches `ExternalSecrets` using the Kubernetes API |
| 20 | +1. Controller uses `ExternalSecrets` to fetch secret data from external providers (e.g, AWS Secrets Manager) |
| 21 | +1. Controller upsert `Secrets` |
| 22 | +1. `Pods` can access `Secrets` normally |
| 23 | + |
| 24 | +## How to use it |
| 25 | + |
| 26 | +### Install |
| 27 | + |
| 28 | +To create the necessary resource and install the controller run: |
| 29 | + |
| 30 | +```sh |
| 31 | +kubectl apply -f https://raw.githubusercontent.com/godaddy/kubernetes-external-secrets/master/external-secrets.yml |
| 32 | +``` |
| 33 | + |
| 34 | +This create all the necessary resources and a `Deployment` in the `kubernetes-external-secrets` namespace. |
| 35 | + |
| 36 | +### Add a secret |
| 37 | + |
| 38 | +Add secret data in your external provider (e.g., `hello-service/password=1234` in AWS Secrets Manager), then create a `hello-service-external-secret.yml` file: |
| 39 | + |
| 40 | +```yml |
| 41 | +apiVersion: 'kubernetes-client.io/v1' |
| 42 | +kind: ExtrenalSecret |
| 43 | +metadata: |
| 44 | + name: hello-service |
| 45 | +secretDescriptor: |
| 46 | + backendType: secretManager |
| 47 | + properties: |
| 48 | + - key: hello-service/password |
| 49 | + name: password |
| 50 | +``` |
| 51 | +
|
| 52 | +Save the file and run: |
| 53 | +
|
| 54 | +```sh |
| 55 | +kubectl apply -f hello-service-external-secret.yml |
| 56 | +``` |
| 57 | + |
| 58 | +Wait few minutes and verify that the associated `Secret` has been created: |
| 59 | + |
| 60 | +```sh |
| 61 | +kubectl get secret hello-service -o=yaml |
| 62 | +``` |
| 63 | + |
| 64 | +The `Secret` created by the controller should look like: |
| 65 | + |
| 66 | +```yml |
| 67 | +apiVersion: v1 |
| 68 | +kind: Secret |
| 69 | +metadata: |
| 70 | + name: hello-service |
| 71 | +type: Opaque |
| 72 | +data: |
| 73 | + password: MTIzNA== |
| 74 | +``` |
| 75 | +
|
| 76 | +Currently we only support AWS Secrets Manager external provider. |
| 77 | +
|
| 78 | +## Development |
| 79 | +
|
| 80 | +[Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) is a tool that makes it easy to run a Kubernetes cluster locally. |
| 81 | +
|
| 82 | +Start minikube and the daemon. This creates the `CustomerResourceDefinition`, and starts to process `ExternalSecrets`: |
| 83 | + |
| 84 | +```sh |
| 85 | +minikube start |
| 86 | +
|
| 87 | +npm run nodemon |
| 88 | +``` |
0 commit comments