{"id":23286713,"url":"https://github.com/deviceinsight/k8s-secret-provisioner","last_synced_at":"2026-02-25T02:32:04.555Z","repository":{"id":66029505,"uuid":"278066835","full_name":"deviceinsight/k8s-secret-provisioner","owner":"deviceinsight","description":null,"archived":false,"fork":false,"pushed_at":"2025-03-24T11:52:33.000Z","size":67,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":20,"default_branch":"develop","last_synced_at":"2025-08-03T08:41:54.630Z","etag":null,"topics":["helm-chart","k8s","secret-management"],"latest_commit_sha":null,"homepage":"https://deviceinsight.github.io/k8s-secret-provisioner/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/deviceinsight.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-07-08T11:07:04.000Z","updated_at":"2020-09-01T07:45:02.000Z","dependencies_parsed_at":"2025-08-03T08:30:32.579Z","dependency_job_id":"2253b887-48b5-4582-972e-da2d522a6106","html_url":"https://github.com/deviceinsight/k8s-secret-provisioner","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/deviceinsight/k8s-secret-provisioner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deviceinsight%2Fk8s-secret-provisioner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deviceinsight%2Fk8s-secret-provisioner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deviceinsight%2Fk8s-secret-provisioner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deviceinsight%2Fk8s-secret-provisioner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/deviceinsight","download_url":"https://codeload.github.com/deviceinsight/k8s-secret-provisioner/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deviceinsight%2Fk8s-secret-provisioner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29809086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T22:43:48.403Z","status":"online","status_checked_at":"2026-02-25T02:00:07.329Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["helm-chart","k8s","secret-management"],"created_at":"2024-12-20T02:14:09.399Z","updated_at":"2026-02-25T02:32:04.532Z","avatar_url":"https://github.com/deviceinsight.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# k8s-secret-provisioner\n\nSmall application ensuring configured secret data is present in the kubernetes cluster.\nIt will only:\n\n* create non existing secrets\n* add non existing secret keys\n\nMotivation is to use this application together with helm generated random keys, without always modifying already present secrets.\nThis will allow rolling upgrades, since present applications do not need to refresh their secrets.\n\nThe k8s-secret-provisioner also comes with a helm chart, providing a job to be executed as a [helm hook](https://github.com/kubernetes/helm/blob/master/docs/charts_hooks.md).\n\nThe format of the secret values (base64 encoding, private keys, ...) is transparent for the application.\nIt is handled by the helm chart, which provides explicit support for passwords and private keys, using [sprig functions](http://masterminds.github.io/sprig/).\n\n## Using the k8s-secret-provisioner\n\nThe following example demonstrates the use for a service `myservice` that needs a system account at a different service.\n\nThe Helm release name of this example is `demo`.\n\nThe helm chart of the service contains the following `values.yaml`:\n\n\n```yaml\notherService:\n  serviceName: other-service\n  servicePort: 8080\n  systemUser:\n    user: _myservice_user\n    secretName: myservice\n    secretKey: other-service-password\n    system: true\n    authorities:\n      - READ_ASSET\n      - CREATE_ASSET\n      - READ_ASSET_GROUP\n      - READ_ASSET_GROUP_DEFINITION\n```\n\nThese values are used in the `deployment.yaml` to create a deployment descriptor that takes the\nusername and password for the `myservice` to connect to the other service:\n\n```yaml\nkind: Deployment\nspec:\n  template:\n    spec:\n      containers:\n        - name: {{ .Chart.Name }}\n          env:\n            - name: OTHER_SERVICE_URL\n              value: http://{{ .Values.otherService.serviceName }}:{{ .Values.otherService.servicePort }}\n            - name: OTHER_SERVICE_USERNAME\n              value: {{ .Values.otherService.systemUser.user }}\n            - name: OTHER_SERVICE_PASSWORD\n              valueFrom:\n                secretKeyRef:\n                  name: {{ list .Release.Name .Values.otherService.systemUser.secretName  | join \"-\" }}\n                  key: {{ .Values.otherService.systemUser.secretKey }}\n```\n\nNow, the `myservice` uses the K8s secret `demo-myservice` that contains the password in the key `other-service-password`.\n\nThe next step is to configure the k8s-secret-provisioner to automatically create the secret and to configure\nthe other service to provide the system user `_myservice_user` with that password.\n\nThis can be achieved by telling Helm to copy the values to configuration of the k8-secret-provisioner\nand the other service. This is done in the `requirements.yaml` of the Chart that includes all services:\n\n```yaml\ndependencies:\n  - name: myservice\n    version: ${myservice.version}\n    repository: ${myservice.repository}\n    condition: global.myservice.enabled\n    import-values:\n      - child: otherService.systemUser\n        parent: other.other-service.systemUsers.myservice\n      - child: otherService.systemUser\n        parent: other.k8s-secret-provisioner.passwords.myservice\n  - name: other\n    version: ${other.version}\n    repository: ${other.repository}\n```\n\n### Used variables\n\nThe following table shows which values of the configuration are used in the k8s-secret-provisioner\nand in the other service:\n\n| variable | Used in k8s-secret-provisioner | Used in the other service |\n| --- | :---: | :---: |\n| user | | X |\n| secretName | X | X |\n| secretKey | X | X |\n| prefixRelease | X | X |\n| system | | X |\n| authorities | | X |\n\n## Releasing\n\nCreating a new release involves the following steps:\n\n* `mvn gitflow:release-start`\n* Update `CHANGELOG.md`\n* `mvn gitflow:release-finish`\n* `git push origin master`\n* `git push --tags`\n* `git push origin develop`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeviceinsight%2Fk8s-secret-provisioner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeviceinsight%2Fk8s-secret-provisioner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeviceinsight%2Fk8s-secret-provisioner/lists"}