Repository: https://github.com/mittwald/kubernetes-secret-generator
Description: Kubernetes controller for automatically generating and updating secrets
Language: Go. License: Apache-2.0 (LICENSE.txt). Security policy: SECURITY.md. Default branch: master
Topics: golang, kubernetes, kubernetes-controller, kubernetes-secrets
Created: 2017-04-11. Last push: 2025-03-03. Stars: 360. Forks: 63. Open issues: 19. Tags: 18
Source archive: https://codeload.github.com/mittwald/kubernetes-secret-generator/tar.gz/refs/heads/master
Record last synced from GitHub on 2025-05-16 via https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mittwald%2Fkubernetes-secret-generator

# Automatically generated secrets for Kubernetes

This repository contains a custom Kubernetes controller that can automatically create
random secret values. This may be used for auto-generating random credentials for
applications run on Kubernetes.

## Security note

Older versions (<= 1.0.0) of this controller used the `math/rand` package for generating secrets, which is deterministic and not cryptographically secure (see #1 for more information). If you are already running this controller and want to regenerate all potentially compromised secrets, start the controller with the `-regenerate-insecure` flag (note that you will need to manually re-create any Pods using these secrets). When using the `kubectl apply` command from below, the new flag will be added to your Deployment automatically.

## License

Copyright 2023 Mittwald CM Service GmbH & Co. KG and [contributors](https://github.com/mittwald/kubernetes-secret-generator/graphs/contributors)

This project is licensed under the [Apache License, Version 2.0](./LICENSE.txt).

## Deployment

### Helm
The controller can be deployed using [Helm](https://helm.sh).

You might want to take a look at the [values.yaml](deploy/helm-chart/kubernetes-secret-generator/values.yaml) to adjust the operator to your needs:

- `secretLength` defines the length of the generated secret values.

- `watchNamespace` defines which namespaces should be watched for secret objects.

  To watch a single namespace, set it to the desired namespace name.
  Multiple namespaces are supported and can be set as a comma-separated list: `ns1,ns2`.

  If `watchNamespace` is set to the empty string value `""`, all namespaces will be watched.

- `useMetricsService` toggles whether the operator should provide a service for metrics monitoring by Prometheus. If this is set to true, the operator starts with additional permissions, namely `get` on `replicasets` and `deployments` in the `apps` API group as well as `create` on `services`, and creates the needed services during startup.

- `rbac.create` controls whether RBAC resources are deployed.

- `rbac.clusterRole` controls whether the secret generator has permission to watch secrets in namespaces other than the one it has been deployed to.

  `rbac.clusterRole=false` together with `watchNamespace=""` results in `watchNamespace` being set to the current namespace, as that is all the granted permissions allow access to.

Afterwards, deploy the operator using:

1. Add the [Mittwald Charts Repo](https://github.com/mittwald/helm-charts/blob/master/README.md#usage):
    ```shellsession
    $ helm repo add mittwald https://helm.mittwald.de
    "mittwald" has been added to your repositories

    $ helm repo update
    Hang tight while we grab the latest from your chart repositories...
    ...Successfully got an update from the "mittwald" chart repository
    Update Complete. ⎈ Happy Helming!⎈
    ```

2. Upgrade or install `kubernetes-secret-generator`:

    ```shellsession
    $ helm upgrade --install kubernetes-secret-generator mittwald/kubernetes-secret-generator
    ```

### Manually

If you don't want to use Helm (why wouldn't you?), the required .yaml files can also be applied manually using `kubectl apply`:

```shellsession
$ make install
```

To uninstall, use:

```shellsession
$ make uninstall
```

## Usage

This operator is capable of generating secure random strings, SSH key pairs and Ingress basic-auth credentials.

It supports two ways of secret generation, annotation-based and CR-based.

### Annotation-based generation

For annotation-based generation, the type of secret to be generated can be specified by the `secret-generator.v1.mittwald.de/type` annotation.
This annotation can be added to any Kubernetes secret object in the operator's `watchNamespace`.

The encoding of the secret can be specified by the `secret-generator.v1.mittwald.de/encoding` annotation.
Available encodings are `base64`, `base64url`, `base32`, `hex` and `raw`, with `raw` returning the unencoded byte sequence
that was generated. `base64` is used if the annotation is absent.

The length of the generated secret can be specified by the `secret-generator.v1.mittwald.de/length` annotation.
By default, this length refers to the length of the generated string, not the length of the byte sequence encoded by it.
The suffix `B` or `b` can be used to indicate that the provided value should refer to the encoded byte sequence instead.

### Secure Random Strings

By default, the operator will generate secure random strings. If the type annotation is not present, it will be added after the first
reconciliation loop and its value will be set to `string`.

To actually generate random string secrets, the `secret-generator.v1.mittwald.de/autogenerate` annotation is required as well.
The value of the annotation can be a field name (or comma-separated list of field names) within the secret;
the SecretGeneratorController will pick up this annotation and add a field (or fields)
(`password` in the example below) to the secret with a randomly generated string value.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: string-secret
  annotations:
    secret-generator.v1.mittwald.de/autogenerate: password
data:
  username: c29tZXVzZXI=
```

after reconciliation:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: string-secret
  annotations:
    secret-generator.v1.mittwald.de/type: string
    secret-generator.v1.mittwald.de/secure: "yes"
    secret-generator.v1.mittwald.de/autogenerate: password
    secret-generator.v1.mittwald.de/autogenerate-generated-at: "2020-04-03T14:07:47+02:00"
type: Opaque
data:
  username: c29tZXVzZXI=
  password: TWVwSU83L2huNXBralNTMHFwU3VKSkkwNmN4NmRpNTBBcVpuVDlLOQ==
```

### SSH Key Pairs

To generate SSH key pairs, the `secret-generator.v1.mittwald.de/type` annotation **has** to be present on the Kubernetes secret object.

The operator will then add two keys to the secret object, `ssh-publickey` and `ssh-privatekey`, each containing the respective key.

The private key is PEM encoded, the public key is in `authorized_keys` format.

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret-generator.v1.mittwald.de/type: ssh-keypair
data: {}
```

after reconciliation:

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret-generator.v1.mittwald.de/type: ssh-keypair
    secret-generator.v1.mittwald.de/autogenerate-generated-at: "2020-04-03T14:07:47+02:00"
type: Opaque
data:
  ssh-publickey: c3NoLXJzYSBBQUFBQ...
  ssh-privatekey: LS0tLS1CRUdJTi...
```

### Ingress Basic Auth

To generate Ingress Basic Auth credentials, the `secret-generator.v1.mittwald.de/type` annotation **has** to be present on the Kubernetes secret object.

The operator will then add three keys to the secret object.
The ingress will interpret the `auth` key as an htpasswd entry. This entry contains the username and the hashed generated password for the user.
The operator also stores the username and cleartext password in the `username` and `password` keys.
Because the cleartext password sits in the same Secret as the hash, anyone with read access to that Secret holds the working credential, so scope RBAC on these Secrets accordingly.

If a username other than `admin` is desired, it can be specified using the `secret-generator.v1.mittwald.de/basic-auth-username` annotation.

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret-generator.v1.mittwald.de/type: basic-auth
data: {}
```

after reconciliation:

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret-generator.v1.mittwald.de/type: basic-auth
    secret-generator.v1.mittwald.de/autogenerate-generated-at: "2020-04-03T14:07:47+02:00"
type: Opaque
data:
  username: admin
  password: test123
  auth: "admin:PASSWORD_HASH"
```

### CR-based generation

The operator supports three kinds of custom resources: `StringSecret`, `SSHKeyPair` and `BasicAuth`. These CRs can be used to trigger creation, update and deletion of desired secrets.
All CRs support the field `spec.type`, which can be used to define the Kubernetes type of the generated `Secret`, e.g. "Opaque".

### Secure Random Strings via StringSecret-CR

A `StringSecret` resource can be used to generate secure random strings similar to the ones offered by the annotation approach.
The fields to be randomly generated can be supplied via the `spec.fields` property, which specifies a list of fields with individual encoding and length values; e.g. a hex-encoded string of length 15 and a base64-encoded string of length 40 can be defined in the same secret object.
The `spec.data` property can be used to specify arbitrary data entries the generated secret's `data` property should be populated with.
Finally, the `spec.forceRegenerate` property can be used to control regeneration of secret fields.

Example:

```yaml
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
  name: "example-pw"
  namespace: "default"
spec:
  forceRegenerate: false
  data:
    username: "testuser"
  fields:
    - fieldName: "test"
      encoding: "hex"
      length: "15"
```

Upon creation of the CR, the controller will attempt to create a `Secret` resource matching the specification. If successful, the new resource will have its owner set to the `StringSecret` used to create it, providing automated deletion/updating of the secret if the creating CR is deleted/updated. The `StringSecret` will store an object reference to the created `Secret` in its status field.
During updating, any new fields in `spec.data` and `spec.fields` will be added, while existing fields will only be overwritten/regenerated if `spec.forceRegenerate` is set to `true`.
If the target `Secret` already exists and is not owned by a `StringSecret` resource, no changes will be made to it.

### SSH Key Pair via SSHKeyPair-CR

An `SSHKeyPair` resource can be used to generate an SSH key pair. It supports `spec.length`, `spec.data` and `spec.forceRegenerate` similar to `StringSecret` resources.
The field `spec.privateKey` can be used to specify a private key, which will be used at runtime to regenerate a matching public key.
Updating is handled similarly to `StringSecret` resources: unowned `Secrets` are not modified, and existing fields are only updated if regeneration is forced. However, should the public key be missing, the operator will attempt to regenerate it.

```yaml
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "SSHKeyPair"
metadata:
  name: "example-ssh"
  namespace: "default"
spec:
  length: "40"
  forceRegenerate: false
  data:
    example: "data"
```

### Ingress Basic Auth via BasicAuth-CR

A `BasicAuth` resource can be used to generate Ingress Basic Auth credentials. Supported properties are `spec.length`, `spec.encoding`, `spec.data` and `spec.forceRegenerate`.
To specify a username, use `spec.username`. If no username is provided, the operator will use `admin`.
Updates follow the same rules as for the other CRs: existing `Secrets` will only be updated if owned by a `BasicAuth` resource and if `spec.forceRegenerate` is set to true. The exceptions to this are new `spec.data` entries, which are added even if `forceRegenerate` is false, and cases where the `auth` field in the `Secret` is empty.

```yaml
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "BasicAuth"
metadata:
  name: "example-auth"
  namespace: "default"
spec:
  length: "40"
  username: "testuser"
  encoding: "base64"
  forceRegenerate: false
  data:
    example: "data"
```

## Operational tasks

-   Regenerate all automatically generated secrets:
    ```shellsession
    $ kubectl annotate secrets --all secret-generator.v1.mittwald.de/regenerate=true
    ```

-   Regenerate only certain fields of a `string`-type secret that autogenerates several fields:
    ```shellsession
    $ kubectl annotate secrets --all secret-generator.v1.mittwald.de/regenerate=password1,password2
    ```
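The length and encoding rules from the annotation-based generation section, together with the `math/rand` weakness from the security note, as an added Go example; this is not the controller's own code. `Generate` follows the documented semantics: a bare length is the length of the encoded string, a `B`/`b` suffix makes it the number of random bytes, and `base64` is the default encoding. The page does not describe how the controller sizes and cuts its output, so the buffer sizing and truncation below are this example's own choice. `LegacyDeterministic` shows why seeded `math/rand` is unsuitable for secrets: the same seed reproduces the same value.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"strconv"
	"strings"
)

// Encoder pairs an encoding accepted by the .../encoding annotation with the
// number of random bits each output character carries (used to size the buffer).
type Encoder struct {
	Encode      func([]byte) string
	BitsPerChar int
}

var encoders = map[string]Encoder{
	"base64":    {base64.StdEncoding.EncodeToString, 6},
	"base64url": {base64.URLEncoding.EncodeToString, 6},
	"base32":    {base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString, 5},
	"hex":       {hex.EncodeToString, 4},
	"raw":       {func(b []byte) string { return string(b) }, 8},
}

// ParseLength parses the .../length annotation value. A bare number is the
// length of the encoded string; a trailing "B" or "b" means random bytes.
func ParseLength(spec string) (n int, inBytes bool, err error) {
	spec = strings.TrimSpace(spec)
	if strings.HasSuffix(spec, "B") || strings.HasSuffix(spec, "b") {
		inBytes = true
		spec = spec[:len(spec)-1]
	}
	n, err = strconv.Atoi(spec)
	if err != nil || n <= 0 {
		return 0, false, fmt.Errorf("invalid length %q", spec)
	}
	return n, inBytes, nil
}

// Generate returns a random secret value for the given length spec and
// encoding, drawing randomness from crypto/rand only.
func Generate(lengthSpec, encoding string) (string, error) {
	if encoding == "" {
		encoding = "base64" // documented default when the annotation is absent
	}
	enc, ok := encoders[encoding]
	if !ok {
		return "", fmt.Errorf("unsupported encoding %q", encoding)
	}
	n, inBytes, err := ParseLength(lengthSpec)
	if err != nil {
		return "", err
	}
	if inBytes {
		buf := make([]byte, n)
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		return enc.Encode(buf), nil
	}
	// String length (example's own approach): draw at least n*BitsPerChar bits
	// plus two bytes of slack, encode, and keep the first n characters. The
	// discarded tail is where padding or zero-filled bits would sit.
	buf := make([]byte, (n*enc.BitsPerChar+7)/8+2)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	out := enc.Encode(buf)
	if len(out) < n {
		return "", fmt.Errorf("encoded output shorter than %d", n)
	}
	return out[:n], nil
}

// LegacyDeterministic reproduces the weakness from the security note: seeded
// math/rand yields the same bytes on every run, so a secret derived from it is
// predictable to anyone who can guess the seed.
func LegacyDeterministic(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	buf := make([]byte, n)
	r.Read(buf) // deterministic; never fails
	return hex.EncodeToString(buf)
}

func main() {
	for _, c := range [][2]string{{"15", "hex"}, {"16B", "hex"}, {"40", ""}, {"10B", "base32"}} {
		v, err := Generate(c[0], c[1])
		fmt.Printf("length=%-4s encoding=%-11q -> %q (err=%v)\n", c[0], c[1], v, err)
	}
	fmt.Println("math/rand seed 1, run 1:", LegacyDeterministic(1, 8))
	fmt.Println("math/rand seed 1, run 2:", LegacyDeterministic(1, 8))
}
```

Run it twice: the `Generate` values change between runs while the two `LegacyDeterministic` lines are identical within and across runs, which is exactly the property that makes secrets from the old versions worth regenerating with `-regenerate-insecure`.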
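The update rules of the CR-based section (new `spec.data` and `spec.fields` entries are added, existing entries are only overwritten when `spec.forceRegenerate` is true, and a `Secret` not owned by the CR is never modified), as an added Go example rather than the operator's reconciler. The types `Field`, `Spec` and `Result`, the `Reconcile` and `HexGenerator` names, and the injected generator are this example's own; values are kept as plain strings instead of the base64 form a real `Secret` stores.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
)

// Field mirrors one entry of a StringSecret's spec.fields.
type Field struct {
	FieldName string
	Encoding  string
	Length    string
}

// Spec mirrors the parts of the StringSecret spec that drive the merge.
type Spec struct {
	ForceRegenerate bool
	Data            map[string]string
	Fields          []Field
}

// Generator returns a fresh random value for a field. It is injected so the
// merge rules can be exercised with a deterministic stand-in.
type Generator func(f Field) (string, error)

// Result is the outcome of one reconcile pass.
type Result struct {
	Data        map[string]string // desired Secret data (plain, not base64)
	Added       []string          // keys that did not exist before
	Regenerated []string          // keys that existed and received a new value
	Skipped     bool              // Secret exists but is not owned by a StringSecret
}

// Reconcile applies the documented update rules. existing is the current
// Secret's data (nil when no Secret exists yet); ownedByCR reports whether it
// carries an owner reference to a StringSecret. The input map is not mutated.
func Reconcile(existing map[string]string, ownedByCR bool, spec Spec, gen Generator) (Result, error) {
	res := Result{Data: make(map[string]string, len(existing))}
	for k, v := range existing {
		res.Data[k] = v
	}
	if existing != nil && !ownedByCR {
		res.Skipped = true // unowned Secret: left untouched
		return res, nil
	}
	// spec.data: new keys are added, existing keys only overwritten on force.
	for k, v := range spec.Data {
		if _, present := res.Data[k]; !present {
			res.Added = append(res.Added, k)
			res.Data[k] = v
		} else if spec.ForceRegenerate && res.Data[k] != v {
			res.Regenerated = append(res.Regenerated, k)
			res.Data[k] = v
		}
	}
	// spec.fields: generated when missing, regenerated only on force.
	for _, f := range spec.Fields {
		_, present := res.Data[f.FieldName]
		if present && !spec.ForceRegenerate {
			continue
		}
		v, err := gen(f)
		if err != nil {
			return Result{}, fmt.Errorf("field %s: %w", f.FieldName, err)
		}
		if present {
			res.Regenerated = append(res.Regenerated, f.FieldName)
		} else {
			res.Added = append(res.Added, f.FieldName)
		}
		res.Data[f.FieldName] = v
	}
	sort.Strings(res.Added)
	sort.Strings(res.Regenerated)
	return res, nil
}

// HexGenerator is a small crypto/rand-backed Generator (16 random bytes as hex).
// It ignores Field.Encoding and Field.Length to keep the focus on the merge.
func HexGenerator(Field) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	spec := Spec{
		Data:   map[string]string{"username": "testuser"},
		Fields: []Field{{FieldName: "test", Encoding: "hex", Length: "15"}},
	}
	first, _ := Reconcile(nil, false, spec, HexGenerator) // no Secret yet: everything created
	fmt.Println("created:", first.Added)
	second, _ := Reconcile(first.Data, true, spec, HexGenerator) // re-run without force
	fmt.Println("value kept:", second.Data["test"] == first.Data["test"])
	spec.ForceRegenerate = true
	third, _ := Reconcile(first.Data, true, spec, HexGenerator)
	fmt.Println("regenerated:", third.Regenerated)
	foreign, _ := Reconcile(map[string]string{"k": "v"}, false, spec, HexGenerator)
	fmt.Println("unowned secret skipped:", foreign.Skipped)
}
```

The same rules apply to `SSHKeyPair` and `BasicAuth` resources; for those, the page adds one exception each (a missing public key, or an empty `auth` field, is regenerated even without force), which would be an extra "present but empty" check in the field loop.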