{"id":16777039,"url":"https://github.com/rueian/kinko","last_synced_at":"2025-03-22T00:31:01.581Z","repository":{"id":46019396,"uuid":"278994305","full_name":"rueian/kinko","owner":"rueian","description":"A Kubernetes controller and tool for sealing/unsealing Secrets with the help of KMS providers.","archived":false,"fork":false,"pushed_at":"2024-04-19T12:47:29.000Z","size":36259,"stargazers_count":12,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-18T06:22:55.839Z","etag":null,"topics":["encrypt-secrets","gitops","kubernetes","kubernetes-operators","kubernetes-secrets"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rueian.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-12T04:58:30.000Z","updated_at":"2024-04-23T09:35:42.000Z","dependencies_parsed_at":"2024-06-20T15:41:34.579Z","dependency_job_id":"3db64fcd-fb5e-4725-805f-8a6d622a5cee","html_url":"https://github.com/rueian/kinko","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rueian%2Fkinko","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rueian%2Fkinko/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rueian%2Fkinko/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rueian%2Fkinko/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/owners/rueian","download_url":"https://codeload.github.com/rueian/kinko/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244890102,"owners_count":20527030,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encrypt-secrets","gitops","kubernetes","kubernetes-operators","kubernetes-secrets"],"created_at":"2024-10-13T07:11:43.366Z","updated_at":"2025-03-22T00:31:01.305Z","avatar_url":"https://github.com/rueian.png","language":"Go","readme":"# Kinko for Kubernetes\n\nKinko is a Kubernetes CRD controller that does the same thing as [bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets),\nbut kinko is much easier to maintain with the help of an external KMS provider.\n\n# Comparison to bitnami-labs/sealed-secrets\nThe same:\n* `kinko` CLI to create sealed CRDs that can be saved into a VCS.\n* `kinko` CRD controller that unseals the sealed CRDs into normal k8s secrets.\n\nThe differences, and why kinko is easier to maintain:\n* There is no RSA key pair maintained by `kinko`. Instead, the Data Encryption Key (DEK) is encrypted by the external KMS provider. \n* The `kinko` CRD controller should have the decryption permission on the external KMS provider to decrypt the DEK.\n* Anyone having the decryption permission can decrypt the DEK as well. 
Nothing enforces that the CRD controller is the only one who can unseal the secret.\n* Currently, only Google Cloud KMS is supported.\n\n# Permission Advisory\nFor GKE users:\n* The `kinko-controller-manager` should get the `cloudkms.cryptoKeyVersions.useToDecrypt` role permission through the `Workload Identity`.\n* Only grant `cloudkms.cryptoKeyVersions.useToDecrypt`, `container.secrets.get` and `container.pods.exec` permissions to privileged GCP users.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frueian%2Fkinko","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frueian%2Fkinko","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frueian%2Fkinko/lists"}