Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cloudflare/lockbox
Offline encryption of Kubernetes Secrets
https://github.com/cloudflare/lockbox
kubernetes
Last synced: 4 days ago
JSON representation
Offline encryption of Kubernetes Secrets
- Host: GitHub
- URL: https://github.com/cloudflare/lockbox
- Owner: cloudflare
- License: bsd-3-clause
- Created: 2019-11-21T21:21:01.000Z (about 5 years ago)
- Default Branch: trunk
- Last Pushed: 2024-10-14T15:58:57.000Z (about 2 months ago)
- Last Synced: 2024-11-05T05:50:31.930Z (about 1 month ago)
- Topics: kubernetes
- Language: Go
- Homepage:
- Size: 138 KB
- Stars: 175
- Watchers: 12
- Forks: 10
- Open Issues: 3
-
Metadata Files:
- Readme: README.org
- License: LICENSE
Awesome Lists containing this project
- awesome-repositories - cloudflare/lockbox - Offline encryption of Kubernetes Secrets (Go)
README
#+TITLE: Lockbox
[[https://pkg.go.dev/github.com/cloudflare/lockbox][https://pkg.go.dev/badge/github.com/cloudflare/lockbox.png]]
Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, =locket=, makes encrypting secrets a one-step process.
** Features
+ Secure encryption using modern cryptography. Uses Salsa20, Poly1305, and Curve25519.
+ Secrets are locked to specific namespaces.
+ All Kubernetes Secret types are supported.
+ Plays nicely with Secrets created by other controllers.
+ Continuously reconciles child resources.** Example Usage
Create a native Secret, but pass =--dry-run= to avoid submitting to the API.#+begin_example
$ kubectl create secret generic mysecret --namespace default \
--from-literal=foo=bar --dry-run -o yaml > mysecret.yaml
#+end_exampleThen, use locket to encrypt the secret.
#+begin_example
$ locket -f mysecret.yaml > mylockbox.yaml
#+end_exampleSubmit the lockbox to the API.
#+begin_example
$ kubectl create -f mylockbox.yaml
#+end_exampleRemove the unencrypted secret.
#+begin_example
$ rm mysecret.yaml
#+end_example