Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tumblr/k8s-secret-projector
Kubernetes Secret generation from secure credential repos
https://github.com/tumblr/k8s-secret-projector
config-generator k8s kubernetes secrets secrets-management
Last synced: 3 months ago
JSON representation
Kubernetes Secret generation from secure credential repos
- Host: GitHub
- URL: https://github.com/tumblr/k8s-secret-projector
- Owner: tumblr
- License: apache-2.0
- Created: 2018-11-08T17:36:33.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2019-01-30T16:08:15.000Z (almost 6 years ago)
- Last Synced: 2024-06-15T11:32:45.914Z (5 months ago)
- Topics: config-generator, k8s, kubernetes, secrets, secrets-management
- Language: Go
- Homepage:
- Size: 52.7 KB
- Stars: 72
- Watchers: 13
- Forks: 3
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-repositories - tumblr/k8s-secret-projector - Kubernetes Secret generation from secure credential repos (Go)
README
# k8s-secret-projector
Create managed Kubernetes Secrets from mapping files and your credentials repos
       [](http://godoc.org/github.com/tumblr/k8s-secret-projector)
# What is this?
At Tumblr, we wanted a way to allow applications to declare their dependencies on secrets (passwords, certificates, etc) without needing to create configurations that are aware of specific secret files. A system like this will allow automation to ensure applications always have the appropriate secrets at runtime, while enabling automated systems (cert refreshers, DB password rotations, etc) to automatically manage and update these credentials, and not require the application to redeploy/restart. Additionally, we wanted a system to limit the scope and access of any application to the minimum set of credentials necessary to run, minimizing a compromise blast radius.
To solve this problem, we created a system to enable developers to declare their application's secret dependencies, without needing access to the secret files in our secure credential stores. The `k8s-secret-projector` is a tool that:
- Has access to your credential repos (typically git repo on disk)
- Reads your `ProjectionManifest` YAMLs (typically in a separate git repo)
- Creates a set of Kubernetes `Secret` manifests by processing `ProjectionManifest` along with your credential repos
- Optionally encrypts those Secrets before they touch disk (if your applications have decrypt-before-use ability for your secrets)
It is meant to operate in a larger system of CI/CD in your organization. The following diagram explains a typical setup:
```
+------------------------+
| | +---------------------------------------------+
| Secret Manifests Repo | | |
| (projection manifests) | | Typical Workflow for k8s-secret-projector |
| | | use in CI/CD pipelines |
+-----+------------------+ | |
| +---------------------------------------------+
| Webhook/similar to trigger
| CI/CD jobs on merge to master +------------------+
| | |
| | Credentials Repo |
| +----------------------+ +-------------------+ | (staging) |
+-----v----------------+ | | | +---------------> |
| | | k8s-secret-projector | | Check out | +-------------+----+
| Jenkins/Travis CI/CD +-------------> docker image +-----------------> Credentials Repos +---------+ |
| | | | | | | |
+----------------------+ +----------------------+ +--------+----------+ +----v-------------+ |
| | | |
Job runs in container, | | Credentials Repo | |
sets up workspace | | (production) | |
| | | |
| +----------+-------+ |
| | |
| +------------------+ | |
| | | | |
+----> Credentials Repo | | |
| (development) | | |
| | | |
+----------------+-+ | |
| | |
| | |
| | |
+-----------------------+ +----------------------------------+ | | |
| | | <--+ | |
| Use kubectl to deploy <---------------+ Run k8s-secret-projector <-------+ |
| generated secrets | | (generate secret YAML resources) <---------------------+
| | | |
+-----------------------+ +------------------^---------------+
|
|
| This should be the commit that
| triggered the CI job in Jenkins
|
|
+------------+-----------+
| |
| Secret Manifests Repo |
| (projection manifests) |
| |
+------------------------+
```
## Features
* Allow peer review and audit of exactly what namespaces have access to what secrets
* Allow developers to make requests for credentials access without exposing/accessing the credentials in question
* Enable applications to consume secrets in a structured format
* Allow encryption of secrets at in transit (and at rest) to the Kubernetes API
* Extract specific secrets from larger structured sources (YAML, JSON) via `JSONPath` notation
* Consume structured secrets in alternate formats at runtime (YAML/JSON/text), independent of source format
* Structured field extraction via `jsonpath` notation
## Examples
See docs at [docs/](/docs/examples.md)!
# Build
Builds are performed by Travis and Docker Hub. If you want to build this yourself, see below.
## Linux Native
```bash
$ GOOS=linux GOARCH=amd64 make
$ file bin/k8s-secret-projector
bin/k8s-forward-zone-generator: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
```
## Docker
Docker images are built and pushed to the Hub automatically. 
If you want to build this yourself, locally:
```bash
$ make docker
...
Successfully built 8ce7a5f5542c
Successfully tagged tumblr/k8s-secret-projector:v0.1.0-13-g1f564dc
```
## Plugins
We build plugins for use with the encryption module system. `make plugins` should do the needful.
The shared objects will be dropped in `/*.so`. They should be referenced by the ProjectionManifest's `Encryption.PluginFile` field.
# Development
See docs at [docs/hacking.md](/docs/hacking.md)!
# Maintainers
See [MAINTAINERS.md](/MAINTAINERS.md)
# License
[Apache 2.0](/LICENSE.txt)
Copyright 2019, Tumblr, Inc.