Skip to content

bbl/secretize

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
.assets
.assets
 
 
.github/workflows
.github/workflows
 
 
cmd/secretize
cmd/secretize
 
 
examples
examples
 
 
internal
internal
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation


Secretize is a kustomize plugin that helps generating kubernetes secrets from various sources.
It's like a swiss army knife, but for kubernetes secrets.

Sources

Secretize is able to generate secrets using the following providers:

It is possible to use multiple providers at once.

Installation

Install secretize to your $XDG_CONFIG_HOME/kustomize/plugin folder:

  1. Export the XDG_CONFIG_HOME variable if it's not already set:
export XDG_CONFIG_HOME=~/.config
  1. Download the release binary into the kustomize plugin folder:
export SECRETIZE_DIR="$XDG_CONFIG_HOME/kustomize/plugin/secretize/v1/secretgenerator" mkdir -p "$SECRETIZE_DIR" curl -L https://github.com/bbl/secretize/releases/download/v0.0.1/secretize-v0.0.1-linux-amd64.tar.gz | tar -xz -C $SECRETIZE_DIR

Usage

All providers can generate two types of secrets: literals and kv (Key-Value secrets).
Literal secrets simply generate a single string output, while KV secrets will output with a dictionary of the key-value pairs.

The full configuration API could be found in the examples/secret-generator.yaml file.

AWS Secrets Manager

Fetching literal secrets is as simple, as using a default kustomize secretGenerator plugin:

apiVersion: secretize/v1 kind: SecretGenerator metadata: name: aws-sm-secrets sources: - provider: aws-sm literals: - mySecret - newName=mySecret

The above config would query AWS Secrets Manager provider to get the mySecret string value. As a result, the following manifest will be generated:

apiVersion: v1 kind: Secret metadata: name: aws-sm-secrets data: mySecret: c2VjcmV0X3ZhbHVlXzE= # a sample base64 encoded data  newName: c2VjcmV0X3ZhbHVlXzE=

Now let's assume that value of mySecret is a json string:

{ "secret_key_1":"secret_value_1", "secret_key_2": "secret_value_2" }

The generator config can be slightly modified, to generate a kv secret:

apiVersion: secretize/v1 kind: SecretGenerator metadata: name: aws-sm-secrets sources: - provider: aws-sm kv: - mySecret

As a result, the following secret is generated:

apiVersion: v1 kind: Secret metadata: name: aws-sm-secrets data: secret_key_1: c2VjcmV0X3ZhbHVlXzE= secret_key_2: c2VjcmV0X3ZhbHVlXzI=

Azure Vault

Azure Vault configuration is pretty similar to the above examples. However, there's additional params field, which is used to specify the Vault Name:

apiVersion: secretize/v1 kind: SecretGenerator metadata: name: aws-sm-secrets sources: - provider: azure-vault params: name: vault-name kv: - kv-secrets # will treat this as JSON, the same way as in the AWS example literals: - literal-secret-1 - new_name=literal-secret-1

Hashicorp Vault

Some providers only support key-value output, e.g. Hashicorp Vault and K8S Secret. For instance, the mySecret in Hashicorp Vault might look like the following:

vault kv get secret/mySecret ====== Data ====== Key Value --- ----- secret_key_1 secret_value_1 secret_key_2 secret_value_2

Querying provider's kv secrets will generate the corresponding key-value data:

apiVersion: secretize/v1 kind: SecretGenerator metadata: name: hashicorp-vault-secrets sources: - provider: hashicorp-vault kv: - secret/data/mySecret # you need to specify the full path in hashicorp vault provider
apiVersion: v1 kind: Secret metadata: name: hashicorp-vault-secrets data: secret_key_1: c2VjcmV0X3ZhbHVlXzE= secret_key_2: c2VjcmV0X3ZhbHVlXzI=

However you're able to query a certain literal in the key-value output using the following syntax: secret-name:key, e.g.:

apiVersion: secretize/v1 kind: SecretGenerator metadata: name: hashicorp-vault-secrets sources: - provider: hashicorp-vault literals: - secret/data/mySecret-1:secret_key_1

As a result, the following manifest will be generated:

apiVersion: v1 kind: Secret metadata: name: hashicorp-vault-secrets data: secret_key_1: c2VjcmV0X3ZhbHVlXzE=

Kubernetes Secret

Kubernetes secret provider is similar to the Hashicorp Vault. Additionally, this provider expects the params field with the namespace specification.
You're able to get the entire secret data using the kv query, or get a particular key using the literals query with the : delimiter syntax:

# The original secret in a default namespace # apiVersion: v1 kind: Secret metadata: name: original-secret namespace: default data: secret_key_1: c2VjcmV0X3ZhbHVlXzE= secret_key_2: c2VjcmV0X3ZhbHVlXzI= --- # Secret generator configuration # apiVersion: secretize/v1 kind: SecretGenerator metadata: name: kubernetes-secrets sources: - provider: k8s-secret params: namespace: default kv: - original-secret literals: - new_name=original-secret:secret_key_1 --- # Generated secret # apiVersion: v1 kind: Secret metadata: name: kubernetes-secrets data: secret_key_1: c2VjcmV0X3ZhbHVlXzE= secret_key_2: c2VjcmV0X3ZhbHVlXzI= new_name: c2VjcmV0X3ZhbHVlXzE=

Env

The environment variables plugin is similar to the AWS and Azure plugins. The literals would simply fetch corresponding environment variables, while kv would treat each variable as JSON and try to parse it:

apiVersion: secretize/v1 kind: SecretGenerator metadata: name: env-secrets sources: - provider: env kv: - MY_KV_SECRET literals: - MY_LITERAL_SECRET

Secretize will fetch the corresponding environment variables during the kustomize build command:

export MY_KV_SECRET='{"secret_key_1":"secret_value_1", "secret_key_2": "secret_value_2"}' export MY_LITERAL_SECRET=super_secret kustomize build

The following secret is generated:

apiVersion: v1 kind: Secret metadata: name: env-kv-secrets data: MY_LITERAL_SECRET: c3VwZXJfc2VjcmV0 secret_key_1: c2VjcmV0X3ZhbHVlXzE= secret_key_2: c2VjcmV0X3ZhbHVlXzI=

About

Kubernetes secrets generator plugin for kustomize

Topics

kubernetes secret-management kubernetes-secrets hashicorp-vault kustomize kustomize-plugin k8s-secret azure-vault

Resources

Readme

License

MIT license
Activity

Stars

71 stars

Watchers

3 watching

Forks

6 forks
Report repository

Releases 2

v0.0.2 Latest
Mar 7, 2021
+ 1 release

Contributors 2

  •  
  •  

Languages