Skip to content

A tool to inject cloud-based secrets into Kubernetes pods

Notifications You must be signed in to change notification settings

h0n9/cloud-secrets-manager

Repository files navigation

Cloud Secrets Manager 🌤🔐🐳

This simple yet powerful tool Cloud Secrets Manager aims to simplify the way to inject secrets strored on Cloud-based secrets managers into Kubernetes Pods, functioning as HashiCorp Vault's Agent Sidecar Injector.

Also, it provides a convenient CLI tool with features like list and edit to make secret management easier than using the Cloud Console. If you want to jump into the CLI tool, please refer to the CLI Tool section right away.

Contents

Supported Cloud Providers

Current

Planned

Concept

Constitution

  • cloud-secrets-controller
  • cloud-secrets-injector

Step-by-step

  1. cloud-secrets-controller watches incoming /mutate, /validate webhooks from Kubernetes API server.
  2. When pods are created or updated in a namespace labeled with cloud-secrets-injector: enabled, Kubernetes API server sends requests to cloud-secrets-controller webhook server.
  3. cloud-secrets-controller mutates the pod's manifests by injecting an init container cloud-secrets-injector into the pod and mounting a temporary directory as a volume on the init and origin containers.
  4. When it comes to initializing the pods, the init container cloud-secrets-injector requests secret values, with a secret key id, from secret providers and stores them in the temporary directory.
  5. Once cloud-secrets-injector has successfully completed its role, the origin container starts running as defined on the manifest.

Installation

Prerequisites

  • Kubernetes Cluster
  • kubectl
  • helm

Using Helm chart

kubectl create namespaces cloud-secrets-manager
helm repo add h0n9 https://h0n9.github.io/helm-charts
helm upgrade --install -n cloud-secrets-manager cloud-secrets-manager h0n9/cloud-secrets-manager

You can check out the official Helm chart repository h0n9/helm-charts.

By pressing the ⭐️ Star button above, be the first to get notified of launch of other new charts.

Usage

Annotations

The following annotatins are required to inject cloud-secrets-injector into pods:

Key Required Description Example
cloud-secrets-manager.h0n9.postie.chat/provider true Cloud Provider Name aws
cloud-secrets-manager.h0n9.postie.chat/secret-id true Secret Name very-precious-secret
cloud-secrets-manager.h0n9.postie.chat/template true Template for secret value {{ range $k, $v := . }}{{ $k }}={{ $v }} {{ end }}
cloud-secrets-manager.h0n9.postie.chat/output true File path for output /secrets/env
cloud-secrets-manager.h0n9.postie.chat/decode-base64 false Decode base64-encoded secret value true or false
cloud-secrets-manager.h0n9.postie.chat/injected false Identifier for injection false

Annotations for Multiple Secrets Injection

From the version v0.4, multiple secrets can be injected into pods by defining the annotations as follows:

cloud-secrets-manager.h0n9.postie.chat/provider: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id: secrets-env
cloud-secrets-manager.h0n9.postie.chat/output: /secrets/env
cloud-secrets-manager.h0n9.postie.chat/template: |
  {{ range $k, $v := . }}export {{ $k }}={{ $v }}
  {{ end }}
cloud-secrets-manager.h0n9.postie.chat/provider-config-app: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-config-app: secrets-config
cloud-secrets-manager.h0n9.postie.chat/output-config-app: /config/application.yaml
cloud-secrets-manager.h0n9.postie.chat/template-config-app: |
  {{ .application-yaml }}
cloud-secrets-manager.h0n9.postie.chat/provider-config-secrets: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-config-secrets: secrets-config
cloud-secrets-manager.h0n9.postie.chat/output-config-secrets: /config/secrets.yaml
cloud-secrets-manager.h0n9.postie.chat/template-config-secrets: |
  {{ .secrets-yaml }}

Just add <secret-name> at the end of each annotation key, like cloud-secrets-manager.h0n9.postie.chat/provider-<secret-name>. That's it!

Annotation for Decoding Base64-encoded Secret Value

From the version v0.6, you can decode base64-encoded secret values by setting the cloud-secrets-manager.h0n9.postie.chat/decode-base64 annotation to true.

cloud-secrets-manager.h0n9.postie.chat/provider-cert: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-cert: very-precious-secret
cloud-secrets-manager.h0n9.postie.chat/output-cert: /secrets/precious.cer
cloud-secrets-manager.h0n9.postie.chat/template-cert: |
  {{ .base64-encoded-precious-cert }}
cloud-secrets-manager.h0n9.postie.chat/decode-base64-cert: "true"
cloud-secrets-manager.h0n9.postie.chat/provider-key: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-key: very-precious-secret
cloud-secrets-manager.h0n9.postie.chat/output-key: /secrets/precious.key
cloud-secrets-manager.h0n9.postie.chat/template-key: |
  {{ .base64-encoded-precious-key }}
cloud-secrets-manager.h0n9.postie.chat/decode-base64-key: "true"

This feature is useful when you want to inject a base64-encoded secret value as a file into a pod.

Providers

Supported providers require the annotations mentioned above in common. However, the authentication method may differ depending on the provider. Please refer the following explanation.

CLI Tool

Installation

Cloud Secrets Manager can be installed via Homebrew:

$ brew install h0n9/devops/cloud-secrets-manager

That's it! You can now use the cloud-secrets-manager or csm commands.

For aws-vault users, you can use the following command to execute the cloud-secrets-manager command with the specified AWS profile:

$ aws-vault exec <profile> -- csm <command>

List Secrets

$ csm secrets list --provider aws --limit 3
dev/hello-world
dev/very-precious-secret
dev/another-secret

The --limit option is available to limit the number of secrets to be listed.

Edit Secret

$ csm secrets edit --provider aws --secret-id dev/very-precious-secret

A text editor will be opened with the secret value. After editing, save and close the editor to update the secret value. If you want to cancel the editing, just close the editor without saving.

If you want to use a specific editor, set the EDITOR environment variable.

$ export EDITOR=nano
$ csm secrets edit --provider aws --secret-id dev/very-precious-secret