externalsecret-operator

command module
v0.1.0-alpha.1
Published: Nov 5, 2020 License: Apache-2.0 Imports: 13 Imported by: 0

README

External Secret Operator


This operator reads secrets from a third-party service such as AWS Secrets Manager or AWS SSM and automatically injects the values into the cluster as Kubernetes Secrets.

Table of Contents

Quick start

Using Kustomize

Install the operator CRDs
  • Install CRDs
  make install

What does it do?

Given a secret defined in AWS Secrets Manager:

% aws secretsmanager create-secret \
  --name=example-externalsecret-key \
  --secret-string='this string is a secret'

and AWS credentials configured for the operator: enable credentials-asm.yaml in config/credentials/kustomization.yaml and put a valid access key in config/credentials/credentials-asm.yaml:

% cat config/credentials/kustomization.yaml
resources:
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-onepassword.yaml
% cat config/credentials/credentials-asm.yaml
...
credentials.json: |-
    {
      "accessKeyID": "AKIA...",
      "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
      "sessionToken": "" 
    }

and a SecretStore resource definition like this one:

% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth: 
      secretRef: 
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2

and an ExternalSecret resource definition like this one:

% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef: 
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest

The operator fetches the secret from AWS Secrets Manager and injects it as a secret:

% make install
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
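The flow above (credentials Secret, SecretStore, ExternalSecret, resulting Kubernetes Secret) as an added Go example that is not the operator's own code: it models the reconcile step for one ExternalSecret, resolving spec.storeRef, dispatching on store.type, and returning the Secret payload base64-encoded exactly as the kubectl command prints it before base64 -d, failing closed (error, no partial Secret) on an unknown store, unsupported type or missing key. The Backend function type, the struct names and the in-memory dummy backend are assumptions for this example; the operator's real controllers and pkg/* packages differ.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// Backend fetches one key at a given version from an external store. The signature is an assumption
// for this example, standing in for the page's asm, gsm, onepassword and dummy packages.
type Backend func(key, version string) (string, error)

// SecretStore and ExternalSecret carry only the spec fields the README samples use.
type SecretStore struct{ Name, Type string }
type DataRef struct{ Key, Version string }
type ExternalSecret struct {
	Name, StoreRef string
	Data           []DataRef
}

// Reconcile resolves spec.storeRef, dispatches on store.type, fetches each spec.data entry and returns the
// Secret payload as kubectl shows it (base64 under .data.<key>); any failure yields an error and no partial Secret.
func Reconcile(es ExternalSecret, stores map[string]SecretStore, backends map[string]Backend) (map[string]string, error) {
	store, ok := stores[es.StoreRef]
	if !ok {
		return nil, fmt.Errorf("ExternalSecret %q: SecretStore %q not found", es.Name, es.StoreRef)
	}
	fetch, ok := backends[store.Type]
	if !ok {
		return nil, fmt.Errorf("SecretStore %q: unsupported type %q", store.Name, store.Type)
	}
	data := make(map[string]string, len(es.Data))
	for _, d := range es.Data {
		v, err := fetch(d.Key, d.Version)
		if err != nil {
			return nil, fmt.Errorf("ExternalSecret %q: %w", es.Name, err) // fail closed: no partial Secret
		}
		data[d.Key] = base64.StdEncoding.EncodeToString([]byte(v))
	}
	return data, nil
}

// dummy stands in for the page's dummy package: an in-memory map of constructed values used for testing.
var dummy Backend = func(key, version string) (string, error) {
	values := map[string]string{"example-externalsecret-key": "this string is a secret"}
	if v, ok := values[key]; ok {
		return v, nil
	}
	return "", fmt.Errorf("key %q (version %s) not found in dummy backend", key, version)
}
```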

Architecture

In this article you can find more information about the architecture and design choices.

Here's a high-level diagram of how things are put together.

[architecture diagram]

CRDs Spec

Supported Backends

We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported or planned backends are:

1Password [REVIEWING]

Prerequisites
  • An existing 1Password team account.
  • A 1Password account specifically for the operator. Tip: set up an email address using the + convention, e.g. john.doe+operator@example.org
  • Store the secret key, master password, email and URL of the operator account as an item in your existing 1Password account. This screenshot shows which fields should be used to store this information.
  • Our naming convention for the account item is 'External Secret Operator' followed by the name of the Kubernetes cluster, for instance 'External Secret Operator minikube'. This item name is also used for development.
  • Install CRDs
  make install

Deployment
  • Uncomment and update credentials to be used in config/credentials/kustomization.yaml:
resources:
# - credentials-gsm.yaml
# - credentials-asm.yaml
# - credentials-dummy.yaml
- credentials-onepassword.yaml
  • Update the 1Password credentials in config/credentials/credentials-onepassword.yaml with a valid secretKey and masterPassword:
% cat config/credentials/credentials-onepassword.yaml
...
credentials.json: |-
    {
      "secretKey": "${OP_SECRET_KEY}",
      "masterPassword": "${OP_MASTER_PASSWORD}"
    }

  • Update the SecretStore resource definition config/samples/store_v1alpha1_secretstore.yaml
% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: onepassword
    auth: 
      secretRef: 
        name: externalsecret-operator-credentials-onepassword
    parameters:
      vault: Personal
      email: email@email-provider.com
      domain: domain.onepassword.com

  • Update the ExternalSecret resource definition config/samples/secrets_v1alpha1_externalsecret.yaml
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef: 
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest
  • The operator fetches the secret from 1Password and injects it as a secret:
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d

GCP Secret Manager

Prerequisites
  • The Secret Manager API enabled and configured on your GCP project (see the Secret Manager docs).

  • Install CRDs

  make install

Deployment
  • Uncomment and update credentials to be used in config/credentials/kustomization.yaml:
resources:
- credentials-gsm.yaml
# - credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-onepassword.yaml
  • Update the GSM credentials in config/credentials/credentials-gsm.yaml with the service account key JSON:
% cat config/credentials/credentials-gsm.yaml
...
credentials.json: |-
    {
      "type": "service_account"
      ....
    }

  • Update the SecretStore resource definition config/samples/store_v1alpha1_secretstore.yaml
% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: gsm
    auth: 
      secretRef: 
        name: externalsecret-operator-credentials-gsm
    parameters:
      projectID: external-secrets-operator
  • Update the ExternalSecret resource definition config/samples/secrets_v1alpha1_externalsecret.yaml
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef: 
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest
  • The operator fetches the secret from GCP Secret Manager and injects it as a secret:
% make install
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d

Contributing

Yay! We welcome and encourage contributions to this project!

See our contributing document and Issues for planned improvements and additions.

Documentation


There is no documentation for this package.

Directories

Path               Synopsis
apis
  secrets/v1alpha1 Package v1alpha1 contains API Schema definitions for the secrets v1alpha1 API group +kubebuilder:object:generate=true +groupName=secrets.externalsecret-operator.container-solutions.com
  store/v1alpha1   Package v1alpha1 contains API Schema definitions for the store v1alpha1 API group +kubebuilder:object:generate=true +groupName=store.externalsecret-operator.container-solutions.com
controllers
pkg
  asm              Package asm implements an external secret backend for AWS Secrets Manager.
  backend          Package backend implements the logic and data structures to handle external backend backends.
  dummy            Package dummy implements an example backend that can be used for testing purposes.
  gsm              Package gsm implements backend for Google Secrets Manager
  onepassword      Package onepassword implements a secrets backend for One Password.
