g8s
Introduction
g8s
= generators for gates. G8s is a Kubernetes runtime application which provides two main pieces of functionality meant to be used in conjunction with each other:
- Automatically generate values for certain kinds of secrets that apps depend on.
- Enable cluster admins to propagate these secrets to any apps that need them.
It aims to be useful in the following situations when an app needs a certain value X in order to run:
- You don't necessarily care what value X is, you just need a valid X to be there so that the app can start.
- You don't have access to the value of X but the app needs it in order to work properly, e.g. X is a secret owned by admins but also needed by devs.
Getting Started
Prerequisites
- Kubernetes cluster, v1.24 and above
Installation
curl https://raw.githubusercontent.com/jrodonnell/g8s/main/hack/install.sh | bash
And then?
- Create some objects in the
g8s
namespace, see the /manifests/samples
folder for some examples
- Create a namespace with the
g8s-injection: enabled
label or add it to an existing one
kubectl edit allow g8s-master
to set some propagation rules into that namespace
- If the rule is valid, backend Secrets should immediately propagate into the namespace
- Deploy an app with labels that match your propagation rules into the namespace you created in step 2 and voilà!
Uninstallation
curl https://raw.githubusercontent.com/jrodonnell/g8s/main/hack/uninstall.sh | bash
Description
Secret Creation
G8s comes with its own CustomResourceDefinitions which are all backed by regular Kubernetes Secret objects. At this time, the custom types are Login
, SelfSignedTLSBundle
, and SSHKeyPair
.
For more information about these types as well as their backing Secret objects, see the Technical Specification in this repo's wiki. For some examples on how to create some g8s objects, see the
/manifests/samples
directory.
Upon creation of one of these g8s types, the controller creates two Secrets: one which acts as the backend for the g8s type and one that stores its history. The backend Secret will contain
the values generated and follows the naming pattern of $TYPE-$NAME
; e.g. for a Login
object named root
, the backend Secret will be called login-root
. The history Secret appends
-history
to this same name, so following this same example the history Secret would be called login-root-history
. The history Secret currently only provides a source of redundancy, but
will be used more extensively in the future when rotation for g8s types is implemented.
Secret Propagation
G8s types will always stay in the namespace in which they are created, but their backend Secrets can be copied into other namespaces for other apps to use.
The Allowlist
type is where these propagation rules are defined. There are currently a few assumptions hard-coded in (but could be configurable in the future):
- You can create g8s objects in any namespace, but only those in the
g8s
namespace can be propagated.
- Only one Allowlist, which must be called
g8s-master
, is supported.
- Namespaces must have the label
g8s-injection: enabled
in order to receive propagated Secrets.
All propagated Secrets are owned by the Allowlist and will have an ownerReference
set as such. Propagation takes place when the Allowlist is created or updated. If a target is removed
from the Allowlist, its previously propagated Secret will be deleted.
The Allowlist also serves as a configuration source for a MutatingWebhookConfiguration called g8s-webhook
. This webhook watches all Pod admissions in namespaces with the label g8s-injection: enabled
, checks to see if it matches any Target in the Allowlist based on the selector, and mutates the Pod accordingly if so. It will add Volumes for the backend Secret, VolumeMounts to
/var/run/secrets/g8s/$SECRETNAME
, and EnvVars for each value of the Secret. EnvVar naming follows the pattern of $SECRETNAME_$DATAFIELD
, e.g. LOGIN_ROOT_PASSWORD
.
There is also a ValidatingWebhookConfiguration which checks the Allowlist to ensure that the g8s
namespace is not targeted in any propagation rules and that the selectors in the targets
are valid.
License
Copyright 2024 James Riley O'Donnell.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.