Kubernetes Credentials
Homepage |
Twitter |
Code of Conduct |
Contribution Guidelines
Manifold gives you a single account to purchase and manage cloud services from
multiple providers, giving you managed logging, email, MySQL, Postgres,
Memcache, Redis, and more. Manifold also lets you register configurations for
your services external to Manifold's marketplace, giving you a single location
to organize and manage the credentials for your environments.
This package allows you to load Manifold credentials
into your Kubernetes cluster. These credentials will be stored as a Kubernetes
secrets so you can use them as such in your deployments.
Usage
We've utilised Kubernetes' CRD
implementation to allow you to define fine grained control over your
credentials. As with our Terraform provider,
we allow you to filter out projects, resources and specific credentials you want
to load.
Getting started
To use this, you'll need an account with
Manifold and some configuration
stored there. You can provision free or paid plans, or insert and manage your
own configuration values.
You'll also want to install the Manifold CLI
so that you can generate auth tokens.
Defining credentials
Defining credentials happens through our Custom Resource Definition. We have
two ways of defining how you would like to get credentials.
Note: Currently, Kubernetes does not provide a way to validate CRDs. Because
of this, we advise you to double check your definitions and monitor the output
of the controller if you experience issues. Adding validation
is a work in progress. Once
this is added to the Kubernetes core, we'll look at providing this as well.
Note: The minimum requirement to define a specific credential is its key.
If you provide a name, this name will be used as a key reference in the k8s
secret. A default value can also be provided. If a default value is provided for
a key that does not exist in the Manifold credentials list, this default value
will be used to populate the credential.
Project
You can load multiple credentials at once for a specific project, as described
in this manifest file.
Resource
If you only want to get the credentials from a specific resource, you can do
this as described in this manifest file.
Referencing the credentials
Once you've set up the controller (see setting up the controller),
the controller will start looking for the resources defined earlier and write
the values from Manifold to the respective Kubernetes secret. This means that
when a credential changes, the secret will also be updated automatically with
the new value.
By using exsiting Kubernetes secrets, we allow you to use the Manifold
credentials as secrets. We've provided an example manifest file.
Installation
Setting up the Manifold Auth Token to retrieve the credentials
First, you'll need to create a new Auth Token:
$ manifold tokens create
Once you have the token, you'll want to create a new Kubernetes Secret:
$ kubectl create secret generic manifold-secrets --from-literal=api_token=<AUTH_TOKEN> --from-literal=team=<MANIFOLD_TEAM>
Note: The team value is optional. If a team is provided in the controller
(see below), only resources that define this team will be picked up and used
to load the credentials. If no team is defined, this is ignored.
Setting up the controller
Next, you'll need to set up the controller. The controller takes care of
monitoring your Resource Definitions and populating the correct Kubernetes
Secrets with Manifold Credentials. Without it, nothing will happen.
$ kubectl create -f https://raw.githubusercontent.com/manifoldco/kubernetes-credentials/master/credentials-controller.yml
Note: You can customise this credentials-controller file. This is a general
purpose ReplicaSet. K8S_NAMESPACE
and MANIFOLD_AUTH_TOKEN
are required
environment variables.
Releasing
To release a new version of this package, use the Make target release
:
$ VERSION=0.1.2 make release
This will update the Version in version.go
, commit the changes and set up a
new tag.