sync-secrets-controller

module
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 15, 2020 License: Apache-2.0

README

Secret synchronisation controller

GoReleaser Workflow Go Report Card Go Version Card

Overview

Sometimes, we need to access to a secret from an another namespace, which is impossible because secret are namespaced and only accessible to the secret's namespace. For example, if we have a CA certificate in the namespace A and we want to use it in the namespace B, in order to create a new certificate, we need to create a new secret in B with the content of A. Moreover, because the original secret can be updated, we always need to sync it to the namespace B, manually.

That is why this controller exists. Thanks to annotations on a secret, it can automatically synchronise the secret over several namespaces. However, I do not recommend to use this controller for anything ; Kubernetes Secret's restrictions are here for a good reason and this controller breaks one of theses restrictions.

Annotations

These annotations cannot be used together

secret.sync.klst.pw/all-namespaces: 'true': Synchronize the current secret over all namespace secret.sync.klst.pw/namespace-selector: LABEL_SELECTOR: Synchronize the current secret over all namespace validating the given label selector

Features

This controller can:

  • Synchronize a secret over all namespaces
  • Synchronize a secret on specifics namespaces, thanks label selectors
  • Synchronize on a new namespace when a secret is already "synchronized"
  • Automatically update "slave" secrets when the original is update
  • Automatically restore "slave" secret when it is manually modified
  • Automatically remove "slave" secrets when the original is removed
  • Automatically remove/update "slave" secrets when the original secret annotations are modified/removed
  • Automatically recreate "slave" secret when it is removed

Example

apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret.sync.klst.pw/namespace-selector: require-creds=admin
  name: admin-creds
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

This secret will be synchronized on all namespaces with the label require-creds: admin. For more information about label selector, see Kubernetes label selector

How to install

You can install the deployment in a kubernetes cluster with the following commands

kubectl apply -f https://github.com/xunleii/sync-secrets-controller/tree/master/deploy/rbac.yaml
kubectl apply -f https://github.com/xunleii/sync-secrets-controller/tree/master/deploy/deployment.yaml

This controller is still under development and may introduce breaking changes between versions. Please check the CHANGELOG before updating.

Apache License 2.0

Directories

Path Synopsis
cmd
controller
pkg
controller
registry
registry keeps a local version of all the managed secret states.
 registry keeps a local version of all the managed secret states.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.