A Kustomize Plugin to get Secrets out of various Secret Managers
Each Kubernetes secret object is represented by one object of kind EncryptedSecret.
The metadata.name and metadata.namespace of the object will be the name and namespace of
the Kubernetes secret, with a possible suffix hash. The key names are each represented by
a secret in a Secrets Manager, see below for naming.
- Google Secret Manager
- AWS Secrets Manager
- The Go plugin has to be built with the exact same version of Go modules as Kustomize.
- We intend to add more versions to the releases as Kustomize progresses.
- Kustomize versions: v3.5.4
- Go version 1.13 or higher
- Kustomize updates all references to a secret's name in all other Kubernetes objects, even when a suffix hash is used.
- You can disable the suffix hash by setting `disableNameSuffixHash: true`, see examples.
- You can set the Kubernetes secret `type` for TLS secrets and the like, see examples.
- You can set the Kustomize `behavior:` to `replace`, `merge`, or `create` (default is `create`).
- To name each Secret Manager secret:
  - Use lower case in key names
  - Take the `metadata.name` of your `EncryptedSecret` and join it to the key name using an underscore
  - Replace all instances of `.` and `/` in key names with `_`
  - Also see examples
- Example: an `EncryptedSecret` object named `my-secrets` with keys `creds.json` and `ca.crt` translates to secrets in a Secrets Manager named `my-secrets_creds_json` and `my-secrets_ca_crt` respectively, and the YAML file would look like this:
```yaml
apiVersion: crd.forgecloud.com/v1
kind: EncryptedSecret
metadata:
  name: my-secrets
  namespace: default
source: GCP
gcpProjectID: my-gcp-project-id
keys:
  - creds.json
  - ca.crt
```

These files are then referenced in a `kustomization.yaml` under `generators:`.
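To show how the naming rule above turns an `EncryptedSecret` into Secret Manager lookups and a generated Kubernetes Secret, here is an added example (not the plugin's own code): `managerSecretName` applies the `metadata.name` + `_` + key rule with `.` and `/` replaced, and `buildSecret` resolves each key through a hypothetical `fetch` callback (standing in for the GCP/AWS client) against a constructed in-memory store, rejecting keys that are not lower case.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// managerSecretName applies the naming rule above: metadata.name + "_" + key, with "." and "/" replaced by "_".
func managerSecretName(secretName, key string) string {
	return secretName + "_" + strings.NewReplacer(".", "_", "/", "_").Replace(key)
}

// buildSecret resolves each key through fetch (a hypothetical stand-in for the GCP/AWS client, not the
// plugin's API) and returns the Kubernetes Secret a generator would emit, base64-encoded under "data".
func buildSecret(name, ns, typ string, keys []string, fetch func(string) ([]byte, error)) (map[string]interface{}, error) {
	data := map[string]string{}
	for _, key := range keys {
		if key != strings.ToLower(key) { // the naming rule requires lower-case key names
			return nil, fmt.Errorf("key %q must be lower case", key)
		}
		val, err := fetch(managerSecretName(name, key))
		if err != nil {
			return nil, fmt.Errorf("fetch %s: %w", managerSecretName(name, key), err)
		}
		data[key] = base64.StdEncoding.EncodeToString(val)
	}
	return map[string]interface{}{"apiVersion": "v1", "kind": "Secret", "type": typ, "data": data,
		"metadata": map[string]string{"name": name, "namespace": ns}}, nil
}

// demoFetch reads from a constructed in-memory map that stands in for a real Secret Manager.
func demoFetch(n string) ([]byte, error) {
	store := map[string][]byte{"my-secrets_creds_json": []byte(`{"id":"x"}`), "my-secrets_ca_crt": []byte("PEM")}
	if v, ok := store[n]; ok {
		return v, nil
	}
	return nil, fmt.Errorf("%s not found", n)
}

func main() {
	s, err := buildSecret("my-secrets", "default", "Opaque", []string{"creds.json", "ca.crt"}, demoFetch)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(s, "", "  ")
	fmt.Println(string(out))
}
```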
The plugin uses Go libraries provided by GCP and AWS, both of which automatically try various forms of authentication.
- Run `gcloud auth application-default login`, follow the instructions, done, OR
- Set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the path of a GCP Service or User Account credentials file.
- For additional options and more information, see the library docs.
- Set up an `~/.aws/credentials` file, done, OR
- For additional options and more information, see "Configuring Credentials" here.
- Kustomize expects the Go plugin to be here: `$XDG_CONFIG_HOME/kustomize/plugin/crd.forgecloud.com/v1/encryptedsecret/EncryptedSecret.so`.
- For more information, see the docs.
- On most Unix systems, `$XDG_CONFIG_HOME` is `~/.config`, but you can set it to wherever you like. We often just build the plugin in place and set `XDG_CONFIG_HOME=.`, as seen below.
- Build and run the plugin without Docker like this:
```bash
git clone git@github.com:ForgeCloud/ksecrets.git
cd ksecrets
go get -gcflags="all=-N -l" sigs.k8s.io/kustomize/kustomize/v3@v3.5.4
cd kustomize/plugin/crd.forgecloud.com/v1/encryptedsecret
go build -gcflags="all=-N -l" -buildmode plugin -o EncryptedSecret.so encryptedsecret.go
cd ../../../../..
# assuming your Kustomize configs are in ./kustomize
XDG_CONFIG_HOME=. kustomize build --enable_alpha_plugins kustomize/overlays/my-overlay
```

- Build and run the plugin with Docker like this, swapping out your email address if using GCP:
```bash
git clone git@github.com:ForgeCloud/ksecrets.git
cd ksecrets
docker build -t my-image-repo:latest .
# assuming your Kustomize configs are in ./kustomize
# for GCP
docker run -it --rm -v $(pwd):/mnt \
  -v $HOME/.config/gcloud/legacy_credentials/myemail@example.com/adc.json:/credentials/adc.json \
  -e GOOGLE_APPLICATION_CREDENTIALS=/credentials/adc.json \
  my-image-repo:latest \
  -- 'kustomize build --enable_alpha_plugins /mnt/kustomize/overlays/my-overlay'
# for AWS
docker run -it --rm -v $(pwd):/mnt \
  -v $HOME/.aws/credentials:/root/.aws/credentials \
  my-image-repo:latest \
  -- 'kustomize build --enable_alpha_plugins /mnt/kustomize/overlays/my-overlay'
```