Skip to content
/ cloud-secrets-operator Public

A Kubernetes operator for managing Kubernetes Secrets and the associated AWS Secrets Manager secrets.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

laconc/cloud-secrets-operator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
.github/workflows
.github/workflows
 
 
app
app
 
 
deploy/crds
deploy/crds
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

cloud-secrets-operator

Note: This project is under active development. Features and behavior may change frequently. Not all functionality has been implemented.

Overview

The operator provides a declarative interface for managing secrets from external secret sources (such as AWS Secrets Manager) and syncing them into your cluster as Kubernetes Secrets, with built-in support for secret generation, rotation, and validation.

It introduces two custom resource definitions (CRDs): CloudSecret and CloudSecretProvider.

Features

  • Declarative secret syncing from external providers to Kubernetes Secrets
  • Automatic periodic syncing and optional key rotation
  • Fine-grained control over individual secret keys
  • Support for custom generation, rotation, and validation logic via containers

Getting Started

Will be fleshed out in a future release.

Custom Resources

CloudSecretProvider

Defines a connection to an external secrets provider.

Example:

apiVersion: 64f.dev/v1alpha1
kind: CloudSecretProvider
metadata:
  name: aws-provider
spec:
  provider:
    awsSecretsManager:
      region: us-west-2
      auth:
        secretName: aws-credentials

CloudSecret

Defines a Kubernetes Secret sourced from an external provider.

Spec Highlights:

  • Sync secrets by referencing a provider (CloudSecretProvider) and a secret name
  • Provides for global and per-key configuration for secret generation, rotation, and validation
    • Configuration can consist of secret length, regex patterns, or calling containers for custom logic
apiVersion: 64f.dev/v1alpha1
kind: CloudSecret
metadata:
  name: my-app-secret
spec:
  targets:
    - name: my-k8s-secret
      namespace: current-namespace
  source:
    name: my-aws-secret
  providerRef:
    name: aws-provider
  strict: true # If true, only the specified keys must exist in the external source
  refreshInterval: 5m
  actions:
    create:
      minimum: 32
      maximum: 96
    rotate:
      minimum: 32
      maximum: 96
  keys:
    - name: APP_PASSWORD # Uses the global `actions` config
      rotateInterval: 7d

    - name: API_TOKEN # We define per-key config, which overrides the global config
      rotateInterval: 90d
      actions:
        create:
          pattern: "^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$"
        rotate:
          pattern: "^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$"

    - name: ENCRYPTION_KEY # Assumes the key was explicitly added in the external source. Won't be automatically rotated.
      actions:
        validate:
          container:
            image: my-validation-image:latest
            command: ["./validate-secret"]

Development

Regenerate CRDs

After making changes to the CRD specs at app/src/crds.rs, you can regenerate the CRD manifests with:

make crdgen

About

A Kubernetes operator for managing Kubernetes Secrets and the associated AWS Secrets Manager secrets.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages