An operator to fetch configuration data from cloud services and inject it in Kubernetes

External Config Operator


I wanted to build an operator that reads information from a third-party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.

That's pretty much what this operator does. This is in a very early stage of development and only AWS Secrets Manager is barely supported.

Getting started

I used the Operator SDK to kickstart the project. It automatically uses dep to handle dependencies (which I believe is the right choice, anyway).

To build the project:

make build

This step will build a Docker image and a simple deployment manifest.

The whole thing works on minikube. Export your AWS credentials so the operator can access AWS Secrets Manager, and point your shell at the minikube Docker daemon:

eval $(minikube docker-env)
export AWS_ACCESS_KEY_ID=AKIACONFIGUREME
export AWS_SECRET_ACCESS_KEY=Secretsecretconfigureme 
export AWS_REGION=eu-west-1
make minikube

This will build the project and deploy the operator together with the required RBAC roles and custom resource definitions.

What does it do?

Given a secret defined in AWS Secrets Manager:

% aws secretsmanager get-secret-value --secret-id asecret --query SecretString
"secret"

and an ExternalConfig resource definition like this one:

% cat deploy/cr.yaml 
apiVersion: "externalconfig-operator.container-solutions.com/v1alpha1"
kind: "ExternalConfig"
metadata:
  name: "asecret"
spec:
  Key: "asecret"
  Backend: "asm"

The operator fetches the secret from AWS Secrets Manager and injects it as a Kubernetes Secret:

% kubectl apply -f deploy/cr.yaml
% kubectl get secret asecret -o=go-template='{{ .data.asecret }}' | base64 -d
secret
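
The mapping shown above, as an added sketch that is not the operator's own code: it resolves an ExternalConfig spec against a backend and builds the Secret manifest that the kubectl output reflects. The `Backend` interface, `fakeASM` store and `BuildSecret` function are hypothetical names, and it assumes the Secret takes the resource's name and stores the value under the spec's `Key`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// ExternalConfigSpec mirrors the two spec fields shown in deploy/cr.yaml.
type ExternalConfigSpec struct{ Key, Backend string }

// Backend is a hypothetical interface for a secret store (not the project's type).
type Backend interface{ Get(key string) (string, error) }

// fakeASM is a constructed in-memory stand-in for AWS Secrets Manager.
type fakeASM map[string]string

func (f fakeASM) Get(key string) (string, error) {
	if v, ok := f[key]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q not found", key)
}

// BuildSecret returns a v1 Secret manifest (JSON) for the given resource name.
func BuildSecret(name string, spec ExternalConfigSpec, backends map[string]Backend) ([]byte, error) {
	b, ok := backends[spec.Backend]
	if !ok {
		return nil, fmt.Errorf("unsupported backend %q", spec.Backend)
	}
	value, err := b.Get(spec.Key)
	if err != nil {
		return nil, err // a failed fetch must not produce an empty Secret
	}
	enc := base64.StdEncoding.EncodeToString([]byte(value)) // .data is base64
	return json.Marshal(map[string]interface{}{
		"apiVersion": "v1",
		"kind":       "Secret",
		"type":       "Opaque",
		"metadata":   map[string]string{"name": name},
		"data":       map[string]string{spec.Key: enc},
	})
}

func main() {
	backends := map[string]Backend{"asm": fakeASM{"asecret": "secret"}}
	out, err := BuildSecret("asecret", ExternalConfigSpec{Key: "asecret", Backend: "asm"}, backends)
	fmt.Println(string(out), err)
}
```

The base64 value in `data` is an encoding only, which is why `base64 -d` in the kubectl command recovers the plaintext.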

What's next

This could be just the beginning. If it seems like a good idea to continue development, there are many things to add, for example:

  • more tests
  • proper secrets/configuration backend configuration implementation
  • more secrets/configuration backends
  • helm chart to handle deployment
  • a single ExternalConfig with a list of Secrets
  • support ConfigMaps