basilfx/templated-secrets

templated-secrets

A Kubernetes operator to template secrets dynamically.

Introduction

This Kubernetes operator allows you to create secrets dynamically from templates.

Secrets can be used as environment variables for Pods, using envFrom or valueFrom. Sometimes it is desirable to create an environment variable based on one or more secrets. While it is possible to use variable substitution to combine one or more environment variables, it is quite cumbersome to include this in your Pod spec, especially if you need to rewrite secret names. In addition, all the variables necessary will pollute the environment of the Pod.

Usage

The spec is quite similar to a regular Secret.

Basic usage

apiVersion: k8s.basilfx.net/v1alpha1
kind: TemplatedSecret
metadata:
  name: <name>
  namespace: <namespace>
spec:
  data:
    key1: <template>
    key2: <template>
    ...
    keyN: <template>

A template is a regular string that can contain one or more variable references that will be replaced. A variable is defined as $(namespace > secretRef > key), or $(secretRef > key) if the secretRef is within the same namespace as the template.

Using $(..) as syntax for variable references does not conflict with the Sprig templating language as used by Helm and others. Note that advanced manipulation of variables is not supported.

Although it is possible to use a TemplatedSecret just like a regular Secret, it should not be used as such. Furthermore, the values are treated as regular strings (not Base64 encoded).

If any of the variables cannot be resolved, the Secret will not be created (or updated) and the TemplatedSecret will be re-queued for reconciliation. Furthermore, if the TemplatedSecret would overwrite an existing Secret that it does not own, it will not continue. In both cases, the status of the TemplatedSecret will be updated.

Advanced usage

It is also possible to define additional metadata. See the example below:

apiVersion: k8s.basilfx.net/v1alpha1
kind: TemplatedSecret
metadata:
  name: <name>
  namespace: <namespace>
spec:
  template:
    type: Opaque
    metadata:
      name: <another-name>
      labels:
        app: some-app
  data:
    key1: <template>
    key2: <template>
    ...
    keyN: <template>

Example

Given the following Secrets:

apiVersion: v1
kind: Secret
metadata:
  name: common-secrets
  namespace: default
type: Opaque
stringData:
  host: example.org
---
apiVersion: v1
kind: Secret
metadata:
  name: other-secrets
  namespace: admin
type: Opaque
stringData:
  token: 123hello456world

The TemplatedSecret below will deploy and control another Secret, based on the template you define:

apiVersion: k8s.basilfx.net/v1alpha1
kind: TemplatedSecret
metadata:
  name: templated-secret
  namespace: default
spec:
  data:
    connectionString: "http://$(common-secrets > host)?token=$(admin > other-secrets > token)"
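The substitution the operator performs for the example above, written as an added, stand-alone Go example (not the project's own code): the Resolve function, the secrets map keyed as "namespace/name" and the reference pattern are assumptions. It also covers the failure case from the Usage section, where an unresolvable or malformed reference means no value is produced at all.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refPattern matches one $(...) variable reference inside a template.
var refPattern = regexp.MustCompile(`\$\(([^)]*)\)`)

// Resolve expands $(namespace > secretRef > key) and $(secretRef > key) references
// in tmpl; ns is the TemplatedSecret's namespace, secrets is keyed "namespace/name"
// with plain-string values. Any malformed or unresolvable reference yields an error.
func Resolve(tmpl, ns string, secrets map[string]map[string]string) (string, error) {
	var problems []string
	out := refPattern.ReplaceAllStringFunc(tmpl, func(m string) string {
		parts := strings.Split(refPattern.FindStringSubmatch(m)[1], ">")
		for i := range parts {
			parts[i] = strings.TrimSpace(parts[i])
		}
		secretNS := ns
		if len(parts) == 3 { // explicit-namespace form
			secretNS, parts = parts[0], parts[1:]
		}
		if len(parts) != 2 {
			problems = append(problems, "malformed "+m)
			return m
		}
		val, ok := secrets[secretNS+"/"+parts[0]][parts[1]]
		if !ok {
			problems = append(problems, "unresolved "+m)
			return m
		}
		return val
	})
	if len(problems) > 0 {
		return "", fmt.Errorf("template not resolvable: %s", strings.Join(problems, "; "))
	}
	return out, nil
}

func main() {
	// Constructed inputs mirroring the README example above.
	secrets := map[string]map[string]string{
		"default/common-secrets": {"host": "example.org"},
		"admin/other-secrets":    {"token": "123hello456world"},
	}
	fmt.Println(Resolve("http://$(common-secrets > host)?token=$(admin > other-secrets > token)", "default", secrets))
}
```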

Building

The easiest way to get started is to use the Dockerfile and build the application in Docker. Simply run docker build . --tag image:tag.

Alternatively, run make run to build and start this service.

This project depends on the Operator SDK. Refer to this project for more information.

Helm chart

A Helm chart is provided in the helm/ folder.

TODO

  • Reconcile when any referenced secrets update.
  • Template is only applicable for new secrets.

License

See the LICENSE.md file (MIT license).
