The k8s-secret-rotation-controller controller is a Kubernetes operator designed to manage secrets stored in AWS Secret Manager. It automates the rotation process of these secrets, ensuring they are regularly updated and synchronized with their Kubernetes counterparts. This controller integrates with AWS services such as STS (Security Token Service) and Secrets Manager to securely manage credentials and secret data.
The k8s-secret-rotation-controller controller is a Kubernetes operator built to simplify the management and rotation of secrets stored in AWS Secret Manager. This controller operates by reconciling custom resources of type AWSSecretGuardian, which define the parameters for secret rotation.
Here's a brief overview of the key functionalities:
-
Secret Rotation: The controller periodically rotates secrets stored in AWS Secret Manager according to predefined schedules specified in the
AWSSecretGuardiancustom resources. -
AWS Integration: It interacts with AWS services such as STS (Security Token Service) to authenticate and obtain user ARNs and Secrets Manager to manage secrets.
-
Kubernetes Integration: The controller ensures synchronization between secrets stored in AWS and their Kubernetes counterparts. It creates or updates Kubernetes secrets based on the rotated values from AWS Secret Manager.
-
Customizable Rotation Parameters: Users can define rotation parameters such as secret name, region, rotation interval (TTL), and keys (attributes) within the
AWSSecretGuardiancustom resources. -
Error Handling: The controller includes error handling mechanisms to manage various scenarios, such as failed authentication, secret creation/update errors, and AWS service errors.
-
Logging and Monitoring: It provides detailed logging using the Kubernetes logging framework to facilitate monitoring and troubleshooting.
By leveraging the AWSSecretGuardian controller, Kubernetes users can streamline the management of secrets stored in AWS, ensuring robust security practices and regulatory compliance.
You’ll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster.
Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster kubectl cluster-info shows).
- Install Instances of Custom Resources:
kubectl apply -f config/samples/- Build and push your image to the location specified by
IMG:
make docker-build docker-push IMG=<some-registry>/k8s-secret-rotation-controller:tag- Deploy the controller to the cluster with the image specified by
IMG:
make deploy IMG=<some-registry>/k8s-secret-rotation-controller:tagTo delete the CRDs from the cluster:
make uninstallUnDeploy the controller from the cluster:
make undeploy// TODO(user): Add detailed information on how you would like others to contribute to this project
This project aims to follow the Kubernetes Operator pattern.
It uses Controllers, which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
- Install the CRDs into the cluster:
make install- Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make runNOTE: You can also run this in one step by running: make install run
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifestsNOTE: Run make --help for more information on all potential make targets
More information can be found via the Kubebuilder Documentation
Copyright 2024.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.