Merged
41 commits
b0643c7
feat: added autoreload
nimish-ks Jan 19, 2024
cfaf63f
fix: list index out of range error when referring a non existing secr…
nimish-ks Jan 20, 2024
77542ab
chore: changed redeploy annotation to something more sensible
nimish-ks Jan 20, 2024
24b40f9
chore: bumped version
nimish-ks Jan 20, 2024
54cf7f2
feat: refactored and updated the codebase
nimish-ks Jan 20, 2024
edd4f14
chore: removed unused modules
nimish-ks Jan 20, 2024
ec494f2
chore: removed unused dependencies
nimish-ks Jan 20, 2024
52fbaab
chore: cleaned up useless code
nimish-ks Jan 20, 2024
e298758
chore: added pytest and pyyaml dependency
nimish-ks Jan 20, 2024
ff0c60e
feat: added support for export formats, tags, secret processors etc.
nimish-ks Jan 20, 2024
5a08a57
feat: updated k8s operator
nimish-ks Jan 20, 2024
310e6fd
feat: added unit tests
nimish-ks Jan 20, 2024
88e8e9e
feat: added name transformers, secret processors and secret formats
nimish-ks Jan 21, 2024
d7c01b7
feat: updated the crd
nimish-ks Jan 21, 2024
87edc5d
wip
nimish-ks Jan 21, 2024
c381f96
feat: added support for kubernetes.io/tls secret type
nimish-ks Jan 22, 2024
e0c0b1a
feat: simplified fetch
nimish-ks Jan 22, 2024
be3df68
tmp: moved utils to operator code
nimish-ks Jan 22, 2024
57289aa
feat: added support for secret processors
nimish-ks Jan 22, 2024
c65b903
chore: updated crd template
nimish-ks Jan 22, 2024
553f285
chore: refactored the project
nimish-ks Jan 22, 2024
5ab0418
chore: delete unused operator.py
nimish-ks Jan 22, 2024
ffc4efd
feat: added support for tag based filtering
nimish-ks Jan 22, 2024
dd506a0
fix: Dockerfile
nimish-ks Jan 22, 2024
7c6eb54
feat: added development instructions on the readme
nimish-ks Jan 23, 2024
e202cba
chore: updated the README
nimish-ks Jan 23, 2024
44ac0ac
feat: updated crd to add phaseApp context
nimish-ks Jan 24, 2024
91cf74a
feat: added phase_app in operator
nimish-ks Jan 24, 2024
b23074b
chore: updated cr template
nimish-ks Jan 24, 2024
054031e
chore: updated crd
nimish-ks Jan 24, 2024
f12b47c
chore: bumped version
nimish-ks Jan 24, 2024
d1cf59c
chore: bumped version
nimish-ks Jan 24, 2024
e2eabed
chore: misc readme fixes
rohan-chaturvedi Jan 24, 2024
26c4c72
fix: tags
nimish-ks Jan 24, 2024
ab63c63
fix: reloading
nimish-ks Jan 24, 2024
787f780
feat: added default secret type as opaque
nimish-ks Jan 24, 2024
f6858f6
fix: redeployments
nimish-ks Jan 25, 2024
0854139
feat: updated cr on readme
nimish-ks Jan 27, 2024
6b2f90f
revert: to 60 second polling rate
nimish-ks Jan 27, 2024
8057c21
feat: added default secretType in crd template
nimish-ks Jan 27, 2024
f78ac67
Merge branch 'main' into feat--auto-redeploy
nimish-ks Jan 27, 2024
4 changes: 2 additions & 2 deletions Dockerfile
Expand Up @@ -6,7 +6,7 @@ WORKDIR /app

# Copy the necessary files
COPY src/ /app/src/
COPY requirements.txt phase_kubernetes_operator.py /app/
COPY requirements.txt /app/

# Install required Python packages
RUN pip install --no-cache-dir -r requirements.txt
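Review bot: with `COPY src/ /app/src/` placed before `COPY requirements.txt /app/`, every change under `src/` invalidates the cached layer for `RUN pip install --no-cache-dir -r requirements.txt`, so dependencies are reinstalled on each source edit; copying `requirements.txt` and running the install first, then copying `src/`, keeps the dependency layer reusable and makes the image rebuild cheaper for the same result.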
Expand All @@ -19,4 +19,4 @@ RUN adduser -D operator-usr
USER operator-usr

# Run the operator script using Kopf
CMD ["kopf", "run", "/app/phase_kubernetes_operator.py"]
CMD ["kopf", "run", "/app/main.py"]
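Review bot: the new `CMD ["kopf", "run", "/app/main.py"]` points at a path that the visible `COPY` lines never create: the sources are copied with `COPY src/ /app/src/`, so the entrypoint lands at `/app/src/main.py`, which is also what the README's development step runs (`kopf run src/main.py`). Unless one of the collapsed lines copies `main.py` to `/app/` separately, the container will fail at start-up; suggest `CMD ["kopf", "run", "/app/src/main.py"]` so the image and the README agree on the entrypoint.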
171 changes: 164 additions & 7 deletions README.md
@@ -1,6 +1,7 @@
# Phase Kubernetes Operator

### Securely manage and sync environment variables with Phase in your Kubernetes cluster.
### Securely sync secrets and environment variables with Phase in your Kubernetes cluster.

```
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⠔⠋⣳⣖⠚⣲⢖⠙⠳⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⡴⠉⢀⡼⠃⢘⣞⠁⠙⡆⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
Expand All @@ -21,12 +22,168 @@
```

## Features
// To DO

## Installation
// To DO
- Automatically sync secrets to your Kubernetes cluster
- End-to-End encryption
- Automatically redeploy deployments when a secret is updated
- Sync secrets based on environment (dev, staging, prod) and tags
- Transform secrets via secret processors

```yaml
metadata:
annotations:
secrets.phase.dev/redeploy: "true"
```

## Installation:

### 1. Install the Operator via Helm

Add the Phase Helm repository and update it:

```fish
helm repo add phase https://helm.phase.dev && helm repo update
```

Install the Phase Secrets Operator:

```fish
helm install phase-secrets-operator phase/phase-kubernetes-operator --set image.tag=v0.1.0
```

It's best practice to specify the version in production environments to avoid
unintended upgrades. Find available versions on our [GitHub
releases](https://github.com/phasehq/kubernetes-secrets-operator/releases).

### 2. Create a Service Token Secret in Kubernetes

Securely create a Service Token Secret using `read` (recommended for more security as it avoids writing the token to disk or shell history)

Run this command, paste the Phase Service Token and hit enter:

```fish
read -s TOKEN
kubectl create secret generic phase-service-token \
--from-literal=token=$TOKEN \
--type=Opaque \
--namespace=default
unset TOKEN
```

Alternatively, create it directly using `kubectl`:

```fish
kubectl create secret generic phase-service-token \
--from-literal=token=<TOKEN> \
--type=Opaque \
--namespace=default
```

### 3. Deploy the Phase Secrets Operator CR (Custom Resource)

Create a custom resource file: `phase-secrets-operator-cr.yaml`

```yaml
apiVersion: secrets.phase.dev/v1alpha1
kind: PhaseSecret
metadata:
name: example-phase-secret
namespace: default
spec:
phaseApp: "the-name-of-your-phase-app" # The name of your Phase application
phaseAppEnv: "prod" # OPTIONAL - The Phase application environment to fetch secrets from
phaseHost: "https://console.phase.dev" # OPTIONAL - URL of the Phase Console instance
authentication:
serviceToken:
serviceTokenSecretReference:
secretName: "phase-service-token" # Name of the service token with access to your Phase application
secretNamespace: "default"
managedSecretReferences:
- secretName: "my-application-secret" # Name of the Kubernetes managed secret that Phase will sync
secretNamespace: "default"
```

Deploy the custom resource:

```fish
kubectl apply -f phase-secrets-operator-cr.yaml
```

Watch for `my-application-secret` managed secret being created:

```fish
watch kubectl get secrets
```

View the secrets:

```fish
kubectl get secret my-application-secret -o yaml
```

The operator automatically synchronizes secrets every 60 seconds.

## Usage
// To DO
[Phase Kubernetes Operator - Docs](https://docs.phase.dev/integrations/platforms/kubernetes)

Development:
## Development:

1. Install python dependencies

```
pip3 install -r requirements.txt
```

2. Create a local kind cluster (skip if you have one already setup)

```fish
kind create cluster
```

3. Export kindconfig

```
kind get kubeconfig --name "kind" > ~/.kube/config
```

Verify that the cluster is up:

```
kubectl get nodes
```

4. Create a copy of the CR (Custom Resource) and CRD (Custom Resource Definition):

```
cp cr-template.yaml dev-cr.yaml
```

```
cp crd-template.yaml dev-crd.yaml
```

Feel free to make changes

5. Create a secret in kubernetes containing the Phase Service Token

```fish
kubectl create secret generic phase-service-token \
--from-literal=token=<YOUR_PHASE_SERVICE_TOKEN> \
--type=Opaque \
--namespace=default
```

6. Apply the CRD and CR respectively

```fish
kubectl apply -f dev-crd.yaml
```

```fish
kubectl apply -f dev-cr.yaml
```

7. Start the operator via Kopf

```fish
kopf run src/main.py
```
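Review bot: the `read -s TOKEN` recipe in step 2 is described as avoiding the token hitting disk or shell history, but it still hands the token to kubectl as a command-line argument (`--from-literal=token=$TOKEN`), which is readable in the process list by other users on the same host for the duration of the call; reading it from stdin instead (for example `--from-file=token=/dev/stdin` with the token piped in) keeps it out of `ps` as well, or the sentence should state that limitation. Two smaller points in the same hunk: the `secrets.phase.dev/redeploy: "true"` snippet under Features does not say which object it is meant for (presumably the `metadata.annotations` of the Deployment to be restarted), and the Development section lists the `kind get kubeconfig` step as "Export kindconfig", leaves a stray `Development:` line above the `## Development:` heading, and keeps a trailing colon on `## Installation:` that the other headings do not use.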
6 changes: 4 additions & 2 deletions cr-template.yaml
Expand Up @@ -4,13 +4,15 @@ metadata:
name: example-phase-secret
namespace: default
spec:
phaseAppEnv: "prod" # OPTIONAL - The Phase application environment to fetch secrets from
phaseApp: "your-phase-application" # The name of your Phase application
phaseAppEnv: "production" # OPTIONAL The Phase application environment to fetch secrets from
phaseAppEnvTag: "certs" # OPTIONAL Tag for filtering secrets in the specified Phase app environment.
phaseHost: "https://console.phase.dev" # OPTIONAL - URL of a Phase Console instance
authentication:
serviceToken:
serviceTokenSecretReference:
secretName: "phase-service-token" # Name of the Phase service token with access to your application
secretNamespace: "default"
managedSecretReferences: # Managed secrets in Kubernetes that Phase will sync secrets with
- secretName: "my-application-secret" # Name of the managed secret in Kubernetes that will be consumed by your application
- secretName: "my-application-secret" # Name of the managed secret in Kubernetes that will be consumed by your application
secretNamespace: "default"
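Review bot: the template's sample values drift from the README added in this same PR: here `phaseAppEnv` is `"production"` and `phaseApp` is `"your-phase-application"`, while the README's custom resource uses `"prod"` and `"the-name-of-your-phase-app"`; since `phaseAppEnv` is passed to the Phase API as an environment name, a reader copying one example and reading the other may not know whether `prod` and `production` are both valid. Pick one value for both files. Also, the new `phaseAppEnv` and `phaseAppEnvTag` comments drop the `OPTIONAL -` separator that the `phaseHost` line keeps; aligning the three comments is a one-line cleanup.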