  • Stars: 197
  • Rank: 197,722 (Top 4 %)
  • Language: Go
  • License: Apache License 2.0
  • Created over 4 years ago
  • Updated 7 months ago


Repository Details

A Kubernetes operator to sync secrets from AWS Secrets Manager

Kube-secret-syncer

Kube-secret-syncer is a Kubernetes operator developed using the Kubebuilder framework that keeps the values of Kubernetes Secrets synchronised to secrets in AWS Secrets Manager.

This mapping is described in a Kubernetes custom resource called SyncedSecret. The operator polls AWS for changes in secret values at regular intervals, and upon detecting changes, updates the Kubernetes Secrets.

WARNING: updating the value of a secret in AWS Secrets Manager overwrites the corresponding Kubernetes Secret, so it can be a destructive action.

Comparison to existing projects

Kube-secret-syncer is similar to other projects such as:

Kube-secret-syncer improves on this approach:

  • uses caching to only retrieve the value of secrets when they have changed, substantially reducing costs when syncing a large number of secrets.
  • enables sophisticated access control to secrets in AWS SecretsManager using IAM roles - see our security model
  • supports templated fields for Kubernetes secrets - enabling the use of values from multiple AWS SecretsManager secrets in one Kubernetes Secret

Defining mapping between an AWS SecretsManager secret and a Kubernetes Secret

The following resource maps the AWS Secrets Manager secret secretsyncer/secret/sample to the Kubernetes Secret demo-service-secret and copies every key-value pair from the AWS secret into the Kubernetes Secret. For this mode, the AWS Secrets Manager secret must be a valid JSON object consisting only of string key-value pairs.

To access the secret, kube-secret-syncer assumes the role iam_role before polling it. Note that this role must be assumable by the Kubernetes node role the operator runs with, and, when the namespace carries the kube2iam annotation, must be listed in that annotation.

apiVersion: secrets.contentful.com/v1
kind: SyncedSecret
metadata:
  name: demo-service-secret
  namespace: kube-secret-syncer
spec:
  IAMRole: iam_role
  dataFrom:
    secretRef:
      name: secretsyncer/secret/sample
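A dataFrom mapping only works when the AWS secret is a flat JSON object of strings, and Kubernetes additionally restricts what a Secret data key may look like. The following is an added example, not code from kube-secret-syncer, showing the check a practitioner would run on a secret value before pointing a dataFrom at it; the sample secret strings are constructed here, and the exact error behaviour of the operator on malformed input is not something this page states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample secret strings (not real Secrets Manager content).
const (
	flatSecret   = `{"user":"contentful","password":"s3cr3t","host":"db.internal"}`
	nestedSecret = `{"user":"contentful","tls":{"cert":"-----BEGIN CERTIFICATE-----","key":"..."}}`
	badKeySecret = `{"user name":"contentful"}`
	nonJSON      = "-----BEGIN CERTIFICATE-----\nMIIB..."
)

// Kubernetes only accepts Secret data keys matching this pattern.
var validDataKey = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// secretToData converts a Secrets Manager secret string into the key/value
// map a dataFrom mapping would copy into the Kubernetes Secret. It fails
// closed on anything dataFrom cannot represent: non-JSON input, nested or
// non-string values, and keys Kubernetes would reject. Catching this before
// the write avoids producing a partial or empty Secret that the consuming
// workload then starts with.
func secretToData(secretString string) (map[string]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal([]byte(secretString), &raw); err != nil {
		return nil, fmt.Errorf("secret is not a JSON object: %w", err)
	}
	data := make(map[string]string, len(raw))
	for k, v := range raw {
		if !validDataKey.MatchString(k) {
			return nil, fmt.Errorf("key %q is not a valid Kubernetes Secret data key", k)
		}
		var s string
		if err := json.Unmarshal(v, &s); err != nil {
			return nil, fmt.Errorf("key %q: value must be a JSON string, got %s", k, v)
		}
		data[k] = s
	}
	return data, nil
}

// keys returns the data keys in a stable order, for printing.
func keys(data map[string]string) []string {
	out := make([]string, 0, len(data))
	for k := range data {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	samples := map[string]string{
		"flat": flatSecret, "nested": nestedSecret, "badKey": badKeySecret, "nonJSON": nonJSON,
	}
	for name, s := range samples {
		data, err := secretToData(s)
		if err != nil {
			fmt.Printf("%-8s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-8s accepted, keys: %v\n", name, keys(data))
	}
}
```

Certificates and other non-JSON material belong in a data entry with secretRef (shown further down), where the raw string is copied as-is, rather than in a dataFrom mapping.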

If you only need to retrieve select keys in a single AWS secret, or multiple keys from different AWS secrets, you can use the following syntax:

apiVersion: secrets.contentful.com/v1
kind: SyncedSecret
metadata:
  name: demo-service-secret
  namespace: kube-secret-syncer
spec:
  IAMRole: iam_role
  data:
    # Sets the key mysql_user for the Kubernetes Secret "demo-service-secret" to "contentful"
    - name: mysql_user
      value: "contentful"
    # Takes the value for key "password" from the Secrets Manager secret "mysql", assign to the
    # key "mysql_pw" of the Kubernetes secret "demo-service-secret"
    - name: mysql_pw
      valueFrom:
        secretKeyRef:
          name: mysql
          key: password
    - name: datadog_access_key
      valueFrom:
        secretKeyRef:
          name: datadog
          key: access_key

You can also choose to store non-JSON values in AWS Secrets Manager, which may be more convenient for data such as certificates.

apiVersion: secrets.contentful.com/v1
kind: SyncedSecret
metadata:
  name: demo-service-secret
  namespace: kube-secret-syncer
spec:
  IAMRole: iam_role
  data:
    # Sets the key ssl-certificate for the Kubernetes Secret "demo-service-secret"
    # to the value of the secret "apache/ssl-cert"
    - name: ssl-certificate
      valueFrom:
        secretRef:
          name: apache/ssl-cert

Templated fields

Kube-secret-syncer supports templated fields. This allows you, for example, to iterate over all secrets that share a tag and render them into a configuration file, as in the following example:

apiVersion: secrets.contentful.com/v1
kind: SyncedSecret
metadata:
  name: pgbouncer.txt
  namespace: kube-secret-syncer
spec:
  IAMRole: iam_role
  data:
    - name: pgbouncer-hosts
      valueFrom:
        template: |
          {{- $cfg := "" -}}
          {{- range $secretID, $_ := filterByTagKey .Secrets "tag1" -}}
            {{- $secretValue := getSecretValueMap $secretID -}}
            {{- $cfg = printf "%shost=%s user=%s password=%s\n" $cfg $secretValue.host $secretValue.user $secretValue.password -}}
          {{- end -}}
          {{- $cfg -}}

This iterates over all secrets kube-secret-syncer has access to, selects those that have the tag "tag1" set, and for each of them appends a configuration line to $cfg. $cfg is then assigned to the key "pgbouncer-hosts" of the Kubernetes Secret pgbouncer.txt.

The template is a Go template with the following elements defined:

  • .Secrets - a map containing all listed secrets (without their value)
  • filterByTagKey - a helper function to filter the secrets by tag
  • getSecretValue - will retrieve the raw value of a Secret in SecretsManager, given its secret ID
  • getSecretValueMap - will retrieve the value of a Secret in SecretsManager that contains a JSON, given its secret ID - as a map
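To see how the template above is actually evaluated, the following added example (not code from kube-secret-syncer) registers the three helpers with Go's text/template and renders the pgbouncer template against an in-memory stand-in for the Secrets Manager listing. The shape of the .Secrets entries, the helper signatures, and the secret IDs and values are assumptions made for the example; what the page does fix is that the helpers are plain Go template functions, that .Secrets carries no values, and that values are only fetched by getSecretValue/getSecretValueMap.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// secretMeta is what .Secrets exposes per listed secret: metadata such as
// tags, never the value (the exact type shape is an assumption of this example).
type secretMeta struct {
	Tags map[string]string
}

// Constructed in-memory stand-ins for the Secrets Manager list and values.
var listedSecrets = map[string]secretMeta{
	"pg/shard-a": {Tags: map[string]string{"tag1": "", "env": "prod"}},
	"pg/shard-b": {Tags: map[string]string{"tag1": ""}},
	"datadog":    {Tags: map[string]string{"env": "prod"}},
}

var secretValues = map[string]string{
	"pg/shard-a": `{"host":"a.db.internal","user":"app","password":"pw-a"}`,
	"pg/shard-b": `{"host":"b.db.internal","user":"app","password":"pw-b"}`,
	"datadog":    `dd-key`,
}

// filterByTagKey keeps only the secrets that carry tagKey (with any value).
func filterByTagKey(secrets map[string]secretMeta, tagKey string) map[string]secretMeta {
	out := map[string]secretMeta{}
	for id, meta := range secrets {
		if _, ok := meta.Tags[tagKey]; ok {
			out[id] = meta
		}
	}
	return out
}

// getSecretValue returns the raw secret string. Returning an error from a
// template function aborts rendering, so a reference to an unknown secret
// fails the whole field instead of silently producing an empty entry.
func getSecretValue(id string) (string, error) {
	v, ok := secretValues[id]
	if !ok {
		return "", fmt.Errorf("secret %q not found or not accessible", id)
	}
	return v, nil
}

// getSecretValueMap parses a JSON secret into a map so the template can use
// $value.host style lookups.
func getSecretValueMap(id string) (map[string]string, error) {
	raw, err := getSecretValue(id)
	if err != nil {
		return nil, err
	}
	m := map[string]string{}
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, fmt.Errorf("secret %q is not a flat JSON object: %w", id, err)
	}
	return m, nil
}

// pgbouncerTemplate is the valueFrom.template from the SyncedSecret above.
const pgbouncerTemplate = `{{- $cfg := "" -}}
{{- range $secretID, $_ := filterByTagKey .Secrets "tag1" -}}
  {{- $secretValue := getSecretValueMap $secretID -}}
  {{- $cfg = printf "%shost=%s user=%s password=%s\n" $cfg $secretValue.host $secretValue.user $secretValue.password -}}
{{- end -}}
{{- $cfg -}}
`

// renderField evaluates one templated field with the helpers registered.
func renderField(text string) (string, error) {
	tmpl, err := template.New("field").Funcs(template.FuncMap{
		"filterByTagKey":    filterByTagKey,
		"getSecretValue":    getSecretValue,
		"getSecretValueMap": getSecretValueMap,
	}).Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, struct{ Secrets map[string]secretMeta }{Secrets: listedSecrets})
	return buf.String(), err
}

func main() {
	out, err := renderField(pgbouncerTemplate)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Two properties worth noting: text/template visits map keys in sorted order, so the rendered configuration is stable across polls and does not cause spurious Secret updates, and a helper that returns an error stops rendering, which is the behaviour you want when a tagged secret is unreadable with the assumed role.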

Caching

Kube-secret-syncer keeps both the list of AWS secrets and their values in a cache. The list is refreshed every POLL_INTERVAL_SEC seconds; a secret's value is fetched again only when its VersionId has changed.
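The following added example (not kube-secret-syncer's code) shows the caching rule in isolation: list on every poll, call GetSecretValue only for secrets whose VersionId differs from the cached one, and drop entries that disappear from the listing. The fake Secrets Manager client and its secret IDs are constructed for the example and count API calls so the cost effect is visible; how the operator structures its own cache internally is not described on this page.

```go
package main

import (
	"fmt"
	"sort"
)

// fakeSecretsManager stands in for the AWS API (constructed, not the SDK):
// ListSecrets returns each secret ID with its current VersionId and
// GetSecretValue returns the value. Both count their calls.
type fakeSecretsManager struct {
	versions  map[string]string // secret ID -> current VersionId
	values    map[string]string // secret ID -> secret string
	listCalls int
	getCalls  int
}

func (f *fakeSecretsManager) ListSecrets() map[string]string {
	f.listCalls++
	out := make(map[string]string, len(f.versions))
	for id, v := range f.versions {
		out[id] = v
	}
	return out
}

func (f *fakeSecretsManager) GetSecretValue(id string) (string, bool) {
	f.getCalls++
	v, ok := f.values[id]
	return v, ok
}

// rotate simulates a new secret version being written in AWS.
func (f *fakeSecretsManager) rotate(id, versionID, value string) {
	f.versions[id] = versionID
	f.values[id] = value
}

type cachedSecret struct {
	VersionID string
	Value     string
}

// secretCache mirrors the README's rule: the list is refreshed on every poll,
// a value is fetched only when its VersionId differs from the cached one, and
// secrets that are no longer listed are dropped.
type secretCache struct {
	client  *fakeSecretsManager
	entries map[string]cachedSecret
}

func newSecretCache(client *fakeSecretsManager) *secretCache {
	return &secretCache{client: client, entries: map[string]cachedSecret{}}
}

// Refresh is what would run every POLL_INTERVAL_SEC. It returns the IDs whose
// value was (re)fetched, in sorted order.
func (c *secretCache) Refresh() []string {
	listed := c.client.ListSecrets()
	var fetched []string
	for id, version := range listed {
		if cur, ok := c.entries[id]; ok && cur.VersionID == version {
			continue // unchanged: no GetSecretValue call, no cost
		}
		value, ok := c.client.GetSecretValue(id)
		if !ok {
			continue // listed but not readable with our role: keep whatever we had
		}
		c.entries[id] = cachedSecret{VersionID: version, Value: value}
		fetched = append(fetched, id)
	}
	for id := range c.entries {
		if _, ok := listed[id]; !ok {
			delete(c.entries, id)
		}
	}
	sort.Strings(fetched)
	return fetched
}

// Value returns the cached secret string, if any.
func (c *secretCache) Value(id string) (string, bool) {
	e, ok := c.entries[id]
	return e.Value, ok
}

func main() {
	sm := &fakeSecretsManager{
		versions: map[string]string{"mysql": "v1", "datadog": "v1"},
		values:   map[string]string{"mysql": `{"password":"old"}`, "datadog": "dd-key"},
	}
	cache := newSecretCache(sm)
	fmt.Println("poll 1 fetched:", cache.Refresh())
	fmt.Println("poll 2 fetched:", cache.Refresh())
	sm.rotate("mysql", "v2", `{"password":"new"}`)
	fmt.Println("poll 3 fetched:", cache.Refresh())
	fmt.Printf("GetSecretValue calls: %d over %d polls\n", sm.getCalls, sm.listCalls)
}
```

With three polls and one rotation the fake client sees three GetSecretValue calls instead of six; over hundreds of secrets polled every five minutes that difference is the cost saving the comparison section refers to. The trade-off is the propagation delay described under Configuration: a rotated value is only picked up on the next list refresh.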

Security model

By default, kube-secret-syncer uses the IAM role of the Kubernetes node it runs on to list and retrieve secrets. When a SyncedSecret has an IAMRole field, kube-secret-syncer assumes that role before retrieving the secret, so the role named in IAMRole must trust (be assumable by) the node role kube-secret-syncer runs with.

To ensure a specific namespace only has access to the secrets it needs to, kube-secret-syncer will use the "iam.amazonaws.com/allowed-roles" annotation on the namespace (originally used by kube2iam) to validate that this role can be assumed for that namespace.

The secret synchronisation will be allowed if:

  • the annotation is set on the namespace and contains the secret's IAMRole
  • no annotation is set on the namespace and the secret has an IAMRole set
  • no annotation is set on the namespace and the secret has no IAMRole set

The secret sync will be denied if:

  • the annotation is set on the namespace and does not contain the secret's IAMRole
  • the annotation is set on the namespace and the secret has no IAMRole set
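The decision table above is the control that stops a SyncedSecret in one namespace from borrowing a role meant for another. The following added example (not the operator's own code) encodes it as a single function with a reason string for logging, and exercises all five rows plus an empty annotation. Two details are assumptions, since the page does not state them: the annotation value is parsed as a JSON array (kube2iam's documented format) with a comma-separated list as fallback, and roles are compared as exact strings with no role-name/ARN normalisation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// defaultNSAnnotation is the NS_ANNOTATION default from the README.
const defaultNSAnnotation = "iam.amazonaws.com/allowed-roles"

// allowedRoles parses the annotation value. kube2iam documents it as a JSON
// array of roles; a comma-separated list is accepted as a fallback. Which
// formats kube-secret-syncer itself accepts is not stated on this page, so
// this parsing is an assumption of the example.
func allowedRoles(value string) []string {
	var roles []string
	if err := json.Unmarshal([]byte(value), &roles); err == nil {
		return roles
	}
	for _, r := range strings.Split(value, ",") {
		if r = strings.TrimSpace(r); r != "" {
			roles = append(roles, r)
		}
	}
	return roles
}

// syncAllowed is the decision table from the security model. annotations is
// the namespace's metadata.annotations; iamRole is spec.IAMRole ("" when
// unset). Roles are compared as exact strings (assumption). The reason is
// returned so a denial can be logged and surfaced in metrics.
func syncAllowed(annotations map[string]string, annotationKey, iamRole string) (bool, string) {
	value, present := annotations[annotationKey]
	if !present {
		// No allow-list on the namespace: the sync is allowed whether or not an
		// IAMRole is set (the node role is used when it is not).
		return true, "namespace has no " + annotationKey + " annotation"
	}
	if iamRole == "" {
		return false, "namespace restricts roles but SyncedSecret sets no IAMRole"
	}
	// An annotation that is present but empty lists no roles, so every
	// IAMRole is denied: fail closed rather than fall back to the node role.
	for _, r := range allowedRoles(value) {
		if r == iamRole {
			return true, fmt.Sprintf("IAMRole %q is listed in %s", iamRole, annotationKey)
		}
	}
	return false, fmt.Sprintf("IAMRole %q is not listed in %s", iamRole, annotationKey)
}

func main() {
	restricted := map[string]string{defaultNSAnnotation: `["iam_role","billing_reader"]`}
	open := map[string]string{}
	cases := []struct {
		ns      map[string]string
		iamRole string
	}{
		{restricted, "iam_role"},
		{restricted, "admin_role"},
		{restricted, ""},
		{open, "iam_role"},
		{open, ""},
	}
	for _, c := range cases {
		ok, why := syncAllowed(c.ns, defaultNSAnnotation, c.iamRole)
		fmt.Printf("IAMRole=%-16q annotated=%-5v -> allowed=%-5v (%s)\n",
			c.iamRole, len(c.ns) > 0, ok, why)
	}
}
```

The practical consequence of the "no annotation" rows is that a namespace without the annotation can name any role the node role is allowed to assume, so the annotation should be set on every namespace that hosts SyncedSecrets, and the node role's permitted sts:AssumeRole targets kept as narrow as possible.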

Configuration

Kube-secret-syncer supports the following environment variables:

  • POLL_INTERVAL_SEC: how often the list of secrets in cache is refreshed (default: 300)
  • SYNC_INTERVAL_SEC: how often we will write to a Kubernetes secret (default: 120)
  • NS_ANNOTATION: the annotation on the namespace that contains a list of IAM roles kube-secret-syncer is allowed to assume (default: iam.amazonaws.com/allowed-roles)
  • METRICS_LISTEN: the interface/port the metrics server should listen on (default: :8080)

Note - when a secret in Secrets Manager is updated, the Kubernetes Secret is not updated until the list of secrets has been refreshed AND the sync interval has expired, so propagation can take up to POLL_INTERVAL_SEC + SYNC_INTERVAL_SEC seconds.

Local development

Please refer to the local development documentation.

Examples

See sample configurations and deployment example.
