• Stars
    star
    737
  • Rank 61,490 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 7 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Kubernetes controller for synchronizing secrets & config maps across namespaces

ConfigMap, Secret and Role, RoleBinding and ServiceAccount replication for Kubernetes

Build Status

This repository contains a custom Kubernetes controller that can be used to make secrets and config maps available in multiple namespaces.

Contents

  1. Deployment
    1. Using Helm
    2. Manual
  2. Usage
    1. "Role and RoleBinding replication
    2. "Push-based" replication
    3. "Pull-based" replication
      1. 1. Create the source secret
      2. 2. Create empty secret
      3. Special case: TLS secrets

Deployment

Using Helm

  1. Add the Mittwald Helm Repo:

    $ helm repo add mittwald https://helm.mittwald.de
    "mittwald" has been added to your repositories
    
    $ helm repo update
    Hang tight while we grab the latest from your chart repositories...
    ...Successfully got an update from the "mittwald" chart repository
    Update Complete. ⎈ Happy Helming!⎈
  2. Upgrade or install kubernetes-replicator helm upgrade --install kubernetes-replicator mittwald/kubernetes-replicator

Manual

$ # Create roles and service accounts
$ kubectl apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/rbac.yaml
$ # Create actual deployment
$ kubectl apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/deployment.yaml

Usage

Role and RoleBinding replication

To create a new role, your own account needs to have at least the same set of privileges as the role you're trying to create. The chart currently offers two options to grant these permissions to the service account used by the replicator:

  • Set the value grantClusterAdminto true, which grants the service account admin privileges. This is set to false by default, as having a service account with that level of access might be undesirable due to the potential security risks attached.

  • Set the lists of needed api groups and resources explicitely. These can be specified using the value privileges. privileges is a list that contains pairs of api group and resource lists.

    Example:

    serviceAccount:
      create: true
      annotations: {}
      name:
      privileges:
        - apiGroups: [ "", "apps", "extensions" ]
          resources: ["secrets", "configmaps", "roles", "rolebindings",
          "cronjobs", "deployments", "events", "ingresses", "jobs", "pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward", "services"]
        - apiGroups: [ "batch" ]
          resources:  ["configmaps", "cronjobs", "deployments", "events", "ingresses", "jobs", "pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward", "services"]

    These settings permit the replication of Roles and RoleBindings with privileges for the api groups "". apps, batch and extensions on the resources specified.

"Push-based" replication

Push-based replication will "push out" the secrets, configmaps, roles and rolebindings into namespaces when new namespaces are created or when the secret/configmap/roles/rolebindings changes.

There are two general methods for push-based replication:

  • name-based; this allows you to either specify your target namespaces by name or by regular expression (which should match the namespace name). To use name-based push replication, add a replicator.v1.mittwald.de/replicate-to annotation to your secret, role(binding) or configmap. The value of this annotation should contain a comma separated list of permitted namespaces or regular expressions. (Example: namespace-1,my-ns-2,app-ns-[0-9]* will replicate only into the namespaces namespace-1 and my-ns-2 as well as any namespace that matches the regular expression app-ns-[0-9]*).

    Example:

    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        replicator.v1.mittwald.de/replicate-to: "my-ns-1,namespace-[0-9]*"
    data:
      key1: <value>
  • label-based; this allows you to specify a label selector that a namespace should match in order for a secret, role(binding) or configmap to be replicated. To use label-based push replication, add a replicator.v1.mittwald.de/replicate-to-matching annotation to the object you want to replicate. The value of this annotation should contain an arbitrary label selector.

    Example:

    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        replicator.v1.mittwald.de/replicate-to-matching: >
          my-label=value,my-other-label,my-other-label notin (foo,bar)
    data:
      key1: <value>

When the labels of a namespace are changed, any resources that were replicated by labels into the namespace and no longer qualify for replication under the new set of labels will be deleted. Afterwards any resources that now match the updated labels will be replicated into the namespace.

It is possible to use both methods of push-based replication together in a single resource, by specifying both annotations.

"Pull-based" replication

Pull-based replication makes it possible to create a secret/configmap/role/rolebindings and select a "source" resource from which the data is replicated from.

Step 1: Create the source secret

If a secret or configMap needs to be replicated to other namespaces, annotations should be added in that object permitting replication.

  • Add replicator.v1.mittwald.de/replication-allowed annotation with value true indicating that the object can be replicated.

  • Add replicator.v1.mittwald.de/replication-allowed-namespaces annotation. Value of this annotation should contain a comma separated list of permitted namespaces or regular expressions. For example namespace-1,my-ns-2,app-ns-[0-9]*: in this case replication will be performed only into the namespaces namespace-1 and my-ns-2 as well as any namespace that matches the regular expression app-ns-[0-9]*.

    apiVersion: v1
    kind: Secret
    metadata:
      annotations:
        replicator.v1.mittwald.de/replication-allowed: "true"
        replicator.v1.mittwald.de/replication-allowed-namespaces: "my-ns-1,namespace-[0-9]*"
    data:
      key1: <value>

Step 2: Create an empty destination secret

Add the annotation replicator.v1.mittwald.de/replicate-from to any Kubernetes secret or config map object. The value of that annotation should contain the the name of another secret or config map (using <namespace>/<name> notation).

apiVersion: v1
kind: Secret
metadata:
  name: secret-replica
  annotations:
    replicator.v1.mittwald.de/replicate-from: default/some-secret
data: {}

The replicator will then copy the data attribute of the referenced object into the annotated object and keep them in sync.

Special case: TLS secrets

Secrets of type kubernetes.io/tls are treated in a special way and need to have a data["tls.crt"] and a data["tls.key"] property to begin with. In the replicated secrets, these properties need to be present to begin with, but they may be empty:

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret-replica
  annotations:
    replicator.v1.mittwald.de/replicate-from: default/some-tls-secret
type: kubernetes.io/tls
data:
  tls.key: ""
  tls.crt: ""

Special case: Docker registry credentials

Secrets of type kubernetes.io/dockerconfigjson also require special treatment. These secrets require to have a .dockerconfigjson key that needs to require valid JSON. For this reason, a replicated secret of this type should be created as follows:

apiVersion: v1
kind: Secret
metadata:
  name: docker-secret-replica
  annotations:
    replicator.v1.mittwald.de/replicate-from: default/some-docker-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K

Special case: Strip labels while replicate the resources.

Operators like https://github.com/strimzi/strimzi-kafka-operator implement an own garbage collection based on specific labels defined on resources. If mittwald replicator replicate secrets to different namespace, the strimzi-kafka-operator will remove the replicated secrets because from operators point of view the secret is a left-over. To mitigate the issue, set the annotation replicator.v1.mittwald.de/strip-labels=true to remove all labels on the replicated resource.

apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/managed-by: "strimzi-kafka-operator"
  name: cluster-ca-certs
  annotations:
    replicator.v1.mittwald.de/strip-labels: "true"
type: kubernetes.io/tls
data:
  tls.key: ""
  tls.crt: ""

Special case: Resource with .metadata.ownerReferences

Sometimes, secrets are generated by external components. Such secrets are configured with an ownerReference. By default, the kubernetes-replicator will delete the ownerReference in the target namespace.

ownerReference won't work across different namespaces and the secret at the destination will be removed by the kubernetes garbage collection.

To keep ownerReferences at the destination, set the annotation replicator.v1.mittwald.de/keep-owner-references=true

apiVersion: v1
kind: Secret
metadata:
  name: docker-secret-replica
  annotations:
    replicator.v1.mittwald.de/keep-owner-references: "true"
  ownerReferences:
    - apiVersion: v1
      kind: Deployment
      name: owner
      uid: "1234"
type: kubernetes.io/tls
data:
  tls.key: ""
  tls.crt: ""

See also: #120

More Repositories

1

kubernetes-secret-generator

Kubernetes controller for automatically generating and updating secrets
Go
292
star
2

kube-httpcache

Varnish Reverse Proxy on Kubernetes
Go
276
star
3

go-helm-client

Go client for accessing the Helm package manager
Go
201
star
4

goharbor-client

Go Client for the Harbor container registry
Go
106
star
5

brudi

Easy, incremental and encrypted backup creation / restoration for different backends (file, mongoDB, mysql, postgres, etc.)
Go
59
star
6

mittnite

Small init system with templated config files; to be used as container entrypoint
Go
30
star
7

vaultPHP

A PHP client library for "Vault by HashiCorp"
PHP
28
star
8

vaultgo

A vault client library for golang
Go
26
star
9

kubernetes-loadwatcher

Automatically taint and evict nodes with high CPU load
Go
25
star
10

go-powerdns

Go client library for accessing the PowerDNS API
Go
20
star
11

servicegateway

Gateway reverse proxy for microservice architectures with Consul integration
Go
20
star
12

kube-av

AntiVirus automation on Kubernetes
Go
19
star
13

vaulTS

A typescript library for vault
TypeScript
18
star
14

typo3-web2pdf

A TYPO3 extension for rendering content as PDF
PHP
18
star
15

harbor-operator

A Kubernetes operator for managing goharbor instances
Go
18
star
16

feature-requests

Sammlung von Feature-Ideen.
15
star
17

salt-microservices

Docker-based microservice deployment with service discovery
SaltStack
15
star
18

neos-onepageagency

A One Page Site-Package for Neos CMS.
JavaScript
11
star
19

node-kubernetes

Kubernetes client library for Node.JS
TypeScript
10
star
20

cli

The mittwald command-line interface
TypeScript
7
star
21

react-use-promise

Simple and declarative use of Promises in your React components. Observe their state and refresh them in various advanced ways.
TypeScript
7
star
22

flow-metamorph

Convert TYPO3 CMS extensions to TYPO3 Flow packages
PHP
6
star
23

salt-percona-formula

Saltstack formula for managing Percona servers
SaltStack
6
star
24

bump-app-version-action

Github Action to set helm-chart version and publish to helm.mittwald.de
Shell
6
star
25

flow-symlink-publishing

TYPO3 Flow package for publishing resources to the filesystem using relative symlinks
PHP
5
star
26

terraform-provider-mittwald

A Terraform provider for the mittwald cloud platform
Go
5
star
27

php-psr7-validation

PSR-7 middlewares for JSON schema validation
PHP
4
star
28

brudi-operator

Mustache
4
star
29

php-jsonmapping

Library for mapping PHP objects to JSON structures
PHP
4
star
30

typo3-varnishcache

TYPO3 extension for managing a Varnish cache
PHP
3
star
31

kube-pod-director

Helper service for directing traffic to stateful applications in Kubernetes
Go
3
star
32

docker-varnish

Docker image for the Varnish reverse proxy
Shell
3
star
33

magento2-cronjobs

Magento 2 cronjob runner compatible to @mittwald infrastructure
Shell
3
star
34

deployer-recipes

Collection of deployer recipes for interacting with the mittwald cloud platform
PHP
3
star
35

flow

A collection of packages related to Flow – the mittwald design system.
TypeScript
3
star
36

pypiserver-helm

This repository holds a helm-chart for pypiserver: https://github.com/pypiserver/pypiserver
Smarty
2
star
37

helm-charts

This repository contains the Helm Charts for Mittwald's services
Mustache
2
star
38

flow-hhvm

TYPO3 Flow package introducing HHVM compatibility.
PHP
2
star
39

golangci-lint-cfg

Shell
2
star
40

magento-cronjobs

Magento cronjob runner compatible to @mittwald infrastructure
Shell
1
star
41

spacectl

CLI client for Mittwald SPACES
Go
1
star
42

flow-t3compat

Provide compatibility APIs for using TYPO3 CMS code in TYPO3 Flow
PHP
1
star
43

developer-portal

The sources for the mittwald developer portal
MDX
1
star
44

typo3-mw-matomo-widget

Mittwald Matomo Widget for TYPO3 Dashboard
PHP
1
star
45

api-client-php

PHP client for the mittwald mStudio v2 API
PHP
1
star
46

flow-jwt-auth

JSON Web Token authentication for TYPO3 Flow
PHP
1
star
47

neos-hhvm-distribution

TYPO3 Neos base distribution with HHVM optimization.
CSS
1
star
48

spaces-auth

Library to use Mittwald SPACES as an OAuth 2.0 identity provider in your own applications
PHP
1
star
49

typo3-mw-cache-widget

Mittwald Cache (APCu & OpCodeCache) widget for the TYPO3 dashboard
PHP
1
star