  • Stars: 231
  • Rank: 173,434 (Top 4 %)
  • Language: Go
  • License: Other
  • Created over 8 years ago
  • Updated over 6 years ago


Repository Details

Manage secrets with Vault inside a Kubernetes cluster

Kubernetes Secret Manager

Problem

Typically the usernames and passwords for a resource are statically tied to a service account. These passwords rarely change and are usually difficult to rotate in an application stack. Often we are not even sure how many components use a given service account, which makes rotation even harder, and teams end up not changing the passwords at all for fear of downtime and errors.

Ideally we want a solution that rotates credentials dynamically and does so in a secure, well-thought-out way.

Goals

The main motivation of this project is to allow dynamic secrets to be requested from a MySQL database and to let a pod inside a Kubernetes cluster consume those dynamic passwords. Each secret is tied to a lease, so it expires after a pre-defined TTL, and the secret is rotated before its max TTL is reached.

The implementation is designed so that the pod does not have to understand a specific secret generation tool (e.g. HashiCorp Vault). The application only needs to know how to read a file and how to be notified when that file changes.
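The application-side contract above (read credentials from files, react when they change) can be met with nothing but the standard library. The following Go program is an added example written for this page, not code from the kubernetes-secret-manager project: it reads a secret mounted as files, fingerprints the pair so a change can be detected without holding plaintext for comparison, and polls for rotation. The key names `username` and `password`, the poll interval, and the stand-alone demo that stages a temporary directory in place of a real secret mount path are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Credentials is what the application needs from the mounted Kubernetes secret.
type Credentials struct {
	Username string
	Password string
}

// LoadCredentials reads the two keys of a Kubernetes secret mounted as files.
// The key names "username" and "password" are an assumption for this example.
func LoadCredentials(dir string) (Credentials, error) {
	user, err := os.ReadFile(filepath.Join(dir, "username"))
	if err != nil {
		return Credentials{}, err
	}
	pass, err := os.ReadFile(filepath.Join(dir, "password"))
	if err != nil {
		return Credentials{}, err
	}
	return Credentials{
		Username: string(bytes.TrimSpace(user)),
		Password: string(bytes.TrimSpace(pass)),
	}, nil
}

// Fingerprint hashes the credential pair so a change can be detected without
// keeping the previous plaintext around just for comparison.
func Fingerprint(c Credentials) [32]byte {
	return sha256.Sum256([]byte(c.Username + "\x00" + c.Password))
}

// WatchCredentials calls onChange with the current credentials, then polls dir
// every interval and calls onChange again whenever the pair differs from the
// last one seen. Kubelet updates a mounted secret by swapping a symlink, so
// simply re-reading the files is enough to observe the new value. A read
// error during the swap is treated as transient and retried on the next tick.
// The function returns when done is closed.
func WatchCredentials(dir string, interval time.Duration, done <-chan struct{}, onChange func(Credentials)) error {
	cur, err := LoadCredentials(dir)
	if err != nil {
		return err
	}
	onChange(cur)
	last := Fingerprint(cur)
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		select {
		case <-done:
			return nil
		case <-ticker.C:
			next, err := LoadCredentials(dir)
			if err != nil {
				continue
			}
			if fp := Fingerprint(next); fp != last {
				last = fp
				onChange(next)
			}
		}
	}
}

func main() {
	// Stand-alone demo: stage a fake mount in a temp dir, rotate it, and watch.
	// In a pod, dir would be the secret volume's mountPath (assumed here).
	dir, err := os.MkdirTemp("", "creds")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	write := func(u, p string) {
		os.WriteFile(filepath.Join(dir, "username"), []byte(u+"\n"), 0600)
		os.WriteFile(filepath.Join(dir, "password"), []byte(p+"\n"), 0600)
	}
	write("v-readonly-1", "constructed-initial")
	done := make(chan struct{})
	go func() {
		time.Sleep(50 * time.Millisecond)
		write("v-readonly-2", "constructed-rotated") // simulate the controller rotating the secret
		time.Sleep(50 * time.Millisecond)
		close(done)
	}()
	_ = WatchCredentials(dir, 10*time.Millisecond, done, func(c Credentials) {
		fmt.Println("credentials now for user", c.Username) // never log the password
	})
}
```

In a real application the onChange callback is where the connection pool is rebuilt with the new pair; the old pool should be drained rather than killed, since the previous lease is still valid until Vault revokes it.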

Features

  • Dynamically pull usernames & passwords from a MySQL database
  • Fetch static secrets from Vault and mirror as Kubernetes secrets

Implementation

This project uses Vault as its secret distribution tool with the MySQL Secret Backend enabled. It is deployed via a custom ThirdPartyResource (a mechanism removed in Kubernetes 1.8 in favour of CustomResourceDefinitions) and a Kubernetes controller that talks to the Vault API. Credentials are exposed to pods via plain Kubernetes secrets. The application in the pod is only responsible for refreshing its own state when those credentials are rotated.
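The controller side of that design is a short loop: read a credential pair from Vault's MySQL backend, remember the lease, write the pair into a Kubernetes Secret, and come back well before the lease runs out. The Go program below is an added example for this page, not the project's controller. It talks to the real Vault endpoint shape (`GET /v1/mysql/creds/<role>` with the `X-Vault-Token` header, a response carrying `lease_id`, `lease_duration`, `renewable` and `data`) but uses an in-process fake Vault so it runs offline; the fake server, the `vault.lease_id` annotation used to track the lease on the Secret, the renew-at-two-thirds policy, and all credential values are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// vaultSecret mirrors the fields of a Vault logical read response used here.
type vaultSecret struct {
	LeaseID       string            `json:"lease_id"`
	LeaseDuration int               `json:"lease_duration"`
	Renewable     bool              `json:"renewable"`
	Data          map[string]string `json:"data"`
}

// ReadCreds requests a dynamic MySQL credential pair from Vault's MySQL backend
// (GET /v1/mysql/creds/<role>) using the given client token.
func ReadCreds(client *http.Client, vaultAddr, token, role string) (*vaultSecret, error) {
	req, err := http.NewRequest(http.MethodGet, vaultAddr+"/v1/mysql/creds/"+role, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault returned %s for role %q", resp.Status, role)
	}
	var s vaultSecret
	if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
		return nil, err
	}
	if s.Data["username"] == "" || s.Data["password"] == "" {
		return nil, fmt.Errorf("vault response for role %q lacks username/password", role)
	}
	return &s, nil
}

// RenewAfter returns how long to wait before renewing (or re-issuing) a lease:
// two thirds of the lease duration, so a failed attempt still leaves time to
// retry before Vault revokes the credentials (policy chosen for this example).
func RenewAfter(leaseDuration int) time.Duration {
	return time.Duration(leaseDuration) * time.Second * 2 / 3
}

// SecretManifest renders the Kubernetes Secret the controller would write so
// the pod sees the credentials as plain files. Values are base64 because that
// is what the Secret API expects under "data".
func SecretManifest(name, namespace string, s *vaultSecret) ([]byte, error) {
	m := map[string]interface{}{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata": map[string]interface{}{
			"name":        name,
			"namespace":   namespace,
			"annotations": map[string]string{"vault.lease_id": s.LeaseID}, // example annotation
		},
		"type": "Opaque",
		"data": map[string]string{
			"username": base64.StdEncoding.EncodeToString([]byte(s.Data["username"])),
			"password": base64.StdEncoding.EncodeToString([]byte(s.Data["password"])),
		},
	}
	return json.Marshal(m)
}

// NewFakeVault stands in for Vault's MySQL backend so the example runs offline.
// It enforces the token header and returns a constructed lease response.
func NewFakeVault(expectToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != expectToken {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		role := strings.TrimPrefix(r.URL.Path, "/v1/mysql/creds/")
		json.NewEncoder(w).Encode(vaultSecret{
			LeaseID:       "mysql/creds/" + role + "/constructed-lease-id",
			LeaseDuration: 3600,
			Renewable:     true,
			Data:          map[string]string{"username": "v-" + role + "-example", "password": "constructed-password"},
		})
	}))
}

func main() {
	srv := NewFakeVault("demo-token")
	defer srv.Close()
	s, err := ReadCreds(srv.Client(), srv.URL, "demo-token", "readonly")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	manifest, _ := SecretManifest("db-readonly-credentials", "default", s)
	fmt.Printf("lease %s, renew in %s\n%s\n", s.LeaseID, RenewAfter(s.LeaseDuration), manifest)
}
```

The controller token only needs read on `mysql/creds/*` (plus renew on its own leases), which is a far smaller blast radius than the root token the quick-start below pastes into the deployment.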

Video Walkthrough: Kubernetes Secret Manager

Usage

TL;DR

  1. Deploy MySQL: kubectl create -f deployments/mysql.yaml
  2. Deploy Vault: kubectl create -f deployments/vault.yaml
  3. Configure Vault: kubectl exec -it <vaultPodName> /bin/dumb-init /bin/sh
    • Run the config script: setup-vault.sh
  4. Deploy the controller:
    • Get the Vault root token from the Vault pod's logs (kubectl logs <vaultPodName>) and copy it into the args section of the deployment yaml
    • Create the deployment: kubectl create -f deployments/secret-manager.yaml
    • NOTE: a token placed in the args section is visible to anyone who can read the Deployment or Pod spec (kubectl describe). This is fine for a demo; for anything else, issue the controller a token whose policy is limited to the mysql/ paths instead of the root token.
  5. Create the sample app: kubectl create -f sample-app/deployments/sample-app.yaml
    • NOTE: this creates two custom secrets, which in turn request two MySQL accounts from Vault, a read-only account and a full-access account. It also requests a static secret from Vault. They are stored in Kubernetes secrets named db-readonly-credentials, db-full-credentials, and foo-secret.

Thanks!

Special thanks goes out to Kelsey Hightower for the base ideas of this project: (https://github.com/kelseyhightower/kube-cert-manager)

About

Built by UPMC Enterprises in Pittsburgh, PA. http://enterprises.upmc.com/

More Repositories

  • elasticsearch-operator (Go, 656 stars): manages elasticsearch clusters
  • registry-creds (Go, 347 stars): Allow for AWS ECR, Google Registry, & Azure Container Registry credentials to be refreshed inside your Kubernetes cluster via ImagePullSecrets
  • kong-operator (Go, 89 stars): manages kong clusters
  • kubeadm-aws (HCL, 73 stars): Bootstrap a Kubernetes cluster on AWS using Terraform and kubeadm
  • emmie (Go, 41 stars): Continuously deploy feature branches to your Kubernetes cluster
  • kubernetes-on-aws (Shell, 33 stars): Bootstrap a Kubernetes cluster on AWS via Cloudformation scripts
  • gradle-slack-uploader-plugin (Kotlin, 15 stars): Uploads artifacts from a Gradle build as a file to a Slack channel
  • android-emulator-builder (Shell, 11 stars): Go from zero to Android emulator, automatically. Ideal for CI setup, automated testing, OS image creation, and other hands-off scenarios.
  • elasticsearch-cron (Go, 10 stars): CronJob container to perform snapshots of an elasticsearch cluster
  • kubernetes-fluentd (Ruby, 9 stars): Send log files from a Kubernetes cluster via Fluentd
  • ATNA2FHIR (JavaScript, 7 stars): ATNA (DICOM) AuditMessage to FHIR AuditEvent converter
  • gradle-test-coverage-reporter-plugin (Kotlin, 5 stars): Extracts unit test coverage metrics from a JaCoCo report and displays a summary in the build output
  • captain-whisker (JavaScript, 5 stars): JSON templating for node.js REST APIs
  • softkeyboard (Java, 5 stars): The Android SDK sample soft keyboard resurrected for API 21 and above
  • graceful-shutdown-spring-boot-starter (Java, 4 stars)
  • cerebro-docker (Makefile, 1 star): Docker image for: https://github.com/lmenezes/cerebro