Cloud Secrets Manager is a simple yet powerful tool that aims to simplify the way secrets stored in cloud-based secrets managers are injected into Kubernetes Pods, functioning like HashiCorp Vault's Agent Sidecar Injector.
It also provides a convenient CLI tool with features like `list` and `edit` that make secret management easier than using the Cloud Console. If you want to jump straight into the CLI tool, please refer to the CLI Tool section.
- AWS (Amazon Web Services): Secrets Manager
- GCP (Google Cloud Platform): Secret Manager (BETA)
- `cloud-secrets-controller`
- `cloud-secrets-injector`

The two components work together as follows:

- `cloud-secrets-controller` watches incoming `/mutate` and `/validate` webhook requests from the Kubernetes API server.
- When pods are created or updated in a namespace labeled with `cloud-secrets-injector: enabled`, the Kubernetes API server sends admission requests to the `cloud-secrets-controller` webhook server. `cloud-secrets-controller` mutates the pod manifest by injecting an init container, `cloud-secrets-injector`, into the pod and mounting a temporary directory as a volume on both the init container and the original containers. Pods in namespaces without that label are left untouched.
- When the pod initializes, the init container `cloud-secrets-injector` requests the secret values, identified by a secret id, from the secret provider and stores them in the temporary directory.
- Once `cloud-secrets-injector` has completed successfully, the original containers start running as defined in the manifest and read the secrets from the shared volume.
- Kubernetes Cluster
- `kubectl`
- `helm`
```shell
kubectl create namespace cloud-secrets-manager
helm repo add h0n9 https://h0n9.github.io/helm-charts
helm upgrade --install -n cloud-secrets-manager cloud-secrets-manager h0n9/cloud-secrets-manager
```
You can check out the official Helm chart repository, h0n9/helm-charts. By pressing the ⭐️ Star button above, be the first to get notified of the launch of other new charts.
The following annotations are required to inject `cloud-secrets-injector` into pods:
| Key | Required | Description | Example |
|---|---|---|---|
| `cloud-secrets-manager.h0n9.postie.chat/provider` | true | Cloud Provider Name | `aws` |
| `cloud-secrets-manager.h0n9.postie.chat/secret-id` | true | Secret Name | `very-precious-secret` |
| `cloud-secrets-manager.h0n9.postie.chat/template` | true | Template for secret value | `{{ range $k, $v := . }}{{ $k }}={{ $v }} {{ end }}` |
| `cloud-secrets-manager.h0n9.postie.chat/output` | true | File path for output | `/secrets/env` |
| `cloud-secrets-manager.h0n9.postie.chat/decode-base64` | false | Decode base64-encoded secret value | `true` or `false` |
| `cloud-secrets-manager.h0n9.postie.chat/injected` | false | Identifier for injection | `false` |
From version v0.4, multiple secrets can be injected into a pod by defining the annotations as follows:
```yaml
cloud-secrets-manager.h0n9.postie.chat/provider: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id: secrets-env
cloud-secrets-manager.h0n9.postie.chat/output: /secrets/env
cloud-secrets-manager.h0n9.postie.chat/template: |
  {{ range $k, $v := . }}export {{ $k }}={{ $v }}
  {{ end }}
cloud-secrets-manager.h0n9.postie.chat/provider-config-app: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-config-app: secrets-config
cloud-secrets-manager.h0n9.postie.chat/output-config-app: /config/application.yaml
cloud-secrets-manager.h0n9.postie.chat/template-config-app: |
  {{ .application-yaml }}
cloud-secrets-manager.h0n9.postie.chat/provider-config-secrets: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-config-secrets: secrets-config
cloud-secrets-manager.h0n9.postie.chat/output-config-secrets: /config/secrets.yaml
cloud-secrets-manager.h0n9.postie.chat/template-config-secrets: |
  {{ .secrets-yaml }}
```
Just append `-<secret-name>` to each annotation key, as in `cloud-secrets-manager.h0n9.postie.chat/provider-<secret-name>`; the unsuffixed annotations still describe the first secret, and every named secret needs its own `provider`, `secret-id`, `output` and `template` annotation. That's it!
From version v0.6, you can decode base64-encoded secret values by setting the `cloud-secrets-manager.h0n9.postie.chat/decode-base64` annotation to `true`. Annotation values must be strings, so quote it as `"true"` in YAML:
```yaml
cloud-secrets-manager.h0n9.postie.chat/provider-cert: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-cert: very-precious-secret
cloud-secrets-manager.h0n9.postie.chat/output-cert: /secrets/precious.cer
cloud-secrets-manager.h0n9.postie.chat/template-cert: |
  {{ .base64-encoded-precious-cert }}
cloud-secrets-manager.h0n9.postie.chat/decode-base64-cert: "true"
cloud-secrets-manager.h0n9.postie.chat/provider-key: aws
cloud-secrets-manager.h0n9.postie.chat/secret-id-key: very-precious-secret
cloud-secrets-manager.h0n9.postie.chat/output-key: /secrets/precious.key
cloud-secrets-manager.h0n9.postie.chat/template-key: |
  {{ .base64-encoded-precious-key }}
cloud-secrets-manager.h0n9.postie.chat/decode-base64-key: "true"
```
This feature is useful when you want to inject a base64-encoded secret value as a file into a pod.
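To make the `template` and `decode-base64` annotations above concrete, here is an added example in Go that is not part of the project's code: it replays the render step the injector performs for the multi-secret and base64 examples, assuming (as the `{{ range $k, $v := . }}` syntax suggests) that templates are Go `text/template` and that a secret's value is a JSON key/value document. The three sample secrets are constructed, not real data. Two caveats it makes visible: standard `text/template` rejects hyphens in `.field` access, so a key such as `application-yaml` has to be reached with `index . "application-yaml"` unless the injector preprocesses its templates (check against your installed version); and a mistyped key silently renders as `<no value>` unless the template is parsed with `missingkey=error`.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed sample secrets (not real data), shaped like the JSON
// key/value documents AWS Secrets Manager returns for the secret ids used
// in the annotations above: secrets-env, secrets-config, very-precious-secret.
const (
	sampleEnvSecret    = `{"DB_USER":"app","DB_PASS":"s3cr3t"}`
	sampleConfigSecret = `{"application-yaml":"server:\n  port: 8080\n","secrets-yaml":"db:\n  password: s3cr3t\n"}`
	samplePlainCert    = "-----BEGIN CERTIFICATE-----\nplaceholder, not a real certificate\n-----END CERTIFICATE-----\n"
)

// sampleCertSecret holds the certificate base64-encoded, as the
// decode-base64 example expects.
var sampleCertSecret = fmt.Sprintf(`{"base64-encoded-precious-cert":%q}`,
	base64.StdEncoding.EncodeToString([]byte(samplePlainCert)))

// parseSecret unmarshals a key/value secret document into the map the
// template is executed against.
func parseSecret(raw string) (map[string]string, error) {
	var kv map[string]string
	if err := json.Unmarshal([]byte(raw), &kv); err != nil {
		return nil, fmt.Errorf("secret is not a JSON object of strings: %w", err)
	}
	return kv, nil
}

// renderTemplate executes a text/template against the secret map.
// missingkey=error turns a mistyped key into a hard failure instead of
// silently writing "<no value>" into the output file.
func renderTemplate(tmpl string, data map[string]string) (string, error) {
	t, err := template.New("secret").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("template parse: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("template execute: %w", err)
	}
	return buf.String(), nil
}

// renderOutput mirrors the template + decode-base64 annotation pair: render
// first, then base64-decode the rendered text when requested.
// StdEncoding.DecodeString skips '\n' and '\r', so the trailing newline a
// YAML block-scalar template leaves behind does not break decoding.
func renderOutput(tmpl string, data map[string]string, decodeB64 bool) ([]byte, error) {
	s, err := renderTemplate(tmpl, data)
	if err != nil {
		return nil, err
	}
	if !decodeB64 {
		return []byte(s), nil
	}
	out, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("decode-base64: %w", err)
	}
	return out, nil
}

func main() {
	env, _ := parseSecret(sampleEnvSecret)
	out, err := renderOutput("{{ range $k, $v := . }}export {{ $k }}={{ $v }}\n{{ end }}", env, false)
	fmt.Printf("/secrets/env:\n%s(err=%v)\n", out, err)

	cfg, _ := parseSecret(sampleConfigSecret)
	// A hyphenated key is not a valid field name in text/template ...
	_, err = renderOutput("{{ .application-yaml }}\n", cfg, false)
	fmt.Println("dot access on hyphenated key:", err)
	// ... so reach it through the built-in index function instead.
	out, err = renderOutput(`{{ index . "application-yaml" }}`, cfg, false)
	fmt.Printf("/config/application.yaml:\n%s(err=%v)\n", out, err)

	cert, _ := parseSecret(sampleCertSecret)
	out, err = renderOutput(`{{ index . "base64-encoded-precious-cert" }}`+"\n", cert, true)
	fmt.Printf("/secrets/precious.cer:\n%s(err=%v)\n", out, err)
}
```

Run it with `go run .`; the rendered strings are what would land in `/secrets/env`, `/config/application.yaml` and `/secrets/precious.cer` on the shared volume. Because the output file is only as trustworthy as the template, keep templates under review like any other code path that handles credentials, and prefer failing the init container over starting the application with an empty or partially rendered secret file.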
All supported providers require the annotations described above. However, the authentication method the init container uses to reach the provider differs from provider to provider. Please refer to the following explanation.
Cloud Secrets Manager can be installed via Homebrew:

```shell
$ brew install h0n9/devops/cloud-secrets-manager
```

That's it! You can now use the `cloud-secrets-manager` or `csm` commands.
For `aws-vault` users, you can use the following command to execute the `cloud-secrets-manager` command with the specified AWS profile:

```shell
$ aws-vault exec <profile> -- csm <command>
```
```shell
$ csm secrets list --provider aws --limit 3
dev/hello-world
dev/very-precious-secret
dev/another-secret
```

The `--limit` option limits the number of secrets listed.
```shell
$ csm secrets edit --provider aws --secret-id dev/very-precious-secret
```

A text editor opens with the secret value. After editing, save and close the editor to update the secret value. If you want to cancel the edit, just close the editor without saving.

If you want to use a specific editor, set the `EDITOR` environment variable:

```shell
$ export EDITOR=nano
$ csm secrets edit --provider aws --secret-id dev/very-precious-secret
```