Vals-Operator
Here at Digitalis we love vals, a tool we use daily to keep secrets stored securely. We also use secrets-manager on the Kubernetes deployments we manage. Inspired by these two tools we created this operator.
vals-operator syncs secrets from any secrets store supported by vals into Kubernetes Secrets. It works very similarly to secrets-manager, and the code is based on it. Where they differ is that vals-operator supports not just HashiCorp Vault but the many other secrets stores vals can read from.
Installation
You can use the Helm chart to install vals-operator. You will need to provide the configuration to access the secrets store you decided on, either as environment variables or via a pre-existing Secret. Note that values passed with `--set` are stored in plaintext in the Helm release and can be read back with `helm get values`, so for credentials such as `VAULT_SECRET_ID` or AWS keys the pre-existing Secret approach (second example) is preferable.

```shell
# Example for Vault
helm upgrade --install vals-operator --create-namespace -n vals-operator \
  --set "env[0].name=VAULT_ROLE_ID,env[0].value=vals-operator" \
  --set "env[1].name=VAULT_SECRET_ID,env[1].value=my-secret-id" \
  --set "env[2].name=VAULT_ADDR,env[2].value=https://vault:8200" \
  charts/vals-operator
```

```shell
# Example for AWS using a secret
kubectl create secret generic -n vals-operator aws-creds \
  --from-literal=AWS_ACCESS_KEY_ID=foo \
  --from-literal=AWS_SECRET_ACCESS_KEY=bar \
  --from-literal=AWS_DEFAULT_REGION=us-west-2

helm upgrade --install vals-operator --create-namespace -n vals-operator \
  --set "secretEnv[0].secretRef.name=aws-creds" \
  charts/vals-operator
```
Usage
```yaml
apiVersion: digitalis.io/v1
kind: ValsSecret
metadata:
  name: vals-secret-sample
  labels:
    owner: digitalis.io
spec:
  name: my-secret # Optional, default is the resource name
  ttl: 3600 # Optional, default is 0. The secret will be checked at every "reconcile period". See below.
  type: Opaque # Default type, others supported
  data:
    username:
      ref: ref+vault://secret/database/username
      encoding: text
    password:
      ref: ref+vault://secret/database/password
      encoding: text
    ssh:
      ref: ref+vault://secret/database/ssh-private-key
      encoding: base64
    aws-user:
      ref: ref+awssecrets://kube/test#username
    aws-pass:
      ref: ref+awssecrets://kube/test#password
```
The example above will create a Secret named `my-secret` and populate it with values fetched from the different sources. The Secret is kept in sync with the backend secrets store.

The `ttl` is optional and is used to reduce how often the operator calls the backend secrets store, since some backends, such as AWS Secrets Manager, charge per API call. With the default of 0 the references are fetched on every reconcile period (see the `-reconcile-period` option below).

The default encoding is `text`, but you can change it to `base64` per secret reference. This way you can, for example, base64-encode large configuration files.
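A typo in a `ref` or an `encoding` only surfaces once the operator tries to reconcile the object. The following pre-apply lint is an added example, not part of vals-operator: it checks a ValsSecret manifest against the shape described above (a `ref+<backend>://` reference per key, `encoding` limited to `text` or `base64`, a non-negative `ttl`, keys that Kubernetes accepts in a Secret) and reports which backend credentials the operator pod will need. The manifest is embedded as the dict `yaml.safe_load()` would produce for the example above, and the backend-to-environment mapping is an assumption taken from the two install examples, not an exhaustive list of what vals supports.

```python
import re

# Constructed sample: the README manifest as a Python dict, i.e. what
# yaml.safe_load() returns for it.
SAMPLE = {
    "apiVersion": "digitalis.io/v1",
    "kind": "ValsSecret",
    "metadata": {"name": "vals-secret-sample"},
    "spec": {
        "name": "my-secret",
        "ttl": 3600,
        "type": "Opaque",
        "data": {
            "username": {"ref": "ref+vault://secret/database/username", "encoding": "text"},
            "password": {"ref": "ref+vault://secret/database/password", "encoding": "text"},
            "ssh": {"ref": "ref+vault://secret/database/ssh-private-key", "encoding": "base64"},
            "aws-user": {"ref": "ref+awssecrets://kube/test#username"},
            "aws-pass": {"ref": "ref+awssecrets://kube/test#password"},
        },
    },
}

# vals reference syntax: ref+<backend>://<path>[#<key>]
REF_RE = re.compile(r"^ref\+(?P<backend>[a-z0-9]+)://(?P<path>[^#]+)(#(?P<key>.+))?$")
# Kubernetes only accepts alphanumerics, '-', '_' and '.' in Secret data keys.
SECRET_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
ENCODINGS = {"text", "base64"}

# Assumption: credentials the operator pod needs per backend, taken from the
# install examples; extend this for the other vals backends you use.
BACKEND_ENV = {
    "vault": ["VAULT_ADDR", "VAULT_ROLE_ID", "VAULT_SECRET_ID"],
    "awssecrets": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_DEFAULT_REGION"],
}


def lint_vals_secret(manifest):
    """Return a list of problems; an empty list means the manifest is well formed."""
    problems = []
    if manifest.get("apiVersion") != "digitalis.io/v1" or manifest.get("kind") != "ValsSecret":
        problems.append("apiVersion/kind must be digitalis.io/v1 ValsSecret")
    spec = manifest.get("spec") or {}
    ttl = spec.get("ttl", 0)
    if not isinstance(ttl, int) or ttl < 0:
        problems.append(f"spec.ttl must be a non-negative integer, got {ttl!r}")
    data = spec.get("data") or {}
    if not data:
        problems.append("spec.data is empty")
    for key, entry in data.items():
        if not SECRET_KEY_RE.match(key):
            problems.append(f"{key}: not a valid Secret data key")
        if not isinstance(entry, dict) or "ref" not in entry:
            problems.append(f"{key}: missing ref")
            continue
        if not REF_RE.match(entry["ref"]):
            problems.append(f"{key}: ref {entry['ref']!r} is not of the form ref+<backend>://...")
        enc = entry.get("encoding", "text")
        if enc not in ENCODINGS:
            problems.append(f"{key}: encoding {enc!r} must be one of {sorted(ENCODINGS)}")
    return problems


def target_secret_name(manifest):
    """Name of the Secret the operator creates: spec.name, falling back to metadata.name."""
    return manifest["spec"].get("name") or manifest["metadata"]["name"]


def required_env(manifest):
    """Environment variables the operator pod needs for every backend this manifest references."""
    backends = set()
    for entry in manifest["spec"]["data"].values():
        match = REF_RE.match(entry.get("ref", ""))
        if match:
            backends.add(match.group("backend"))
    env = []
    for backend in sorted(backends):
        env.extend(BACKEND_ENV.get(backend, [f"<credentials for {backend}>"]))
    return env


if __name__ == "__main__":
    for problem in lint_vals_secret(SAMPLE) or ["ok"]:
        print(problem)
    print(target_secret_name(SAMPLE), required_env(SAMPLE))
```

Run it in CI before `kubectl apply`; a non-empty list from `lint_vals_secret` should fail the pipeline. The `required_env` output is a quick way to confirm that the `env`/`secretEnv` values you gave the Helm chart actually cover every backend the manifest references.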
Options
The following options are available. See the Helm chart documentation for more information on adding them to your deployment configuration.

```text
-exclude-namespaces string
    Comma separated list of namespaces to ignore.
-health-probe-bind-address string
    The address the probe endpoint binds to. (default ":8081")
-kubeconfig string
    Paths to a kubeconfig. Only required if out-of-cluster.
-leader-elect
    Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
-metrics-bind-address string
    The address the metric endpoint binds to. (default ":8080")
-reconcile-period duration
    How often the controller will re-queue secretdefinition events (default 5s)
-record-changes
    Records every time a secret has been updated. You can view them with kubectl describe (default true)
-watch-namespaces string
    Comma separated list of namespaces that vals-operator will watch.
-zap-devel
    Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)
-zap-encoder value
    Zap log encoding (one of 'json' or 'console')
-zap-log-level value
    Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
-zap-stacktrace-level value
    Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
```