This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

kubernetes-secret-sealer

Python application

Simple tool that fetches a secret from AWS Secrets Manager and pipes it into a Kubernetes sealed secret, so the plaintext never has to touch the filesystem.

prerequisites

For kubernetes-secret-sealer to work as intended, several prerequisites have to be fulfilled:

installation

pipx install .      # installs to `$HOME/.local/bin/kubernetes-secret-sealer`; add that directory to PATH

# legacy: pipsi is no longer maintained. See pipx for an actively maintained alternative
pipsi install .
pipsi install --python /opt/local/bin/python3.7 .     # on macos

usage

kubernetes-secret-sealer --help     # show help message and exit

# get the secret from AWS Secrets Manager and generate sealed-secret.yaml
kubernetes-secret-sealer \
	-p $AWS_PROFILE \
	-n $AWS_SECRETS_NAME \
	-kns $KUBERNETES_NAMESPACE \
	--cert ./path/to/sealed-secret-cert.pem \
	-o yaml \
	-f ./path/to/sealed-secret.yaml \
	-b accountJsonAsString \
	-tt Opaque

handling of secrets and workflow

Secrets are stored only in AWS Secrets Manager. This tool writes no unencrypted secrets to the filesystem: the plaintext is held in memory just long enough to be encrypted with the sealing certificate passed via --cert, and only the resulting sealed secret is written out. Because that certificate is the public key of one specific cluster's sealed-secrets controller, a file sealed with ./dev-cluster.pem can only be unsealed in that cluster, so make sure --cert matches the cluster you intend to apply the secret to. The workflow for using this tool is:

  • Migrate your secrets into AWS Secrets Manager. It is advisable to use the same names and semantics the Secret will later have in the Kubernetes services.
  • create a sealed secret yaml via:
kubernetes-secret-sealer \
	-p $AWS_PROFILE \
	-n supersecret \
	-kns $KUBERNETES_NAMESPACE \
	--cert ./dev-cluster.pem \
	-o yaml \
	-f supersecret_sealedsecret.yaml
  • Then apply the sealed secret via kubectl apply -f supersecret_sealedsecret.yaml
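The pipeline the three steps above describe, as an added example in plain Python that is not the project's own code. It fetches a secret, renders a Kubernetes Secret manifest in memory and pipes it into kubeseal on stdin, so the only thing that reaches the filesystem is the sealed output. The kubeseal flags (--cert, --namespace, --format) are real; the assumption that each Secrets Manager secret is a flat JSON object whose keys become the keys of the Kubernetes Secret, the function names, and the constructed fake client and sample secret are illustrative. The demo swaps `sh -c cat` in for kubeseal so it runs without a cluster certificate.

```python
"""Secrets Manager -> in-memory Secret manifest -> kubeseal (stdin) -> sealed YAML.

Added illustration, not the project's code. Assumptions: the secret's
SecretString is a flat JSON object of string values; boto3 is installed
only where a real AWS profile is used (it is imported lazily).
"""
import base64
import json
import subprocess
from typing import Dict, List, Optional, Sequence


def secrets_manager_client(profile: Optional[str] = None):
    """Real boto3 Secrets Manager client, built from an AWS profile (assumption: boto3 present)."""
    import boto3  # imported lazily so the helpers below stay importable/testable offline

    return boto3.session.Session(profile_name=profile).client("secretsmanager")


def fetch_secret_json(client, secret_name: str) -> Dict[str, str]:
    """Fetch one secret and parse its SecretString as a flat JSON object of strings."""
    resp = client.get_secret_value(SecretId=secret_name)
    if "SecretString" not in resp:  # binary secrets (SecretBinary) are deliberately refused
        raise ValueError(f"{secret_name}: binary secrets are not supported")
    data = json.loads(resp["SecretString"])
    if not isinstance(data, dict) or not all(isinstance(v, str) for v in data.values()):
        raise ValueError(f"{secret_name}: expected a flat JSON object of string values")
    return data


def build_secret_manifest(name: str, namespace: str, data: Dict[str, str],
                          secret_type: str = "Opaque") -> bytes:
    """Render a plain (unsealed) Kubernetes Secret as JSON, values base64-encoded under .data.

    JSON is used instead of YAML to avoid a PyYAML dependency; kubeseal accepts either.
    """
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": secret_type,
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }
    return json.dumps(manifest).encode()


def kubeseal_command(cert_path: str, namespace: str,
                     kubeseal: Sequence[str] = ("kubeseal",)) -> List[str]:
    """Command line that seals a Secret read from stdin for the cluster owning cert_path."""
    return [*kubeseal, "--cert", cert_path, "--namespace", namespace, "--format", "yaml"]


def seal(manifest: bytes, cert_path: str, namespace: str,
         kubeseal: Sequence[str] = ("kubeseal",)) -> bytes:
    """Pipe the plaintext manifest to kubeseal via stdin and return the SealedSecret YAML.

    The plaintext exists only in this process and on the pipe; nothing is written to disk.
    """
    proc = subprocess.run(kubeseal_command(cert_path, namespace, kubeseal),
                          input=manifest, check=True, capture_output=True)
    return proc.stdout


class FakeSecretsManager:
    """Constructed offline stand-in for a boto3 Secrets Manager client."""

    def __init__(self, secrets: Dict[str, str]):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str):
        return {"SecretString": self._secrets[SecretId]}


# Constructed sample: what the migrated secret 'supersecret' would look like in Secrets Manager.
SAMPLE_SECRETS = {"supersecret": json.dumps({"username": "app", "password": "s3cr3t"})}


def demo() -> bytes:
    """Run the whole pipeline offline; 'sh -c cat' echoes the manifest in place of kubeseal."""
    data = fetch_secret_json(FakeSecretsManager(SAMPLE_SECRETS), "supersecret")
    manifest = build_secret_manifest("supersecret", "dev", data)
    return seal(manifest, "./dev-cluster.pem", "dev", kubeseal=("sh", "-c", "exec cat", "fake-kubeseal"))


if __name__ == "__main__":
    # Real use: client = secrets_manager_client(profile); sealed = seal(manifest, cert, ns)
    # then write `sealed` to supersecret_sealedsecret.yaml and `kubectl apply -f` it.
    print(demo().decode())
```

With a real profile, replace `FakeSecretsManager` by `secrets_manager_client("<profile>")` and drop the `kubeseal=` override; the sealed bytes returned by `seal` are what belongs in supersecret_sealedsecret.yaml, and since they are encrypted to the cluster's public key they can be committed.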

troubleshooting

After updating Python via Homebrew, the virtual environments created with pipx might be broken, because the symlink in the venv points to the full path of python3, which Homebrew changes with each patch release. This can be fixed via:

pipx reinstall-all