Sync Azure Key Vault Secrets to Kubernetes Secrets
Project description
kv-to-kube
Syncs Azure Key Vault Secrets that carry a kube_secret_name tag to Kubernetes Secrets.
Installation
Via Kustomize/Flux for Kubernetes
Installation via Kustomize/Flux 2.0 is the recommended approach for running kv-to-kube in a cluster. It requires Azure Workload Identity to be set up and working, together with the corresponding OIDC federated credential for the service account the CronJob runs as.
Create a kustomization.yaml file (this is the file name Kustomize looks for) with the following content, replacing keyvault-name, excluded-namespaces, and azure.workload.identity/client-id with your own values:
```yaml
resources:
  - github.com/cpressland/kv-to-kube/deploy
patches:
  - target:
      kind: CronJob
    patch: |
      - op: replace
        path: /spec/jobTemplate/spec/template/spec/containers/0/command
        value:
          - kv-to-kube
          - --keyvault-name=my-keyvault
          - --excluded-namespaces=kube-system
  - target:
      kind: ServiceAccount
    # "~1" is the JSON Pointer escape for "/" inside the annotation key
    patch: |
      - op: replace
        path: /metadata/annotations/azure.workload.identity~1client-id
        value: 5d4017fa-3f60-4fcb-a15c-2ffbd8081807
```
Apply it to your cluster with kubectl apply -k . or let Flux 2.0 reconcile it.
Via Pipx
Pipx is the recommended installation method for running locally, outside of Kubernetes. It requires azure-cli to be installed and logged in to an account that can read the Key Vault.
```shell
pipx install kv-to-kube
```
Usage
Once the application is installed, either locally or in your cluster, create or update a secret in your Key Vault whose value is a JSON object of string fields, for example:
```json
{
  "postgres_user": "lunalux",
  "postgres_pass": "asmr",
  "postgres_host": "katherina.postgres.database.azure.com"
}
```
and tag that secret with {"kube_secret_name": "azure-postgres"}. Each field of the JSON object becomes a key of the resulting Kubernetes Secret, and the tag value becomes its name.
kv-to-kube will then create a Secret named azure-postgres in every namespace not listed in --excluded-namespaces. The copy in the default namespace looks like this (values are base64-encoded, as the Kubernetes API requires in .data):
```json
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "name": "azure-postgres",
    "namespace": "default"
  },
  "data": {
    "postgres_host": "a2F0aGVyaW5hLnBvc3RncmVzLmRhdGFiYXNlLmF6dXJlLmNvbQ==",
    "postgres_pass": "YXNtcg==",
    "postgres_user": "bHVuYWx1eA=="
  },
  "type": "Opaque"
}
```
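The transformation above, as an added worked example in Python (the project's language) that is not kv-to-kube's own code: a Key Vault secret value (a JSON object of string fields) plus its tags is turned into one Opaque Secret manifest per non-excluded namespace, with the field values base64-encoded as the Kubernetes API requires. The Key Vault and cluster listings are replaced by constructed sample data so it runs offline; the function names (render_secret, sync) and the input validation (the tag value must be a valid RFC 1123 Secret name, the value must be a JSON object whose values are all strings) are this example's assumptions, not necessarily what kv-to-kube itself does.

```python
import base64
import json
import re

# Kubernetes requires a Secret name to be an RFC 1123 subdomain (lower-case
# alphanumerics, '-' and '.', at most 253 characters). The tag value comes
# from Key Vault, so it is validated before it is ever used as an object name.
# (Validation rule is this example's assumption, not kv-to-kube's behaviour.)
_DNS_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$")
TAG = "kube_secret_name"


def render_secret(value, tags, namespace):
    """Return the Secret manifest for one Key Vault secret in one namespace,
    or None when the secret does not carry the kube_secret_name tag.
    Malformed input raises ValueError instead of producing a broken object."""
    name = (tags or {}).get(TAG)
    if name is None:
        return None
    if not _DNS_SUBDOMAIN.match(name):
        raise ValueError(f"{TAG}={name!r} is not a valid Kubernetes Secret name")
    try:
        fields = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {name}: value is not valid JSON ({exc})") from None
    if not isinstance(fields, dict) or not all(isinstance(v, str) for v in fields.values()):
        raise ValueError(f"secret {name}: value must be a JSON object whose values are strings")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        # .data must hold base64; .stringData would also work but is not what the page shows.
        "data": {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
                 for k, v in sorted(fields.items())},
    }


def sync(kv_secrets, namespaces, excluded_namespaces=()):
    """Fan every tagged Key Vault secret out to every namespace that is not excluded."""
    excluded = set(excluded_namespaces)
    manifests = []
    for namespace in namespaces:
        if namespace in excluded:
            continue
        for value, tags in kv_secrets:
            manifest = render_secret(value, tags, namespace)
            if manifest is not None:
                manifests.append(manifest)
    return manifests


# Constructed sample data standing in for the Key Vault and cluster listings.
SAMPLE_KV_SECRETS = [
    (json.dumps({"postgres_user": "lunalux",
                 "postgres_pass": "asmr",
                 "postgres_host": "katherina.postgres.database.azure.com"}),
     {"kube_secret_name": "azure-postgres"}),
    ("a plain secret with no tag", {"owner": "platform"}),  # untagged: ignored by sync
]
SAMPLE_NAMESPACES = ["default", "kube-system", "app"]

if __name__ == "__main__":
    for manifest in sync(SAMPLE_KV_SECRETS, SAMPLE_NAMESPACES, excluded_namespaces={"kube-system"}):
        print(json.dumps(manifest, indent=2))
```

The name check is there because the tag value is written by whoever can edit tags on the Key Vault and ends up as the name of a cluster object; rejecting a bad value before any API call is cheaper than a failed create or a surprising object name.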
FAQs
Q: What would I use this for?
A: I use it with Terraform. When creating something like a Postgres server we store the connection details in Azure Key Vault; AKS then uses kv-to-kube to synchronise those secrets so they can be consumed as environment variables in a Pod.
Q: Why does this delete and re-create secrets instead of updating them?
A: I couldn't find an elegant way to perform this operation with the kr8s library. I've opened an issue here; should that get a satisfactory resolution I'll change this to update in place and add an annotation on the secret with the last-updated time. Because each sync deletes and re-creates the Secret, there is a brief window in which it does not exist, so I wouldn't recommend using this for secrets that need to be mounted as a volume. If that's your use case, you should probably be using a Secrets Store CSI Driver instead.
File details
Details for the file kv_to_kube-1.0.3.tar.gz
File metadata
- Download URL: kv_to_kube-1.0.3.tar.gz
- Upload date:
- Size: 4.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.7.1 CPython/3.11.7 Linux/6.2.0-1018-azure
File hashes
Algorithm | Hash digest
---|---
SHA256 | 18a2defaf96ff4fe23822dc57c6e7fca56693e0ac03fb236111fb377026098c1
MD5 | 8b758d2690f72630f9dc70cc069699ef
BLAKE2b-256 | 19aafed990c34392b55d08016455bd8618c76dea2c777a668ae4a0d776315b55
File details
Details for the file kv_to_kube-1.0.3-py3-none-any.whl
File metadata
- Download URL: kv_to_kube-1.0.3-py3-none-any.whl
- Upload date:
- Size: 4.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.7.1 CPython/3.11.7 Linux/6.2.0-1018-azure
File hashes
Algorithm | Hash digest
---|---
SHA256 | a8e2e10b35b7040386c21e7006c75844f8b710a06ef1a701c74a8bd0d0e37e80
MD5 | 665cb421726aa994743308b9f9f4a760
BLAKE2b-256 | 9f2de3434281ee3ae7c122e50f296b69cc195d93ce3b2f632aec32ace852eae0
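Both files above were uploaded without Trusted Publishing, so the digests listed for them are what you have to pin against. The following is an added example, not part of the PyPI page or of kv-to-kube: it checks a downloaded artifact (for instance from pip download --no-deps kv-to-kube==1.0.3) against the SHA256 digests listed above and emits a hash-pinned requirements.txt line that makes pip install --require-hashes refuse any other file for this version. The function names, the file-name-keyed lookup and the use of SHA256 only (ignoring the weaker MD5 column) are this example's choices.

```python
import hashlib
from pathlib import Path

# SHA256 digests copied from the file listing above. Only SHA256 is consulted:
# MD5 is also listed, but it is not collision resistant and adds nothing.
EXPECTED_SHA256 = {
    "kv_to_kube-1.0.3.tar.gz":
        "18a2defaf96ff4fe23822dc57c6e7fca56693e0ac03fb236111fb377026098c1",
    "kv_to_kube-1.0.3-py3-none-any.whl":
        "a8e2e10b35b7040386c21e7006c75844f8b710a06ef1a701c74a8bd0d0e37e80",
}

# SHA256 of zero bytes; used only to self-check the hashing code offline.
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_file(path):
    """Hex SHA256 of a file, read in chunks so large wheels need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_digest(filename, digest, expected=EXPECTED_SHA256):
    """True only when we hold a pin for this file name and the digest matches it.
    An unknown file name is a failure, not a pass: there is nothing to compare against."""
    want = expected.get(filename)
    return want is not None and digest.lower() == want.lower()


def verify_file(path, expected=EXPECTED_SHA256):
    """Verify an artifact on disk by its file name and SHA256."""
    path = Path(path)
    return verify_digest(path.name, sha256_file(path), expected)


def requirements_line(package="kv-to-kube", version="1.0.3", expected=EXPECTED_SHA256):
    """A hash-pinned requirements.txt line. With `pip install --require-hashes -r`
    pip accepts only files for this package whose SHA256 appears in the line."""
    hashes = " ".join(f"--hash=sha256:{d}" for d in sorted(expected.values()))
    return f"{package}=={version} {hashes}"


if __name__ == "__main__":
    import sys
    # Usage: python verify.py kv_to_kube-1.0.3-py3-none-any.whl [more files...]
    for arg in sys.argv[1:]:
        print(arg, "OK" if verify_file(arg) else "MISMATCH OR UNKNOWN FILE")
    print(requirements_line())
```

Pinning by hash rather than by version alone is what protects you if the index entry is later replaced or a mirror serves a different file; a version pin on its own only checks the name.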