A kubernetes operator that syncs and decrypts secrets from pass git repositories
Project description
pass secrets operator
A Kubernetes operator to sync and decrypt secrets from a password store (pass) Git repository. This operator is proposed as a proof-of-concept and shouldn't be used in any production capacity.
While this approach to secrets management on Kubernetes is more technically challenging, the advantage is that we don't have to rely on a third-party SaaS platform, such as Vault or Doppler, to hold our secrets (the obvious benefits these platforms do provide, however, are better user and access management). We may also use this operator in an air-gapped environment with a self-hosted Git repository.
How it works
The following flowchart outlines how this operator reacts to PassSecret-related events and pass store updates.
From a high level, this operator runs git pull on an interval to grab updates from a git repository populated with encrypted secrets by pass. It maps secrets' paths to data values through the application of a PassSecret, a custom resource, such as the following.
```yaml
apiVersion: secrets.premiscale.com/v1alpha1
kind: PassSecret
metadata:
  name: mysecret
  namespace: pass-operator-test
spec:
  encryptedData:
    mykey: premiscale/mydata
  managedSecret:
    metadata:
      name: mysecret
      namespace: pass-operator-test
    type: Opaque
    immutable: false
```
The above PassSecret manifest translates to the following Secret.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: pass-operator-test
stringData:
  mykey: <decrypted contents of premiscale/mydata>
immutable: false
type: Opaque
```
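To make the path-to-value mapping concrete, here is an added Python example (not the operator's own code) that renders a PassSecret manifest into the Secret it manages. The `fake_decrypt` hook and in-memory `FAKE_PASS_STORE` are constructed stand-ins for the git checkout plus gpg decryption, and the base64 `data` fallback for plaintext that is not valid UTF-8 is this example's own choice, not documented operator behaviour.

```python
import base64
from typing import Callable, Dict

# Constructed stand-in for a checked-out pass store: path -> decrypted bytes.
FAKE_PASS_STORE: Dict[str, bytes] = {
    "premiscale/mydata": b"s3cr3t-value\n",
    "premiscale/blob": bytes([0xFF, 0x00, 0x80]),  # not valid UTF-8
}

def fake_decrypt(path: str) -> bytes:
    """Hypothetical decrypt hook; fails loudly on an unknown pass path."""
    if path not in FAKE_PASS_STORE:
        raise KeyError(f"pass path not found in store: {path}")
    return FAKE_PASS_STORE[path]

def render_secret(pass_secret: dict, decrypt: Callable[[str], bytes] = fake_decrypt) -> dict:
    """Translate a PassSecret manifest into the managed Secret manifest.
    Non-UTF-8 plaintext cannot go in stringData, so it is base64-encoded into
    data (this example's assumption, not documented operator behaviour)."""
    spec = pass_secret["spec"]
    managed = spec["managedSecret"]
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": dict(managed["metadata"]),
        "type": managed.get("type", "Opaque"),
        "immutable": bool(managed.get("immutable", False)),
    }
    for key, path in spec["encryptedData"].items():
        plaintext = decrypt(path)  # a missing path aborts before any Secret is emitted
        try:
            text = plaintext.decode("utf-8")
        except UnicodeDecodeError:
            secret.setdefault("data", {})[key] = base64.b64encode(plaintext).decode("ascii")
        else:
            secret.setdefault("stringData", {})[key] = text
    return secret

# Constructed PassSecret matching the manifest shown above.
EXAMPLE_PASS_SECRET = {
    "apiVersion": "secrets.premiscale.com/v1alpha1", "kind": "PassSecret",
    "metadata": {"name": "mysecret", "namespace": "pass-operator-test"},
    "spec": {
        "encryptedData": {"mykey": "premiscale/mydata"},
        "managedSecret": {
            "metadata": {"name": "mysecret", "namespace": "pass-operator-test"},
            "type": "Opaque", "immutable": False}},
}
```

Calling `render_secret(EXAMPLE_PASS_SECRET)` yields the Secret manifest above with `stringData.mykey` filled in; a PassSecret that references a path absent from the store raises before any partial Secret is produced.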
Installation
See the chart README for an overview of operator installation and configuration options.
Development
Unit tests
Run unit tests with
yarn test:unit
End-to-end tests
Run e2e tests against a live (local) environment with
yarn test:e2e
This command will:
- Stand up a local 1-node minikube cluster with 4 cores, 4GiB memory and 30GiB storage. (Modify ./scripts/minikube.sh if these resources are unsuitable for your local development environment.)
- Create a localhost docker registry redirect container.
- Build both e2e (hosts a git repository with encrypted pass secrets that match paths found in ./src/test/data/crd) and operator container images, and push these images to the local redirect for minikube to access.
- Install both e2e and pass-operator Helm charts.
- Run e2e tests.
- Tear down the cluster and local registry, and clean up locally-built artifacts.
Coverage
Measure test coverage against the codebase with
poetry run coverage run -m pytest
poetry run coverage report -m
File details
Details for the file pass_operator-0.4.1.tar.gz.
File metadata
- Download URL: pass_operator-0.4.1.tar.gz
- Upload date:
- Size: 23.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.10.6
File hashes
Algorithm | Hash digest
---|---
SHA256 | f191a6dad196982cc149800c675ccadf8ec1bf69ee918b5245351fd412c0196b
MD5 | da693cbc19ea86d0d8d7c00d321158c6
BLAKE2b-256 | fb9ba3d800802cd35e2a1529bb17f33e4cd3a04e2f03f4f11b636fd408fc562a
File details
Details for the file pass_operator-0.4.1-py3-none-any.whl.
File metadata
- Download URL: pass_operator-0.4.1-py3-none-any.whl
- Upload date:
- Size: 37.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.10.6
File hashes
Algorithm | Hash digest
---|---
SHA256 | 335861c633c48abedbc6221a74beeab575d79c694a293f44a190d7cf6990beeb
MD5 | 0cdf1f71934e5a5f4fa35525da003488
BLAKE2b-256 | 25df57d1245c7128e1ede29143215fad25f274360260a33ce1c9c943c19dee7b