Git Product home page Git Product logo

isabella232 / ack-secret-manager Goto Github PK

View Code? Open in Web Editor NEW

This project forked from aliyuncontainerservice/ack-secret-manager

0.0 0.0 0.0 7.65 MB

ACK Secret Manager allows you to use external secret management systems (*e.g.*, Alibaba Cloud Secrets Manager) to securely add secrets in Kubernetes.

License: Apache License 2.0

Shell 2.53% Go 88.71% Makefile 5.40% Dockerfile 1.06% Mustache 2.29%

ack-secret-manager's Introduction

ACK Secret Manager

English | 简体中文

ACK Secret Manager allows you to use external secret management systems (e.g., Alibaba Cloud Secrets Manager to securely add secrets in Kubernetes.

ACK Secret Manager provide the same use experience as kubernetes-external-secrets which provide the same ease of use as native Secret objects and provide access to secrets stored externally. In ACK Secret Manager,it also adding an ExternalSecret object to the Kubernetes API that allows developers to inject the external secret from Alibaba Cloud Secrets Manager into a Pod using a declarative API similar to the native Secret one.

Installing the Chart

1. You are the authorized user of Alibaba Cloud Secrets Manager

2. Grant ack-secret-manager the permission of get credentials in KMS secret manager, here are two ways:

a. Attach KMS RAM policy on target worker role

  • access the target cluster's detail page in Container Service console
  • click the target ram role named KubernetesWorkerRole-xxxxxxxxxxxxxxx and access into RAM Roles page
  • add kms RAM policy below into the policy bind to the worker role. 
         {
        "Action": [
            "kms:GetSecretValue"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Allow"
    }

b. For ACK/ASK 1.22 clusters, fine-grained ram role for service account could be implemented via RRSA method (Note: This method only supports 1.22 version of ACK Standard and Pro clusters)

  • Enable RRSA function
  • Use RRSA function : including creating the corresponding RAM role for the specified serviceaccount, the trust policy for the role, and binding the permission to the role.

3. Log on to the Container Service console.

  • In the left-side navigation page, choose Marketplace > App Catalog. Select the ack-secret-manager application, click it and access into application page, then modify the chart configuration values in Parameters tab, please find parameters description below
  • Select the target cluster and click Create button to add the component.
  • Input the customized parameters in the parameter configuration page, including rrsa.enable in values.yaml and ALICLOUD_ROLE_ARN and ALICLOUD_OIDC_PROVIDER_ARN parameters, see the configuration notes below for parameter descriptions.
  • Click the OK button to complete the installation.

Uninstalling the Chart

  1. Log on to the Container Service console .
  2. In the left-side navigation pane, choose Applications > Publish and click the Releases tab. On the ** Releases** tab page, locate the row that named ack-secret-manager, and click Delete.

Configuration

The following table lists the configurable parameters of the ack-secret-manager chart and their default values.

Parameter Description Default
env.WATCH_NAMESPACE Set the namespaces operator watch(empty value means all-namespaces)
envVarsFromSecret.ACCESS_KEY_ID Set the ACCESS_KEY_ID variable to specify the credential RAM AK for building SDK client, which needs to be defined in the secret named alibaba-credentials
envVarsFromSecret.SECRET_ACCESS_KEY Set the SECRET_ACCESS_KEY variable to specify the credential RAM SK for building SDK client, which needs to be defined in the secret named alibaba-credentials
envVarsFromSecret.ALICLOUD_ROLE_ARN Set the ALICLOUD_ROLE_ARN variable to specify the RAM role ARN for building SDK client, which needs to be defined in the secret named alibaba-credentials
envVarsFromSecret.ALICLOUD_ROLE_SESSION_NAME Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session name for building SDK client, which needs to be defined in the secret named alibaba-credentials
envVarsFromSecret.ALICLOUD_ROLE_SESSION_EXPIRATION Set the ALICLOUD_ROLE_SESSION_NAME variable to specify the RAM role session expiration for building SDK client, which needs to be defined in the secret named alibaba-credentials
envVarsFromSecret. ALICLOUD_OIDC_PROVIDER_ARN Set the ALICLOUD_OIDC_PROVIDER_ARN variable to specify the RAM OIDC provider arn for building SDK client, which needs to be defined in the secret named alibaba-credentials
envVarsFromSecret.ALICLOUD_OIDC_TOKEN_FILE Set the ALICLOUD_OIDC_TOKEN_FILE variable to specify the serviceaccount OIDC token file path for building SDK client, which needs to be defined in the secret named alibaba-credentials
rrsa.enable Enable RRSA feature, default is false,when enalbe, you need to configure the parametes of ALICLOUD_ROLE_ARN and ALICLOUD_OIDC_PROVIDER_ARN in envVarsFromSecret false
command.backend Set the secret management backend, only alicloud-kms supported alicloud-kms
command.reconcilePeriod How often the controller will re-queue externalsecret events 5s
command.reconcileCount Specify the max concurrency reconcile work at the same time 1
command.tokenRotationPeriod Polling interval to check kms client sts token expiration time. 120s
command.region The region id where you want to pull the secret from
command.enableLeaderElection Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. true
command.leaderElectionNamespace Namespace used to perform leader election. Only used if leader election is enabled. kube-system
command.disablePolling Disable auto polling external secret from kms. false
command.pollingInterval How often the controller will sync existing secret from kms. 120s
image.repository ack-secret-manager Image name acs/ack-secret-manager
image.tag ack-secret-manager Image tag v0.3.0
image.pullPolicy Image pull policy Always
nameOverride Override the name of app nil
fullnameOverride Override the full name of app nil
rbac.create Create & use RBAC resources true
securityContext.fsGroup Security context for the container {}
serviceAccount.create Whether a new service account name should be created. true
serviceAccount.name Service account to be used. automatically generated
serviceAccount.annotations Annotations to be added to service account nil
podAnnotations Annotations to be added to pods {}
podLabels Additional labels to be added to pods {}
replicaCount Number of replicas 1
nodeSelector node labels for pod assignment {}
tolerations List of node taints to tolerate (requires Kubernetes >= 1.6) []
affinity Affinity for pod assignment {}
resources Pod resource requests & limits {}

Tip: You can find the ack-secret-manager release in ACK edit the param at the Parameters tab in or use the default values.yaml

Add a secret

Add your secret data to your Secret Manager

aliyun kms CreateSecret --SecretName test --SecretData 1234 --VersionId v1

and then create a hello-service-external-secret.yml file:

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: hello-service
spec:
  data:
    - key: test
      name: password
      versionStage: ACSCurrent

Save the file and run:

kubectl apply -f hello-service-external-secret.yml

Wait a few minutes and verify that the associated Secret has been created:

kubectl get secret hello-service -oyaml

The Secret created by the controller should look like:

apiVersion: v1
kind: Secret
metadata:
  name: hello-service
type: Opaque
data:
  password: MTIzNA==

If the flag disablePolling is not set to true, the controller would auto polling the secret from KMS backend with the interval set in pollingInterval

ack-secret-manager's People

Contributors

dahuk avatar greatbody avatar anhnguyenkim-agilityio avatar haoshuwei avatar yingzhi-aliyun avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.