jaydee94 / kubeseal-webgui
This is a simple web ui for Bitnami Sealed Secrets.
License: Apache License 2.0
Hi,
An idea to improve it would be to add a string generator in the value fields.
For example:
Describe the bug
The Copy Button does not work with Firefox.
It should be possible to copy sealed secrets with Firefox as well.
I am trying to install the helm chart for kubeseal-webgui on a k8s cluster provided in Docker Desktop. I followed the steps mentioned in the readme. Below is my values.yaml file.
I do have one doubt regarding api.url: is this default value okay? Do we need to expose this endpoint ourselves, or is it taken care of by the helm chart?
replicaCount: 1
annotations: {}
api:
  # The value of api.url should be set to the public-accessible http endpoint (ingress url or OpenShift route).
  # api.url will be generated into config.json ConfigMap of the UI. This statically served JSON file
  # is used by the UI to locate the API.
  url: http://localhost:8080
  image:
    repository: kubesealwebgui/api
    tag: 3.1.0
  environment: {}
ui:
  image:
    repository: kubesealwebgui/ui
    tag: 3.1.0
image:
  pullPolicy: Always
nameOverride: ""
fullnameOverride: ""
# Optionally setup a display name for your kubeseal-webgui instance.
displayName: ""
# Set this value to false if you already have a default serviceaccount who is allowed to list namespaces.
serviceaccount:
  create: false
# Setup resources for the pod
resources:
  limits:
    cpu: 100m
    memory: 256Mi
  requests:
    cpu: 20m
    memory: 256Mi
# Optionally use a OpenShift-Route
# If 'hostname' is an empty string (""), OpenShift will create a hostname for you.
route:
  enabled: false
  hostname: ""
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: None
sealedSecrets:
  autoFetchCert: false
  controllerName: sealed-secrets-controller
  controllerNamespace: kube-system
  ## Public Certificate of your Sealed-Secrets Controller.
  ## Login to your cluster with kubectl.
  ## Run kubeseal --fetch-cert --controller-name <your-sealed-secrets-controller> --controller-namespace <sealed-secrets-controller-namespace>
  ## Paste Cert as multiline YAML
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIEzDCCArSgAwIBAgIQTu139c2EK+zC/rwU4DxhYzANBgkqhkiG9w0BAQsFADAA
    ............................................
    ...........................................
    -----END CERTIFICATE-----
Getting the below error on the UI and not able to list any namespace. I have also fetched the cert.pem from the kubeseal controller and provided the same in the values file as mentioned in the project. I have no clue what is wrong here.
Having some form of plugable authentication for this webapp would be nice.
I've had a lot of success using https://github.com/oauth2-proxy/oauth2-proxy for this purpose.
Describe the bug
When sealing secrets with multiline content or special characters like "Àüâ" the app shows an error.
Add a newer version of the kubeseal binary in the Dockerfile of the api.
Describe the bug
Add the ability to template arbitrary data keys included in sealed secret 0.16 in the webinterface/api
See bitnami-labs/sealed-secrets#445 regarding the syntax. ( .spec.data )
Expected behavior
Additional toggle or different fields for unsealed secrets, plain b64 encoded. Also some API ability would be nice.
It should be possible to dynamically add keys to encrypt into the Form.
The Bootstrap Form should be dynamic and have a Add key Button.
All encrypted keys should be generated into the output HTML Page as single encrypted value but also into a complete kubernetes object.
The Helm chart should provide an optional ingress object besides the OpenShift Route.
Fixes #138
Show the name of the kubernetes cluster where the app is running.
Show an image as site header instead of
The Application should get a metrics endpoint with the following metrics:
https://dev.to/camptocamp-ops/implement-prometheus-metrics-in-a-flask-application-p18
The Helm Chart should get an optional value for automatically generating a ServiceMonitor for collecting the metrics with a Kubernetes-internal Prometheus.
Add language support for English.
There should be a little tooltip after clicking the copy button for about 2-3 seconds.
Add support for encrypting binary data in sealed secret objects.
Maybe an optional upload button for providing the content of a file like e.g. a java keystore that should be encrypted.
Hi,
First off I think this project is really cool. I was thinking of building custom tooling on top of kubeseal until I found this app.
I don't think it's a great idea to run the Flask development server in production environments, see https://github.com/Jaydee94/kubeseal-webgui/blob/master/Dockerfile.api#L24 .
Some alternatives:
I could handle this task myself if you're interested.
Hello,
First off, awesome project!
I've deployed it successfully on our OpenShift test environment (v4.9).
But when I'm trying the namespace dropdown I'm getting the following message:
Error while encoding sensitive data. Please contact your administrator and try again later.
Error message:
TypeError: Failed to fetch
serviceaccount.create is set to true.
I've checked if the (namespace list) clusterrole & clusterrolebinding is active on the cluster and the service account is attached to the pod(s).
Do you have any pointers on how to troubleshoot this? I'm not seeing pointers in pod logs or namespace events...
Describe the bug
The ingress class provided by this chart only supports setting the behaviour by annotation.
So, to select the ingress class, one needs to specify the annotation kubernetes.io/ingress.class.
But Kubernetes has deprecated this annotation,
cf. https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#deprecating-the-ingress-class-annotation
This annotation is replaced by the spec field ingressClassName,
cf. https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
Expected behavior
Use spec.ingressClassName in the template ingress.yaml, with ingress.class in values.yaml to set this new spec.
Describe the bug
Currently every file from the repo gets copied when COPY is used. We can and should ignore quite a few of them, like __pycache__ dirs.
To Reproduce
Steps to reproduce the behavior:
__pycache__ directories
Expected behavior
Those development files should not be part of the container image
Describe the bug
When building the API container, we get a warning about not using a virtual env together with the root account:
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
To Reproduce
Steps to reproduce the behavior:
docker build -t api:latest -f Dockerfile.api .
Expected behavior
No such warning should appear while building the container
Add support for a dropdown field instead of typing the namespace name. The app should determine all namespaces from the current Kubernetes cluster and provide them as a dropdown field.
The UI should show a collapsible section with some additional infos about the application like:
kubeseal binary to encrypt secrets
Currently the trash bin icon is displayed even if there is only one key-value pair to encrypt. The list of key-value pairs should contain at least one item. So the trash bin icon should only be displayed from the second element on...
Provide an optional configuration for an e-mail address as contact for troubles with kubeseal-webgui.
An optional configuration option to exclude namespaces from the list of displayed namespaces in the UI.
Describe the bug
the fetch script moved with the new docker image to ${APP_HOME}/kubeseal-webgui/bin/kubeseal-fetch.sh
the helm chart is referencing the script at /kubeseal-webgui/bin/kubeseal-fetch.sh which doesn't exist anymore
To Reproduce
Deploy the helm chart 4.0.0 with sealedSecrets.autoFetchCert: true
Expected behavior
Should reference the correct script
Logs
Error: failed to start container "fetch-cert": Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: "/kubeseal-webgui/bin/kubeseal-fetch.sh": stat /kubeseal-webgui/bin/kubeseal-fetch.sh: no such file or directory": unknown
Create random flask secret key on startup
All python functions should have type hints.
Replace Flask with Fastapi
In addition to the sealed key output there should be a complete yaml output for the complete sealed-secret to copy.
Hi,
This tool is great, thank you!!
An idea to improve it would be to permit configuring the scope and allow the generation of secrets cluster-wide and namespace-wide.
Add github action for automatic docker image deployment to dockerhub
Secret names must be lowercase and only contain alphanumeric characters and dashes. See the Kubernetes conventions for API objects.
See RFC 1123.
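As an added example (my own code, not part of this issue or of the kubeseal-webgui project), a small Python validator for the rule stated above: each label is checked against the RFC 1123 DNS label rule (lowercase alphanumerics and dashes, alphanumeric at both ends, at most 63 characters), and because Kubernetes Secret names are DNS subdomains, dot-separated labels up to 253 characters in total are also accepted. Function names and message texts are my assumptions.

```python
from __future__ import annotations

import re

# RFC 1123 DNS label: lowercase alphanumerics and '-', starting and ending
# with an alphanumeric. Length is checked separately for a clearer message.
_DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
MAX_LABEL_LEN = 63
MAX_SUBDOMAIN_LEN = 253


def is_dns_label(name: str) -> bool:
    """True if name is a single valid RFC 1123 DNS label."""
    return len(name) <= MAX_LABEL_LEN and _DNS_LABEL.match(name) is not None


def is_dns_subdomain(name: str) -> bool:
    """True if name is a valid DNS subdomain (Kubernetes Secret name):
    one or more DNS labels joined by '.', at most 253 characters."""
    if not name or len(name) > MAX_SUBDOMAIN_LEN:
        return False
    return all(is_dns_label(label) for label in name.split("."))


def validate_secret_name(name: str) -> list[str]:
    """Return human-readable problems with the name; an empty list means valid.

    Intended for a form-level check before the request reaches the API; the
    API should of course re-validate, since the UI check can be bypassed.
    """
    problems: list[str] = []
    if not name:
        return ["name must not be empty"]
    if len(name) > MAX_SUBDOMAIN_LEN:
        problems.append(f"name is longer than {MAX_SUBDOMAIN_LEN} characters")
    if name != name.lower():
        problems.append("name must be lowercase")
    for label in name.split("."):
        if not label:
            problems.append("name must not contain empty labels (leading, trailing or double dots)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label '{label}' is longer than {MAX_LABEL_LEN} characters")
        elif _DNS_LABEL.match(label.lower()) is None:
            problems.append(
                f"label '{label}' must start and end with an alphanumeric "
                "and contain only a-z, 0-9 and '-'"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample names, as a user might type them into the form.
    for candidate in ["db-password", "DB-Password", "db_password", "-db", "app.db-password", "app..db"]:
        print(candidate, "->", validate_secret_name(candidate) or "ok")
```

The lowercase check is reported separately from the character-set check so that a name such as DB-Password yields one actionable message instead of one per label.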
Add support for multiline cleartext secrets or submitting complete files.
After we migrated to FastAPI, we can get rid of the mock. The dummy return values when not using Kubernetes can be returned by the origin API by using a specific toggle (MOCK_ENABLED).
So we don't have to maintain multiple code bases.
There is no workload with the label pp, so the service is pointing into the void.
Add better effects on the copy button.
(Javascript and CSS magic.)
Optional dark mode for the webgui.
Just for fun
It should be possible to encrypt multiple sealed secret objects at once. Currently you have to create them successively.
Use pyproject.toml to setup the api instead of using setup.py
I have deployed kubeseal-webgui with the helm chart with autofetch set to true in the values.yaml.
But I got this error.
Warning Failed 16s (x3 over 36s) kubelet Error: failed to create containerd task: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "/kubeseal-webgui/bin/kubeseal-fetch.sh": permission denied: unknown
When a secret is rendered we currently only display a complete SealedSecrets YAML object.
Sometimes you just need the value of a specific key.
We could display all rendered key-value pairs inside a collapsible if a single value is needed. There we can also display a little copy button for comfortable usage.
Currently it is required to manually configure the public certificate to seal secrets. It should be possible to optionally retrieve the public cert of the sealed secrets controller by providing the namespace and the controller name.
Thank you for the tools.
Great job!!
Could we improve it by adding an annotation handler?
In fact Sealed Secrets encrypt data but also annotations. So adding an annotation on the SealedSecret object will not add it when unsealing it.
We have to add the annotation on the Secret resource first, and only then can we seal it, in order to take the annotation into account.
Can we improve the GUI to let us add some annotations like:
sealedsecrets.bitnami.com/managed
sealedsecrets.bitnami.com/namespace-wide
sealedsecrets.bitnami.com/cluster-wide
Add a little popup/tooltip that explains the usage of kubeseal webgui in detail. It should be more detailed than the labels of the form inputs.
Could be solved with: https://popper.js.org/
The hover effect on the page should be modified.
The Sealed-Secret shouldn't expand onto the next line when you hover the HTML element.
Users request the namespaces from the kubeseal-webui API, which in turn accesses the Kubernetes API using a service account.
Given that the role associated with the service account has no restrictions on which namespaces it can see, all available namespaces are returned. Therefore a user can see all namespaces even when they themselves have no access to them.
Kubernetes supports impersonating users when performing requests against its API, which would allow the kubeseal-webui API to limit its namespace result to the namespaces relevant to the current user.
Currently kubeseal-webui has no concept of users and/or groups. This information however can be passed on e.g. via headers.
Add support for reading user information from request headers, and use it to dispatch impersonated Kubernetes API requests.
We have deployed kubeseal-webui behind a reverse proxy which performs user authentication and can forward the authentication information via headers (e.g. X-Forwarded-User).
Given that the impersonation support in the Python library is limited, I would suggest limiting impersonation to users for now (as opposed to users and groups).
This feature must be explicitly enabled by admins in environments where the authentication information can be trusted, otherwise users can make requests with rogue authentication headers:
The role resource must also be adjusted to include the impersonation permission (must also be explicitly enabled):
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
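As an added example that is not part of this issue or of the kubeseal-webgui code, the header-gating step described above in Python: the value of the proxy-set user header is only turned into a Kubernetes Impersonate-User header when an admin has explicitly enabled the feature, and it is validated first. The config class, function names, the default header name and the fail-closed choice (feature enabled but no valid header is an error rather than a silent fallback to the more privileged service account identity) are my assumptions; the Kubernetes API server does honour the Impersonate-User request header when the caller holds the impersonate verb on users, as the role snippet above grants.

```python
from __future__ import annotations

from collections.abc import Mapping
from dataclasses import dataclass

# Request header the Kubernetes API server evaluates for user impersonation.
IMPERSONATE_USER_HEADER = "Impersonate-User"


@dataclass(frozen=True)
class ImpersonationConfig:
    # Off by default: only switch on behind a proxy that authenticates users
    # and overwrites the user header on every request (so clients cannot set it).
    enabled: bool = False
    # Header the trusted reverse proxy sets (assumed default; should be configurable).
    user_header: str = "X-Forwarded-User"
    max_user_len: int = 256


class ImpersonationError(ValueError):
    """Raised when impersonation is enabled but no usable user identity was supplied."""


def _valid_username(user: str, max_len: int) -> bool:
    # Reject empty, over-long or non-printable values (including CR/LF), so the
    # value can be safely placed into an outgoing HTTP header.
    if not user or len(user) > max_len:
        return False
    return all(ch.isprintable() for ch in user)


def impersonation_headers(cfg: ImpersonationConfig, request_headers: Mapping[str, str]) -> dict[str, str]:
    """Return the extra headers to attach to the Kubernetes API request.

    Disabled: always {} -> the request runs as the pod's service account and any
    client-supplied user header is ignored entirely.
    Enabled: the proxy-set user header is required and validated; a missing or
    malformed value raises instead of falling back to the service account.
    """
    if not cfg.enabled:
        return {}
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in request_headers.items()}
    user = lowered.get(cfg.user_header.lower(), "").strip()
    if not _valid_username(user, cfg.max_user_len):
        raise ImpersonationError("impersonation is enabled but no valid user header was supplied")
    return {IMPERSONATE_USER_HEADER: user}


if __name__ == "__main__":
    # Constructed sample request headers, as a reverse proxy would forward them.
    incoming = {"Host": "kubeseal.example.internal", "X-Forwarded-User": "alice"}
    print("disabled:", impersonation_headers(ImpersonationConfig(), incoming))
    print("enabled: ", impersonation_headers(ImpersonationConfig(enabled=True), incoming))
```

With the official Python client (not imported here) the returned dict can be applied per request through the generated ApiClient's set_default_header(name, value) before listing namespaces, so the API server's own RBAC decides which namespaces the impersonated user may see.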