crypt-controller

command module
v0.0.0-...-e995ff0 Latest
Published: May 25, 2019 License: MIT Imports: 14 Imported by: 0

README

Crypt Controller

Goal

The goal of this controller is to help automatically provision namespaces with secrets, and to keep those secrets up to date, using a key-value store as a central repository of data.

This is done using a Custom Resource Definition called a Crypt, which defines a list of target namespaces and a list of secrets sources. The controller takes care of fetching the secret data from the source and making sure all the secrets are present and up to date.

Installing crypt-controller using Helm

$  helm install ./chart --set {{custom values}}

The values.yaml file in the chart folder requires some configuration before the controller runs correctly, most notably the store configuration section:

storeType: invalid
store:
  consul:
    enabled: false
    env: {}
  vault:
    enabled: false
    env: {}

storeType must be set to a supported value (either consul or vault), the matching node in the store section must have enabled: true, and every environment variable that backend requires must be provided in its env section.

Data Model

The values stored in the key-value store are expected to be key-value maps of type string -> []byte (i.e. a simple JSON object with string keys and base64-encoded values).
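As an added example (not code from the crypt-controller project), the following Go snippet decodes one store value of that shape into a map[string][]byte and rejects anything that could not become a valid Kubernetes Secret. The function name DecodeStoreValue and the sample JSON are assumptions made for this example; the key character set is the one the Kubernetes API accepts for Secret data keys.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// secretKeyRE is the character set Kubernetes accepts for keys in a
// Secret's data map: alphanumerics, '-', '_' and '.'.
var secretKeyRE = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// DecodeStoreValue parses one value fetched from the key-value store.
// The store is expected to hold a JSON object with string keys and
// base64-encoded values, which is exactly how encoding/json represents a
// map[string][]byte, so the standard decoder performs the base64 step.
// Anything that could not become a valid Secret is rejected: non-object
// JSON, malformed base64, or keys the API server would refuse.
func DecodeStoreValue(raw []byte) (map[string][]byte, error) {
	var data map[string][]byte
	if err := json.Unmarshal(raw, &data); err != nil {
		return nil, fmt.Errorf("store value is not a string->base64 map: %w", err)
	}
	if data == nil {
		return nil, fmt.Errorf("store value is JSON null, expected an object")
	}
	for k := range data {
		if !secretKeyRE.MatchString(k) {
			return nil, fmt.Errorf("key %q is not a valid Secret data key", k)
		}
	}
	return data, nil
}

func main() {
	// Constructed sample: what a value under crypt/dev/foo might look like.
	sample := []byte(`{"username":"YWRtaW4=","password":"czNjcjN0"}`)
	data, err := DecodeStoreValue(sample)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for k, v := range data {
		fmt.Printf("%s: %d bytes\n", k, len(v))
	}
	// A value with a key Kubernetes would not accept is refused up front,
	// before any Secret object is built from it.
	_, err = DecodeStoreValue([]byte(`{"bad key":"YWRtaW4="}`))
	fmt.Println("rejected:", err)
}
```

Validating the map before touching the API server means a malformed store entry fails the reconcile with a clear error rather than producing a Secret the API server rejects on every resync.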

Usage

Once the controller is running on your cluster, you can create Crypt resources as you would create any other resource. An example Crypt resource definition:

apiVersion: core.bluehoodie.io/v1alpha1
kind: Crypt
metadata:
  name: test-crypt
  namespace: default
spec:
  secrets:
    - name: foo
      key: crypt/dev/foo
    - name: bar
      key: crypt/dev/bar
  namespaces:
    - dev-*

This Crypt will automatically pull data from the keys crypt/dev/foo and crypt/dev/bar and create Secrets named foo and bar, respectively, in every namespace matching the pattern dev-*.

Expected behaviour:

  • If the secrets managed by a crypt are deleted, then the controller will re-create them.
  • If new namespaces appear, then crypts will be checked to see if any secrets need to be created in this namespace.
  • If the data in the store changes, then the data in the secrets will be updated (after the resync period, so with a short delay).
  • If the crypt resource is deleted, all of its associated secrets are also deleted.
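The example Crypt above and the expected behaviour just listed can be modelled as one reconcile pass: match namespaces against the dev-* glob, derive the desired Secrets from the store, and diff them against what exists. The Go code below is an added illustration, not the controller's own implementation; the types CryptSpec, SecretSource, SecretRef and Plan, the functions MatchNamespaces and Reconcile, and the use of path.Match for glob semantics are all assumptions of this example. It works on already-decoded map[string][]byte data, and models the crypt-deletion case as a separate flag.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"sort"
)

// SecretSource mirrors one entry of spec.secrets: the Secret to create and
// the store key its data is read from.
type SecretSource struct {
	Name string
	Key  string
}

// CryptSpec mirrors the Crypt spec: secret sources plus namespace globs.
type CryptSpec struct {
	Secrets    []SecretSource
	Namespaces []string // shell-style patterns such as "dev-*"
}

// SecretRef identifies a Secret by namespace and name.
type SecretRef struct{ Namespace, Name string }

// Plan lists the actions one reconcile pass would take.
type Plan struct{ Create, Update, Delete []SecretRef }

// MatchNamespaces returns, sorted, the namespaces selected by the patterns.
// path.Match gives the "dev-*" glob semantics; an unparsable pattern is an
// error rather than silently matching nothing.
func MatchNamespaces(patterns, namespaces []string) ([]string, error) {
	var out []string
	for _, ns := range namespaces {
		for _, p := range patterns {
			ok, err := path.Match(p, ns)
			if err != nil {
				return nil, fmt.Errorf("bad namespace pattern %q: %w", p, err)
			}
			if ok {
				out = append(out, ns)
				break
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

// Reconcile derives the desired secrets (matched namespaces x sources, with
// data taken from the store) and diffs them against what exists in the
// cluster. Missing secrets are created, stale ones updated, and when the
// crypt itself has been deleted every secret it owns is removed instead.
func Reconcile(spec CryptSpec, cryptDeleted bool, namespaces []string,
	store map[string]map[string][]byte, existing map[SecretRef]map[string][]byte) (Plan, error) {
	var plan Plan
	matched, err := MatchNamespaces(spec.Namespaces, namespaces)
	if err != nil {
		return plan, err
	}
	for _, ns := range matched {
		for _, src := range spec.Secrets {
			want, ok := store[src.Key]
			if !ok {
				return plan, fmt.Errorf("store key %q for secret %q not found", src.Key, src.Name)
			}
			ref := SecretRef{Namespace: ns, Name: src.Name}
			have, present := existing[ref]
			switch {
			case cryptDeleted:
				if present {
					plan.Delete = append(plan.Delete, ref)
				}
			case !present:
				plan.Create = append(plan.Create, ref)
			case !sameData(want, have):
				plan.Update = append(plan.Update, ref)
			}
		}
	}
	return plan, nil
}

// sameData reports whether two Secret data maps hold identical bytes.
func sameData(a, b map[string][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	for k, va := range a {
		if vb, ok := b[k]; !ok || !bytes.Equal(va, vb) {
			return false
		}
	}
	return true
}
```

Calling Reconcile with the README's spec (foo and bar from crypt/dev/foo and crypt/dev/bar, namespaces dev-*), the namespace list dev-a, dev-b, prod, and a cluster where dev-a already holds an up-to-date foo and a stale bar yields a plan that creates both secrets in dev-b, updates dev-a/bar, touches nothing in prod, and, with cryptDeleted set, deletes only the secrets the Crypt owns.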

Contributing

Issues and pull requests welcome.

Documentation


There is no documentation for this package.

Directories

Path Synopsis
pkg
apis/crypt/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
client/clientset/versioned
This package has the automatically generated clientset.
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
client/clientset/versioned/typed/crypt/v1alpha1
This package has the automatically generated typed clients.
client/clientset/versioned/typed/crypt/v1alpha1/fake
Package fake has the automatically generated clients.
