Kubernetes Integration
Closed this issue · 0 comments
9876691 commented
What will this give
- Secrets end-to-end encrypted all the way to the cluster
- Secrets updated in cloak are refreshed in the cluster
- Secrets refreshed in cluster trigger deployments.
Possibilities
- https://github.com/kubernetes-sigs/secrets-store-csi-driver
- https://external-secrets.io
- Mutating Admission Webhook
- Run a job that downloads secrets and runs kubectl? https://stackoverflow.com/questions/54904069/how-to-schedule-a-cronjob-which-executes-a-kubectl-command
Look at
- SecretHub pushes its CLI into the image and calls it. https://github.com/secrethub/secrethub-kubernetes-mutating-webhook
- Inject secrets into pod on startup. https://github.com/doitintl/kube-secrets-init
- Possibility of a restart if secret changes
- Reloader - Restarts pods etc. if a secret changes - https://github.com/stakater/Reloader
- Sealed Secrets - Encrypted before they hit K8s - https://github.com/bitnami-labs/sealed-secrets
- Create sealed secrets with external secrets operator?
- Certificates for webhooks https://medium.com/trendyol-tech/5-ways-of-managing-tls-certificates-for-your-kubernetes-admission-webhooks-b2ca971c065
Cron Job PoC
# Dump the cloak env into a temp file, render it as a Secret manifest, then clean up
tmpfile=$(mktemp /tmp/env.XXXXX)
trap 'rm -f "$tmpfile"' EXIT   # remove the plaintext env file even if a step fails
cloak env > "$tmpfile"
kubectl create secret generic credentials --dry-run=client -o yaml --from-env-file="$tmpfile"
- Call CLI and dump to .env
- Load via kubectl if it is different.
ESO and Sealed Secrets PoC
- Install sealed secrets
- Create a sealed secret - Raw mode (experimental)
- Install ESO
- Can ESO generate a sealed secret?
ESO and Mutating Webhook
- Add a webhook to cloak compatible with ESO
- ESO generates a Secret with metadata
- Write a mutating webhook that decrypts the secrets, e.g. https://github.com/christianhxc/smartkey-kubernetes-webhook
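A worked version of the Cron Job PoC sketched in the issue ("call CLI and dump to .env, load via kubectl if it is different"), as an added example that is not code from the issue author or from cloak. It assumes `cloak env` prints plain `KEY=VALUE` lines; the sample env file, the `example.local/env-sha256` annotation key and the `STATE_FILE` variable are constructed for this example. The Secret name `credentials` is the one used in the issue.

```shell
#!/bin/sh
# Added example, not code from the issue or from cloak: the "dump to .env, load
# via kubectl if it is different" loop as a script a CronJob could run.
# Assumptions: `cloak env` prints KEY=VALUE lines (one per line, no quoting),
# and the annotation key example.local/env-sha256 is invented for this example.

# sha256 of a file's content, used to decide whether an apply is needed.
env_checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}

# Render the KEY=VALUE file $1 as an Opaque Secret named $2. Values are
# base64-encoded into .data, so quoting/escaping never touches the YAML, and
# the checksum annotation changes whenever any value changes, which is what a
# watcher such as Reloader needs to see.
render_secret() {
  envfile=$1
  name=$2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  printf '  annotations:\n    example.local/env-sha256: %s\n' "$(env_checksum "$envfile")"
  printf 'type: Opaque\ndata:\n'
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    key=${line%%=*}
    val=${line#*=}                            # keep any '=' inside the value
    printf '  %s: %s\n' "$key" "$(printf '%s' "$val" | base64 | tr -d '\n')"
  done < "$envfile"
}

# True (exit 0) when the env file's checksum differs from the one recorded in $2.
secret_changed() {
  new=$(env_checksum "$1")
  old=$(cat "$2" 2>/dev/null || true)
  [ "$new" != "$old" ]
}

# One CronJob run. A constructed env file stands in for `cloak env` output so
# the script runs without cloak or a cluster; the real commands are shown
# commented out next to their stand-ins.
main() {
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT                  # plaintext never outlives the run
  printf 'DB_USER=app\nDB_PASS=s3cr3t\n' > "$work/env"   # cloak env > "$work/env"
  state=${STATE_FILE:-$work/last.sha256}      # persist this across runs in real use
  if secret_changed "$work/env" "$state"; then
    render_secret "$work/env" credentials > "$work/secret.yaml"
    # kubectl apply -f "$work/secret.yaml"
    env_checksum "$work/env" > "$state"
    echo "secret changed, manifest written"
  else
    echo "secret unchanged, nothing to apply"
  fi
}

main "$@"
```

In a real CronJob the checksum file has to survive between runs (a small PVC, or read the previous value back from the live object with `kubectl get secret credentials -o jsonpath='{.metadata.annotations}'` and compare against it), otherwise every run applies. Because the annotation moves with the content, a Reloader-annotated Deployment, or a pod template that copies this checksum into its own annotations, picks up the change without any extra trigger.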