doitintl / secrets-init

Licence: Apache-2.0 License
minimalistic init system for containers with AWS/GCP secrets support

Blog Post

Kubernetes and Secrets Management in the Cloud

secrets-init

secrets-init is a minimalistic init system designed to run as PID 1 inside container environments, similar to dumb-init, and integrated with multiple secrets manager services: AWS Secrets Manager, AWS Systems Manager Parameter Store and Google Secret Manager.

Why you need an init system

Please read the explanation in the Yelp dumb-init repository.

Summary:

  • Proper signal forwarding
  • Orphaned zombies reaping

What secrets-init does

secrets-init runs as PID 1, acting as a simple init system. It launches a single process and then proxies all received signals to the session rooted at that child process.

secrets-init also passes almost all environment variables through unmodified, replacing only those whose values reference secrets with values fetched from the secret management services.
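The following is an added example, not code from the secrets-init project, that shows the PID 1 behaviour described above in Go: the child is started as the leader of a new session, signals received by the init process are forwarded to that whole process group, every child that terminates is reaped (including orphans re-parented to PID 1), and the main child's exit status becomes the init's own. The function name `RunAsInit` and the shell-convention mapping of a fatal signal to exit code 128+N are assumptions of this example; it requires Linux (or another Unix with `setsid` and `wait4`).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
)

// RunAsInit starts argv in a new session (so the child leads its own process
// group), forwards the listed signals to that group, reaps every child that
// exits, and returns the main child's exit code once it has terminated.
// env == nil inherits the caller's environment; secrets-init would pass the
// environment with secret references already resolved here.
func RunAsInit(argv []string, env []string) (int, error) {
	if len(argv) == 0 {
		return 1, errors.New("no command given")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = env
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
	if err := cmd.Start(); err != nil {
		return 1, err
	}
	child := cmd.Process.Pid

	// Signal proxying: whatever the container runtime sends us goes to the
	// child's process group (negative pid), exactly as dumb-init does.
	sigs := make(chan os.Signal, 8)
	signal.Notify(sigs, syscall.SIGTERM, syscall.SIGINT, syscall.SIGHUP,
		syscall.SIGQUIT, syscall.SIGUSR1, syscall.SIGUSR2)
	defer signal.Stop(sigs)
	done := make(chan struct{})
	defer close(done)
	go func() {
		for {
			select {
			case s := <-sigs:
				_ = syscall.Kill(-child, s.(syscall.Signal))
			case <-done:
				return
			}
		}
	}()

	// Zombie reaping: wait4(-1) collects any terminated child, not only the
	// one we started; orphans adopted by PID 1 are reaped here too.
	for {
		var ws syscall.WaitStatus
		pid, err := syscall.Wait4(-1, &ws, 0, nil)
		if err == syscall.EINTR {
			continue
		}
		if err != nil {
			// ECHILD: nothing left to reap although the main child was never seen
			return 1, err
		}
		if pid != child {
			continue // an orphaned zombie, now reaped
		}
		switch {
		case ws.Exited():
			return ws.ExitStatus(), nil
		case ws.Signaled():
			return 128 + int(ws.Signal()), nil // shell convention (assumption)
		}
	}
}

func main() {
	code, err := RunAsInit(os.Args[1:], nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, "init:", err)
	}
	os.Exit(code)
}
```

Built as a static binary and set as the container ENTRYPOINT, `RunAsInit` gives the application process the signal delivery and zombie collection that the "Why you need an init system" section lists; without it, `docker stop` would hit a PID 1 that ignores SIGTERM and processes orphaned by a forking workload would never be reaped.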

Integration with AWS Secrets Manager

A user can put an AWS secret ARN as an environment variable value. secrets-init resolves any environment variable whose value is such an ARN to the referenced secret value.

If the secret is stored as key/value pairs, every key in the secret is exported as its own environment variable and passed on. The name of the original environment variable is ignored unless it also appears as one of the keys in the secret.

# environment variable passed to `secrets-init`
MY_DB_PASSWORD=arn:aws:secretsmanager:$AWS_REGION:$AWS_ACCOUNT_ID:secret:mydbpassword-cdma3

# environment variable passed to child process, resolved by `secrets-init`
MY_DB_PASSWORD=very-secret-password

Integration with AWS Systems Manager Parameter Store

It is possible to use AWS Systems Manager Parameter Store to store application parameters and secrets.

A user can put an AWS Parameter Store ARN as an environment variable value. secrets-init resolves any environment variable whose value is such an ARN to the referenced parameter value.

# environment variable passed to `secrets-init`
MY_API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key
# OR versioned parameter
MY_API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key:$VERSION

# environment variable passed to child process, resolved by `secrets-init`
MY_API_KEY=key-123456789

Integration with Google Secret Manager

A user can put a Google secret name (prefixed with gcp:secretmanager:) as an environment variable value. secrets-init resolves any environment variable whose value is such a name to the referenced secret value.

# environment variable passed to `secrets-init`
MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword
# OR versioned secret (with version or 'latest')
MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword/versions/2

# environment variable passed to child process, resolved by `secrets-init`
MY_DB_PASSWORD=very-secret-password
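The three integrations above (AWS Secrets Manager with its key/value expansion rule, AWS Systems Manager Parameter Store, and Google Secret Manager) share one environment-rewriting step. The following is an added example, not the project's own code, that implements that step in Go against an in-memory store so it runs offline; the `Resolver` interface, the `mapResolver` stand-in for the cloud SDK clients, and every ARN, project id and secret value in `DemoStore` and `DemoEnv` are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Resolver fetches a secret payload by reference. In secrets-init this is
// backed by the AWS and Google SDKs; here an in-memory map stands in for them.
type Resolver interface {
	Lookup(ref string) (string, error)
}

type mapResolver map[string]string

func (m mapResolver) Lookup(ref string) (string, error) {
	v, ok := m[ref]
	if !ok {
		return "", fmt.Errorf("secret reference %q not found", ref)
	}
	return v, nil
}

// IsSecretRef reports whether a value is one of the three reference forms
// documented above; anything else is passed through unchanged.
func IsSecretRef(value string) bool {
	return strings.HasPrefix(value, "arn:aws:secretsmanager:") ||
		(strings.HasPrefix(value, "arn:aws:ssm:") && strings.Contains(value, ":parameter/")) ||
		strings.HasPrefix(value, "gcp:secretmanager:")
}

// ResolveEnv returns a new environment with every NAME=ref entry resolved.
// A Secrets Manager payload that parses as a JSON object is expanded key by
// key and NAME itself is dropped unless it is one of those keys (the
// key/value rule above). Any other payload is assigned to NAME verbatim.
// Expanded keys are emitted in sorted order so the output is deterministic.
func ResolveEnv(env []string, r Resolver) ([]string, error) {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, value, found := strings.Cut(kv, "=")
		if !found || !IsSecretRef(value) {
			out = append(out, kv)
			continue
		}
		payload, err := r.Lookup(value)
		if err != nil {
			return nil, fmt.Errorf("resolving %s: %w", name, err)
		}
		var obj map[string]any
		if strings.HasPrefix(value, "arn:aws:secretsmanager:") &&
			json.Unmarshal([]byte(payload), &obj) == nil && obj != nil {
			keys := make([]string, 0, len(obj))
			for k := range obj {
				keys = append(keys, k)
			}
			sort.Strings(keys)
			for _, k := range keys {
				out = append(out, fmt.Sprintf("%s=%v", k, obj[k]))
			}
			continue
		}
		out = append(out, name+"="+payload)
	}
	return out, nil
}

// Get returns the value of name in env and whether it was present.
func Get(env []string, name string) (string, bool) {
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok && k == name {
			return v, true
		}
	}
	return "", false
}

// DemoStore holds constructed sample payloads (account id, ARNs, project id
// and values are all made up for this example).
var DemoStore = mapResolver{
	"arn:aws:secretsmanager:us-east-1:123456789012:secret:mydbpassword-cdma3": "very-secret-password",
	"arn:aws:secretsmanager:us-east-1:123456789012:secret:dbcreds-abc123":     `{"DB_USER":"app","DB_PASS":"p4ss"}`,
	"arn:aws:ssm:us-east-1:123456789012:parameter/api/key:3":                  "key-123456789",
	"gcp:secretmanager:projects/demo-project/secrets/mydbpassword/versions/2":  "gcp-secret-value",
}

// DemoEnv is a constructed environment as a container might hand it to secrets-init.
var DemoEnv = []string{
	"PATH=/usr/bin",
	"MY_DB_PASSWORD=arn:aws:secretsmanager:us-east-1:123456789012:secret:mydbpassword-cdma3",
	"DB_CREDS=arn:aws:secretsmanager:us-east-1:123456789012:secret:dbcreds-abc123",
	"MY_API_KEY=arn:aws:ssm:us-east-1:123456789012:parameter/api/key:3",
	"GCP_DB_PASSWORD=gcp:secretmanager:projects/demo-project/secrets/mydbpassword/versions/2",
}

func main() {
	resolved, err := ResolveEnv(DemoEnv, DemoStore)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, kv := range resolved {
		fmt.Println(kv)
	}
}
```

Two points worth noticing: a reference that cannot be resolved is an error rather than a silent pass-through, so a misconfigured container fails to start instead of running with an ARN string as its database password; and the key/value expansion means the variable name `DB_CREDS` never reaches the child, only `DB_USER` and `DB_PASS` do, which is the behaviour the Secrets Manager section describes.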

Requirements

Container

If you are building your own Docker image, make sure to include the ca-certificates package (the SDK calls to the secret services are over TLS), or use the prebuilt doitintl/secrets-init Docker image (linux/amd64, linux/arm64).

AWS

To resolve AWS secrets from AWS Secrets Manager and Parameter Store, secrets-init should run under an IAM role that has permission to access the desired secrets.

This can be achieved by assigning an IAM role to the Kubernetes Pod or ECS task. It is also possible to assign an IAM role to the EC2 instance on which the container runs, but this option is less secure, since every container on that instance inherits the same permissions.

Google Cloud

To resolve Google secrets from Google Secret Manager, secrets-init should run under an IAM role that has permission to access the desired secrets.

This can be achieved by assigning an IAM role to the Kubernetes Pod with Workload Identity. It is also possible to assign an IAM role to the GCE instance on which the container runs, but this option is less secure, since every container on that instance inherits the same permissions.

Kubernetes secrets-init admission webhook

kube-secrets-init implements a Kubernetes mutating admission webhook that injects a secrets-init initContainer into any Pod that references cloud secrets (AWS Secrets Manager, AWS SSM Parameter Store or Google Secret Manager), implicitly or explicitly.

Code Reference

The initial init system code was copied from the go-init project.