kapicorp / tesoro

Licence: Apache-2.0
Kapitan Admission Controller Webhook

Tesoro

Kapitan Secrets Controller for Kubernetes


Tesoro lets you apply Kubernetes manifests that still contain Kapitan secret refs. Because it runs inside the cluster as a mutating admission webhook, the embedded refs are revealed at admission time, so the plaintext never has to exist on the machine running kubectl. It supports all Kapitan secrets backends: AWS KMS, GCP KMS and Vault, with more to come.

Example

Say you have just set up Tesoro and have this compiled kapitan project:

compiled/my-target/manifests
├── my-deployment.yml
└── my-secret.yml
...

And you have the Tesoro label and kapitan secret ref in my-secret.yml:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  labels:
    tesoro.kapicorp.com: enabled
type: Opaque
stringData:
  secret_sauce: ?{gkms:my/secret1:deadbeef}

All you have to do is compile refs in embedded format:

$ kapitan compile --embed-refs

...and you will notice that your kapitan secret ref in my-secret.yml now looks like:

...
type: Opaque
stringData:
  secret_sauce: ?{gkms:eyJkYXRhIjogImNtVm1JREVnWkdGMFlRPT0iLCAiZW5jb2RpbmciOiAib3JpZ2luYWwiLCAidHlwZSI6ICJiYXNlNjQifQ==:embedded}
...

This means that your kubernetes manifests and secrets are ready to be applied:

$ kubectl apply -f compiled/my-target/manifests/my-secret.yml
secret/my-secret configured

Why is this a big deal? Because without Tesoro, you'd have to reveal secrets locally when applying, so the plaintext passes through your workstation and its shell pipeline:

$ kapitan refs --reveal -f compiled/my-target/manifests/my-secret.yml | kubectl apply -f -

How do I know my secret refs revealed successfully? Tesoro denies the admission request whenever a reveal fails, so an apply that succeeds means every ref was revealed. A failed reveal looks like this:

$ kubectl apply -f compiled/my-target/manifests/my-secret.yml
Error from server: error when creating "compiled/my-target/manifests/my-secret.yml": admission webhook "tesoro-admission-controller.tesoro.svc" denied the request: Kapitan reveal failed

You can also set up Prometheus monitoring for this. See Monitoring.

Setup

Tesoro is a Kubernetes mutating admission webhook (a MutatingWebhookConfiguration plus a TLS service the API server calls), which means you'll need at minimum a Kubernetes v1.9 cluster.

Example Kubernetes Config

You'll find the predefined example config in the k8s/ directory. Please make sure you read the Kubernetes documentation on setting up mutating admission webhooks first!

1 - ClusterRole and ClusterRoleBinding

$ kubectl apply -f k8s/clusterrole.yaml
$ kubectl apply -f k8s/clusterrolebinding.yaml

2 - Tesoro Namespace

We will be running the webhook in the tesoro namespace

$ kubectl apply -f k8s/tesoro_namespace.yaml

3 - Tesoro Webhook Config & Certs

For convenience, tesoro_mutatingwebhook.yaml and tesoro_secret.yaml ship with a working certificate, private key and caBundle, for testing purposes only.

Security advice: FOR PROD, PLEASE SET UP YOUR OWN. The bundled private key is published in this repository, so it authenticates nothing: the API server checks the webhook's serving certificate against caBundle, and anyone holding that key could present it. Issue a serving certificate whose SAN matches the DNS name the API server dials (the service named in the webhook's clientConfig.service, as <service>.tesoro.svc), put the key and certificate in k8s/tesoro_secret.yaml, and set caBundle in k8s/tesoro_mutatingwebhook.yaml to the CA that signed it.

$ kubectl -n tesoro apply -f k8s/tesoro_secret.yaml
$ kubectl -n tesoro apply -f k8s/tesoro_service.yaml
$ kubectl -n tesoro apply -f k8s/tesoro_deployment.yaml

Verify the tesoro pod is up and running:

$ kubectl -n tesoro get pods
NAME                                           READY   STATUS    RESTARTS   AGE
tesoro-admission-controller-584b9d87c6-p69bx   1/1     Running   0          1m

And finally apply the MutatingWebhookConfiguration:

$ kubectl apply -f k8s/tesoro_mutatingwebhook.yaml

4 - Try a Kubernetes Manifest with Secret Refs

This manifest with a valid ref, should work:

$ kubectl apply -f tests/k8s/nginx_deployment.yml
deployment.apps/nginx-deployment created

The following manifest with a bogus ref, should fail:

$ kubectl apply -f tests/k8s/nginx_deployment_bad.yml
Error from server: error when creating "nginx_deployment_bad.yml": admission webhook "tesoro-admission-controller.tesoro.svc" denied the request: Kapitan reveal failed

Helm chart

This repository includes a helm chart which offers an alternative way to install Tesoro:

kubectl create ns tesoro
helm install tesoro chart -n tesoro

Vault support

To reveal Vault references Tesoro needs a Vault token. Create one by logging into Vault with whichever auth method you have configured; this example uses GitHub (omit token=... to be prompted for it instead of leaving the GitHub token in your shell history):

vault login -no-print -method=github token=XXXXXXXXXXX

Then install the chart, passing the token as the VAULT_TOKEN environment variable:

helm install tesoro chart -n tesoro --set env.VAULT_TOKEN=$(cat ~/.vault-token)

Upgrading the token

Should the token expire, log in again and upgrade the release with the new token:

vault login -no-print -method=github token=XXXXXXXXXXX
helm upgrade tesoro chart -n tesoro --set env.VAULT_TOKEN=$(cat ~/.vault-token)

Using a secret to store Vault token

A more secure option is to save the token as a Kubernetes Secret. A value passed with --set ends up in the Deployment's pod spec, readable by anyone who can get Deployments in the namespace, and in the Helm release history (which Helm 3 stores as Secrets in the release namespace); a Secret referenced from the chart narrows that to whoever can read Secrets in the tesoro namespace. Either way, attach only the Vault policy Tesoro needs to read its refs to that token.

kubectl create secret generic vault-creds --from-literal=VAULT_TOKEN=$(cat ~/.vault-token) -n tesoro
helm install tesoro chart --set secrets[0]=vault-creds -n tesoro

Monitoring

Tesoro exposes a Prometheus endpoint (by default on port 9095) with the following metrics:

Metric                                 Description                       Type
tesoro_requests_total                  Tesoro total requests             counter
tesoro_requests_failed_total           Tesoro failed requests            counter
kapitan_reveal_requests_total          Kapitan reveal total requests     counter
kapitan_reveal_requests_failed_total   Kapitan reveal failed requests    counter
kapitan_reveal_retry_requests          Kapitan reveal retry requests     counter

Handling Failure

Since revealing relies on external services (such as Google KMS, AWS KMS, etc.), Tesoro retries a failed reveal request up to 3 times before denying the admission request; the retries show up in the kapitan_reveal_retry_requests counter.

Local testing

Run Tesoro locally with python -m tesoro --verbose (it listens on port 8080 by default, plain HTTP) and exercise its endpoints by sending the same requests the Kubernetes API server would send, e.g. the AdmissionReview in tests/request.json:

cd tests/

curl -X POST -H "Content-Type: application/json" --data @request.json http://localhost:8080/mutate
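An offline stand-in for the /mutate handler exercised above, added here as example code (it is not Tesoro's or Kapitan's own implementation). It ties together the two things this page shows: it parses both ref forms, ?{type:path:hash} and ?{type:<base64 json>:embedded} from the Example section, reveals the refs it can, and answers an AdmissionReview the way a mutating webhook must, with a base64 JSONPatch when every ref was revealed and allowed: false with "Kapitan reveal failed" otherwise, the denial shown in the Example and Setup sections. Assumed, not taken from the page: the embedded JSON keys data/encoding/type, the admission.k8s.io/v1 AdmissionReview shape, and the constructed sample request (its uid is made up). One thing it makes visible: the embedded value from my-secret.yml above decodes to {"data": "cmVmIDEgZGF0YQ==", "encoding": "original", "type": "base64"}, a base64-type ref whose plaintext is "ref 1 data", not KMS ciphertext. base64 refs give no confidentiality; the KMS and Vault types do, and they need the real backend, which this stub deliberately lacks, so they take the denial path.

```python
"""Offline stand-in for Tesoro's /mutate handler (example code added to this page,
not Tesoro's or Kapitan's own implementation). Assumes Kapitan's ref syntax
?{type:path:hash} / ?{type:<base64 json>:embedded}, the embedded JSON keys
data/encoding/type, and the admission.k8s.io/v1 AdmissionReview shape."""
import base64
import json
import re
from typing import Any

# ?{gkms:my/secret1:deadbeef}  -> ref kept in the refs directory
# ?{gkms:eyJk...:embedded}     -> ref inlined by `kapitan compile --embed-refs`
REF_RE = re.compile(r"\?\{(\w+):([^}]+)\}")

# The embedded value from this page's my-secret.yml, copied verbatim.
PAGE_EMBEDDED_REF = "?{gkms:eyJkYXRhIjogImNtVm1JREVnWkdGMFlRPT0iLCAiZW5jb2RpbmciOiAib3JpZ2luYWwiLCAidHlwZSI6ICJiYXNlNjQifQ==:embedded}"


class RevealError(Exception):
    """A ref could not be revealed; the webhook must deny the whole request."""


def parse_ref(token: str) -> dict:
    """Split one ref token; embedded refs also get their JSON payload decoded."""
    m = REF_RE.fullmatch(token)
    if m is None or ":" not in m.group(2):
        raise RevealError(f"not a Kapitan ref: {token!r}")
    tag, (body, suffix) = m.group(1), m.group(2).rsplit(":", 1)
    if suffix != "embedded":
        return {"tag": tag, "path": body, "hash": suffix, "embedded": None}
    try:  # binascii.Error and JSONDecodeError are both ValueErrors
        payload = json.loads(base64.b64decode(body, validate=True))
    except ValueError as exc:
        raise RevealError(f"malformed embedded ref: {exc}") from exc
    return {"tag": tag, "path": None, "hash": None, "embedded": payload}


def embedded_ref(tag: str, payload: dict) -> str:
    """Build an embedded ref token from a payload dict (handy for tests)."""
    return f"?{{{tag}:{base64.b64encode(json.dumps(payload).encode()).decode()}:embedded}}"


def reveal(token: str) -> str:
    """Plaintext for refs that carry it in the clear. Only the `base64` type is
    self-describing (an encoding, not encryption: anyone holding the manifest can
    read it). gkms/awskms/vaultkv payloads are ciphertext and need the real
    backend; here they fail, the case Tesoro reports as "Kapitan reveal failed".
    Trusting the embedded `type` over the ?{tag:...} prefix is this example's choice."""
    payload = parse_ref(token)["embedded"]
    if payload is None:
        raise RevealError("ref is not embedded; run `kapitan compile --embed-refs`")
    if (payload.get("type") != "base64" or payload.get("encoding") != "original"
            or not isinstance(payload.get("data"), str)):
        raise RevealError(f"no backend for ref type {payload.get('type')!r}")
    return base64.b64decode(payload["data"]).decode()


def _segment(key: Any) -> str:
    """RFC 6901 escaping for one JSON-pointer segment."""
    return str(key).replace("~", "~0").replace("/", "~1")


def reveal_patch(obj: Any, path: str = "") -> list:
    """Walk the object; one RFC 6902 replace op per string that contains refs."""
    ops = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            ops += reveal_patch(v, f"{path}/{_segment(k)}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            ops += reveal_patch(v, f"{path}/{i}")
    elif isinstance(obj, str) and REF_RE.search(obj):
        ops.append({"op": "replace", "path": path,
                    "value": REF_RE.sub(lambda m: reveal(m.group(0)), obj)})
    return ops


def mutate(review: dict) -> dict:
    """Answer an AdmissionReview: same uid, allowed plus a base64 JSONPatch on
    success; allowed=false on any failure so no manifest lands with refs unrevealed."""
    request = review["request"]
    response = {"uid": request["uid"], "allowed": True}
    try:
        ops = reveal_patch(request["object"])
    except RevealError as exc:
        response["allowed"] = False
        response["status"] = {"code": 400, "message": f"Kapitan reveal failed: {exc}"}
    else:
        if ops:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": response}


def patch_ops(review_response: dict) -> list:
    """Decode the patch the API server would apply (empty list if none)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


def sample_review(secret_value: str) -> dict:
    """Constructed AdmissionReview for this page's my-secret.yml (uid is made up)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "00000000-0000-4000-8000-000000000001",
                        "kind": {"group": "", "version": "v1", "kind": "Secret"},
                        "object": {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                                   "metadata": {"name": "my-secret",
                                                "labels": {"tesoro.kapicorp.com": "enabled"}},
                                   "stringData": {"secret_sauce": secret_value}}}}
```

To compare with the real service, load tests/request.json and call mutate(json.load(f)) on it; the response shape (uid, allowed, patchType, base64 patch) is what the API server expects from the curl above, and any ref the stub cannot reveal yields the same denial text as the cluster.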
