lastpass-operator

module

v1.0.1 Latest Latest Go to latest Published: Jul 12, 2019 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/niqdev/lastpass-operator

Links

Open Source Insights

README ¶

lastpass-operator

A Kubernetes Operator to manage secrets stored in LastPass password manager

How it works

Suppose you have some credentials stored in LastPass

$ lpass show example/my-secret --json
[
  {
    "id": "8190226423897406876",
    "name": "my-secret",
    "fullname": "example/my-secret",
    "username": "whoami",
    "password": "s3cr3t",
    "last_modified_gmt": "1562690587",
    "last_touch": "0",
    "group": "example",
    "url": "https://lastpass.com",
    "note": "{\"myKey\":\"myValue\"}"
  }
]

Define a LastPass Custom Resource to automatically manage the lifecycle of your secrets in Kubernetes

$ cat example/edgelevel_v1alpha1_lastpass_cr.yaml
apiVersion: edgelevel.com/v1alpha1
kind: LastPass
metadata:
  name: example-lastpass
spec:
  secretRef:
    group: example
    name: my-secret
    withUsername: true
    withPassword: true
    withUrl: true
    withNote: true
  syncPolicy:
    enabled: true
    refresh: 10

# create a custom resource
$ kubectl apply -f example/edgelevel_v1alpha1_lastpass_cr.yaml

The operator will take care of create native Kubernetes secrets and keep them up to date that if they change

# verify
$ kubectl get lastpass
$ kubectl get secrets

# inspect
$ kubectl get secret example-lastpass-8190226423897406876 -o yaml
apiVersion: v1
data:
  NOTE: eyJteUtleSI6Im15VmFsdWUifQ==
  PASSWORD: czNjcjN0
  URL: aHR0cHM6Ly9sYXN0cGFzcy5jb20=
  USERNAME: d2hvYW1p
kind: Secret
metadata:
  annotations:
    fullname: example/my-secret
    group: example
    id: "8190226423897406876"
    lastModifiedGmt: "1562690587"
    lastTouch: "0"
    name: my-secret
  creationTimestamp: "2019-07-09T15:00:13Z"
  labels:
    app: lastpass-operator
  name: example-lastpass-8190226423897406876
  namespace: default
  ownerReferences:
  - apiVersion: edgelevel.com/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: LastPass
    name: example-lastpass
    uid: 0687d5a7-5f02-4ee4-a6c4-011c734f4149
  resourceVersion: "113312"
  selfLink: /api/v1/namespaces/default/secrets/example-lastpass-8190226423897406876
  uid: 382008d2-8999-444d-86c8-e4f29eecbe9f
type: Opaque

# check values
$ echo 'czNjcjN0' | base64 --decode
s3cr3t
$ echo 'eyJteUtleSI6Im15VmFsdWUifQ==' | base64 --decode | jq -c
{"myKey":"myValue"}

Metrics are exposed by default in Prometheus format, see an example

# port forward
kubectl port-forward service/lastpass-operator -n lastpass 8080:8383

# request metrics
http :8080/metrics

Considerations

If you want to understand how the operator works, you should have a look at the Reconcile method defined in lastpass_controller and at the CustomResourceDefinition
The diagram below explains the core logic of the reconcile loop

reconcile-loop

The recommended way to install the operator in a cluster is by applying the provided Helm chart
TODO for a working example you should have a look at niqdev/do-k8s
This operator has been mainly developed to simplify the secret management of low security environments, if you are a security paranoid you should audit this project and assess if it meets the security standard of your organization
The operator, for obvious reasons, won't work if you have MFA enabled on LastPass or your credentials "Require Password Reprompt"
Once this Argo CD feature will be implemented it should allow to bind secrets directly to an Application

Development

# download source
mkdir -p $GOPATH/src/github.com/edgelevel && cd $_
git clone git@github.com:edgelevel/lastpass-operator.git
cd lastpass-operator

# install dependencies
dep ensure

Run locally outside the cluster on minkube

# requires virtualbox
minikube start

# apply crd
kubectl apply -f chart/templates/crd.yaml

# run locally
export OPERATOR_NAME=lastpass-operator
export LASTPASS_USERNAME=myUsername
export LASTPASS_PASSWORD=myPassword
operator-sdk up local --namespace=default --verbose

Run as a Deployment inside the cluster

# apply chart
helm template \
  --values chart/values.yaml \
  --set lastpass.username="myUsername" \
  --set lastpass.password="myPassword" \
  chart/ | kubectl apply -n lastpass -f -

Debug issues

# verify logs
kubectl logs deployment/lastpass-operator -n lastpass -f

# access container
kubectl exec -it lastpass-operator-XXX sh -n lastpass
lpass --version
ls -la .lpass/

Publish a new version on DockerHub

# build and publish manually (unsafe)
make docker-push tag=X.Y.Z docker-password=XYZ

# build and publish using travis
git tag vX.Y.Z
git push origin --tags

TODO

add extra Prometheus metrics
publish to OperatorHub

Directories ¶

Path	Synopsis
cmd
manager
pkg
apis
apis/edgelevel/v1alpha1 Package v1alpha1 contains API Schema definitions for the edgelevel v1alpha1 API group +k8s:deepcopy-gen=package,register +groupName=edgelevel.com	Package v1alpha1 contains API Schema definitions for the edgelevel v1alpha1 API group +k8s:deepcopy-gen=package,register +groupName=edgelevel.com
controller
controller/lastpass
lastpass
utils
version

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL