cryptopus-k8s-secretcontroller

command module

v0.1.0 Latest Latest Go to latest Published: Nov 5, 2018 License: Apache-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/puzzle/cryptopus-k8s-secretcontroller

Links

Open Source Insights

README ¶

Cryptopus Secret Controller for Kubernetes / OpenShift

This repository implements a Controller for watching SecretClaim Resources as defined with a CustomResourceDefinition (CRD) and create Secrets bound to a Cryptopus Account

SecretClaims

Sample Yaml File for a SecretClaim:

apiVersion: cryptopussecretcontroller.puzzle.ch/v1alpha1
kind: SecretClaim
metadata:
  name: mysecretclaim
spec:
  secretName: mysecret
  id: [ 2256 ]
  refreshTime: 3600
  cryptopusSecret: my-namespace/cryptopusapi

secretName: is the Name of the Secret that will be created
id: Array of Ids for the Cryptopus Account to get
refreshTime: if > 0, Time after which a Secrets gets an Update with Values from Cryptopus. Defaults to 0, and the CONTROLLER_DEFAULT_REFRESH_TIME (See Env Vars) is used
cryptopusSecret: Secret with Cryptopus API Details (URL, Username, Token). For Details see below

Secret with Cryptopus API Details

You have to create the following Secret with Details of your Cryptopus Instance.

apiVersion: v1
kind: Secret
metadata:
  name: cryptopusapi
type: Opaque
data:
  CRYPTOPUS_API:
  CRYPTOPUS_API_USER:
  CRYPTOPUS_API_TOKEN:

CRYPTOPUS_API: Cryptopus API URL (base64 encoded)
CRYPTOPUS_API_USER: Cryptopus API User with Access to the Accounts you need (base64 encoded)
CRYPTOPUS_API_TOKEN: Cryptopus Token for API User (base64 encoded)

Resulting Secret

The Secret created by a SecretClaim will have a username, password key in the Data Section. username and password will have the account id as suffix. This allows to store more than one Cryptopus Account in the Secret.

apiVersion: v1
data:
  password_2256: ...
  username_2256: ....
kind: Secret
metadata:
  name: mysecret
type: Opaque

Troubleshooting

Look at the Event Section in the SecretClaim to get some Information if something is not working

oc describe SecretClaim mysecretclaim
Events:
  Type    Reason  Age    From                       Message
  ----    ------  ----   ----                       -------
  Normal  Synced  2m11s  cryptopussecretcontroller  SecretClaim synced successfully

Remarks

In Openshift 3.7, Secrets are not automaticly deleted when the SecretClaim is deleted. So you have you remove it manually, otherwise you can't use the same Secret Name again with a SecretClaim

Configuration

Custom Resource Definition

This has to be created befor the Cryptopus Secret Controller is running

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: secretclaims.cryptopussecretcontroller.puzzle.ch
spec:
  group: cryptopussecretcontroller.puzzle.ch
  version: v1alpha1
  names:
    kind: SecretClaim
    plural: secretclaims
  scope: Namespaced

Cluster Role for the ServiceAccount under which the Controller returns

We need the following ClusterRole

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: puzzle:app:cryptopussecretcontroller
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - '*'
- apiGroups:
  - cryptopussecretcontroller.puzzle.ch
  resources:
  - secretclaims
  - secretclaims/finalizers
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update

and a ClusterRoleBinding to the ServiceAccount which the SecretController Pod runs as:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: puzzle:app:cryptopussecretcontroller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: puzzle:app:cryptopussecretcontroller
subjects:
- kind: ServiceAccount
  name: default
  namespace: my-namespace

Environment Variables

CONTROLLER_DEFAULT_REFRESH_TIME

Default Refresh Time when not Set in SecretClaim. If not set, defaults to 300 [s]

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
pkg
apis/cryptopussecretcontroller
apis/cryptopussecretcontroller/v1alpha1 Package v1alpha1 is the v1alpha1 version of the API.	Package v1alpha1 is the v1alpha1 version of the API.
client/clientset/versioned This package has the automatically generated clientset.	This package has the automatically generated clientset.
client/clientset/versioned/fake This package has the automatically generated fake clientset.	This package has the automatically generated fake clientset.
client/clientset/versioned/scheme This package contains the scheme of the automatically generated clientset.	This package contains the scheme of the automatically generated clientset.
client/clientset/versioned/typed/cryptopussecretcontroller/v1alpha1 This package has the automatically generated typed clients.	This package has the automatically generated typed clients.
client/clientset/versioned/typed/cryptopussecretcontroller/v1alpha1/fake Package fake has the automatically generated clients.	Package fake has the automatically generated clients.
client/informers/externalversions
client/informers/externalversions/cryptopussecretcontroller
client/informers/externalversions/cryptopussecretcontroller/v1alpha1
client/informers/externalversions/internalinterfaces
client/listers/cryptopussecretcontroller/v1alpha1
controller
signals

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL