
externalsecret-operator

License: Apache-2.0 License
Language: Google Go
Category: Cloud computing, Cloud native
Software type: Open source software
Region: Unknown
Submitter: 太叔昆
Operating system: Cross-platform
Open source organization:
Target users: Unknown
Software overview

External Secret Operator


This operator reads information from a third-party service like AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.

Disclaimer ⚠️

This project will not be maintained anymore, and we are trying to concentrate efforts on this new collaboration:

external-secrets/external-secrets

Website: https://www.external-secrets.io/


Features

  • Secrets are refreshed from time to time, allowing you to rotate secrets in your providers and still keep everything up to date inside your k8s cluster.
  • Change the refresh interval of the secrets to match your needs. You can even make it 10s if you need to debug something (beware of API rate limits).
  • For the AWS backend we support both simple secrets and binfiles.
  • You can get specific versions of the secrets or just get the latest versions of them.
  • If you change something in your ExternalSecret CR, the operator will reconcile it (even if your refresh interval is big).
  • AWS Secrets Manager, Credstash (AWS KMS), Azure Key Vault, Google Secret Manager and Gitlab backends are currently supported.

Quick start

Using Kustomize

Install the operator CRDs:

% make install

What does it do?

Given a secret defined in AWS Secrets Manager:

% aws secretsmanager create-secret \
  --name=example-externalsecret-key \
  --secret-string='this string is a secret'

and config/credentials/kustomization.yaml updated to reference a credentials file holding valid AWS credentials:

% cat config/credentials/kustomization.yaml
resources:
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml
# - credentials-akv.yaml
% cat config/credentials/credentials-asm.yaml
...
credentials.json: |-
    {
      "accessKeyID": "AKIA...",
      "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
      "sessionToken": ""
    }

and a SecretStore resource definition like this one:

% cat config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  controller: staging
  store:
    type: asm
    auth:
      secretRef:
        name: externalsecret-operator-credentials-asm
    parameters:
      region: eu-west-2

and an ExternalSecret resource definition like this one:

% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
  name: externalsecret-sample
spec:
  storeRef:
    name: externalsecret-operator-secretstore-sample
  data:
    - key: example-externalsecret-key
      version: latest

The operator fetches the secret from AWS Secrets Manager and injects it as a Kubernetes Secret:

% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
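As an added illustration (not the operator's own code), here is a small Python simulation of what the quick start above describes: an ExternalSecret CR is resolved against a constructed in-memory stand-in for AWS Secrets Manager and rendered as the Kubernetes Secret that `kubectl` then reads back, including `version: latest` resolution and a binfile (binary) value. The backend contents, the version labels and the `externalsecret-operator-` name prefix (read off the kubectl output above) are assumptions for the demo, not the project's API.

```python
import base64
from typing import Dict, Tuple

# Constructed stand-in for the AWS Secrets Manager backend (not the real API):
# (secret name, version) -> raw bytes. The version labels are made up for the demo.
FAKE_ASM: Dict[Tuple[str, str], bytes] = {
    ("example-externalsecret-key", "v1"): b"old value",
    ("example-externalsecret-key", "v2"): b"this string is a secret",
    ("example-binfile", "v1"): bytes([0x00, 0xFF, 0x10]),  # a "binfile" secret
}

def fetch(name: str, version: str) -> bytes:
    """Return one secret value; 'latest' resolves to the newest version."""
    versions = sorted(v for (n, v) in FAKE_ASM if n == name)
    if not versions:
        raise KeyError(f"secret {name!r} not found in backend")
    if version == "latest":
        version = versions[-1]
    if (name, version) not in FAKE_ASM:
        raise KeyError(f"secret {name!r} has no version {version!r}")
    return FAKE_ASM[(name, version)]

def reconcile(external_secret: dict, name_prefix: str = "externalsecret-operator-") -> dict:
    """Build the Kubernetes Secret an ExternalSecret CR maps to (a simulation).
    name_prefix is assumed from the README's output: ExternalSecret
    'externalsecret-sample' became Secret 'externalsecret-operator-externalsecret-sample'."""
    data = {}
    for entry in external_secret["spec"]["data"]:
        raw = fetch(entry["key"], entry.get("version", "latest"))
        # Secret .data values are base64 of the raw bytes, text or binary alike.
        data[entry["key"]] = base64.b64encode(raw).decode("ascii")
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name_prefix + external_secret["metadata"]["name"]},
            "data": data}

def decode(secret: dict, key: str) -> bytes:
    """Same check as the README's `kubectl get secret ... | base64 -d`."""
    return base64.b64decode(secret["data"][key])

# The README's ExternalSecret CR as a dict, plus a constructed binfile entry.
EXTERNAL_SECRET = {
    "apiVersion": "secrets.externalsecret-operator.container-solutions.com/v1alpha1",
    "kind": "ExternalSecret",
    "metadata": {"name": "externalsecret-sample"},
    "spec": {"storeRef": {"name": "externalsecret-operator-secretstore-sample"},
             "data": [{"key": "example-externalsecret-key", "version": "latest"},
                      {"key": "example-binfile", "version": "v1"}]},
}
```

Pinning a specific version instead of `latest` is what makes a rotation in the provider visible as a deliberate CR change rather than a silent refresh.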

Architecture

In this article you can find more information about the architecture and design choices.

Here's a high-level diagram of how things are put together.

Running tests

Requirements:

  • Golang 1.15 or later
  • Kubebuilder installed at /usr/local/kubebuilder

Then just:

make test

CRDs Spec

Other Supported Backends

We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported backends are:

  Provider                 Backend   Doc
  AWS Secrets Manager      Info      AWS Secrets Manager Backend Docs
  Credstash                Info      Credstash (AWS KMS) Docs
  GCP Secret Manager       Info      GCP Secret Manager Backend Docs
  Gitlab CI/CD Variables   Info      Gitlab CI/CD Variables Backend Docs
  Azure Key Vault          Info      Azure Key Vault Backend Docs

Contributing

Yay! We welcome and encourage contributions to this project!

See our contributing document and Issues for planned improvements and additions.
