kubeseal-convert
The missing part of Sealed Secrets.
Motivation
kubeseal-convert aims to reduce the friction of importing secrets from a pre-existing secret management system (e.g. Vault, AWS Secrets Manager, etc.) into a SealedSecret.
Instead of:
- Going into AWS Secrets Manager
- Retrieving the secret that needs to be migrated
- Creating a "normal" k8s Secret
- Filling out the values on the Secret
- Running kubeseal
just run kubeseal-convert with the secret path.
Flags & Options
Like the kubeseal command, kubeseal-convert is un-opinionated. It won't commit the secret to Git, apply it to the cluster, or save it to a specific path. The SealedSecret is printed to STDOUT, so you can run it as is, as part of CI, or as part of a Job.
./kubeseal-convert <SECRETS_STORE> <PATH> --namespace <NS_NAME> --name <SECRET_NAME>
Flags
Name | Description | Required | Type
---|---|---|---
-n, --name | The Sealed Secret name. | V | string
--namespace | The Sealed Secret namespace. If not specified, taken from the k8s context. | | string
-a, --annotations | Sets k8s annotations. KV pairs, comma separated. | | []string
-l, --labels | Sets k8s labels. KV pairs, comma separated. | | []string
-h, --help | Display help. | | none
-v, --version | Display version. | | none
Supported SM Systems
AWS Secrets Manager
The AWS client relies on the local AWS configuration - config file, environment variables, etc.
Hashicorp Vault
In order to work with the Vault provider, two environment variables need to be set: VAULT_TOKEN and VAULT_ADDR.
Currently, only kv-v2 is supported.
Azure Key Vault
The <SECRETS_STORE> argument should contain the vault name taken from the full vault URI https://<SECRETS_STORE>.vault.azure.net. Authentication to the vault happens either via environment variables, a managed identity, or via the az CLI (az login).
Build from source
Prerequisites
- Go version 1.19+
- make command installed
- kubeseal command installed, and working communication with the Sealed Secrets controller
Building Steps
- Clone this repository: git clone https://github.com/EladLeev/kubeseal-convert && cd kubeseal-convert
- Build using the Makefile: make build
- [optional] Set up a local env for testing: make init-dev
- [optional] Run the example
Examples
./kubeseal-convert sm MyTestSecret --namespace test-ns --name test-secret --annotations converted-by=kubeseal-convert,env=dev --labels test=abc > secret.yaml
or
./kubeseal-convert vlt "mydomain/data/MyTestSecret" --namespace test-ns --name test-secret --annotations converted-by=kubeseal-convert,src=vault --labels test=abc > secret.yaml
This will:
- Retrieve a secret called MyTestSecret from AWS Secrets Manager / Hashicorp Vault
- Create it in the test-ns namespace
- Call it test-secret
- Add a few annotations and labels
- Save it as secret.yaml, which can then be pushed to the repo safely
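The following is an added illustration, not code from kubeseal-convert itself, of the two pieces of the run above that are easy to get wrong: parsing the comma-separated KV pairs given to --annotations / --labels (from the flags table) and assembling the plain Secret that gets handed to kubeseal. The manifest is built as a generic map so it runs with the standard library only; the real tool's types, and the store-specific fetch that produces data, are assumed and not shown.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseKV parses the "key=value,key2=value2" form of --annotations/--labels.
// Only the first '=' splits a pair, so values may contain '='. Malformed or
// duplicate pairs are rejected rather than silently dropped.
func ParseKV(s string) (map[string]string, error) {
	out := map[string]string{}
	if strings.TrimSpace(s) == "" {
		return out, nil
	}
	for _, pair := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(pair, "=")
		k = strings.TrimSpace(k)
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed pair %q: want key=value", pair)
		}
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("duplicate key %q", k)
		}
		out[k] = strings.TrimSpace(v)
	}
	return out, nil
}

// BuildSecret assembles the plain v1/Secret that would be piped to kubeseal's
// stdin (a generic map here; assumption: the real tool uses typed objects).
// data is the decoded payload from the store; it stays in memory, never on disk.
func BuildSecret(name, ns, annot, labels string, data map[string]string) (map[string]any, error) {
	a, err := ParseKV(annot)
	if err != nil {
		return nil, err
	}
	l, err := ParseKV(labels)
	if err != nil {
		return nil, err
	}
	meta := map[string]any{"name": name, "namespace": ns}
	if len(a) > 0 {
		meta["annotations"] = a
	}
	if len(l) > 0 {
		meta["labels"] = l
	}
	return map[string]any{"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": meta, "stringData": data}, nil
}
```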
Contributing
Please read CONTRIBUTING.md for details on submitting pull requests.
License
This project is licensed under the Apache License - see the LICENSE file for details.
Bump golang.org/x/net from 0.4.0 to 0.7.0
Bumps golang.org/x/net from 0.4.0 to 0.7.0.
Commits
- 8e2b117 http2/hpack: avoid quadratic complexity in hpack decoding
- 547e7ed http2: avoid referencing ResponseWrite.Write parameter after returning
- 39940ad html: parse comments per HTML spec
- 87ce33e go.mod: update golang.org/x dependencies
- 415cb6d all: fix some comments
- 7e3c19c all: correct typos in comments
- 296f09a http2: case insensitive handling for 100-continue
- f8411da nettest: fix tests on dragonfly and js/wasm
- 8e0e7d8 go.mod: update golang.org/x dependencies
- 7805fdc http2: rewrite inbound flow control tracking
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.