A tool for importing secrets from pre-existing secrets management systems (e.g. Vault, AWS Secrets Manager) into a SealedSecret :shushing_face:
The missing part of Sealed Secrets. :closed_lock_with_key:
`kubeseal-convert` aims to reduce the friction of importing secrets from a pre-existing secrets management system (e.g. Vault, AWS Secrets Manager, etc.) into a SealedSecret.
Instead of building a `Secret` manifest by hand and piping it through `kubeseal`, just run `kubeseal-convert` with the secret path.
Like the `kubeseal` command, `kubeseal-convert` is un-opinionated: it won't commit the secret to Git, apply it to the cluster, or save it to a specific path. The SealedSecret is printed to STDOUT, so you can run it as-is, as part of CI, or as part of a Job.
```sh
./kubeseal-convert <SECRETS_STORE> <PATH> --namespace <NS_NAME> --name <SECRET_NAME>
```
Name | Description | Required | Type |
---|---|---|---|
`-n`, `--name` | The Sealed Secret name. | V | string |
`--namespace` | The Sealed Secret namespace. If not specified, taken from the current k8s context. | | string |
`-a`, `--annotations` | Sets k8s annotations. KV pairs, comma separated. | | []string |
`-l`, `--labels` | Sets k8s labels. KV pairs, comma separated. | | []string |
`-h`, `--help` | Display help. | | none |
`-v`, `--version` | Display version. | | none |
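The conversion step the flags above drive, written out as an added example for this page (it is not the project's own code): a key/value payload fetched from a store becomes the `Secret` manifest that `kubeseal` expects, with `--name`, `--namespace`, `--annotations` and `--labels` applied. The payload, names and annotation values are constructed, and `ParseKV` / `BuildSecret` are hypothetical helper names. The name/namespace check reflects kubeseal's default strict scope: the ciphertext is bound to both, so they must be final before sealing.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// ParseKV turns "k1=v1,k2=v2" (the --annotations / --labels format) into a map.
// Only the first '=' splits, so values may themselves contain '='.
// Hypothetical helper name, not part of kubeseal-convert.
func ParseKV(s string) (map[string]string, error) {
	out := map[string]string{}
	if strings.TrimSpace(s) == "" {
		return out, nil
	}
	for _, pair := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(pair, "=")
		k = strings.TrimSpace(k)
		if !ok || k == "" {
			return nil, fmt.Errorf("bad key/value pair %q (want key=value)", pair)
		}
		out[k] = strings.TrimSpace(v)
	}
	return out, nil
}

// secretManifest is the subset of a core/v1 Secret that kubeseal needs as input.
type secretManifest struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   metadata          `json:"metadata"`
	Type       string            `json:"type"`
	Data       map[string]string `json:"data"`
}

type metadata struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Annotations map[string]string `json:"annotations,omitempty"`
	Labels      map[string]string `json:"labels,omitempty"`
}

// BuildSecret converts a store payload (a flat JSON object of strings, the shape a
// key/value secret has in AWS Secrets Manager) into a Secret manifest for kubeseal.
// Name and namespace are mandatory: kubeseal's default "strict" scope binds the
// ciphertext to both, so they must be set here, not patched in after sealing.
// Hypothetical helper name, not part of kubeseal-convert.
func BuildSecret(payload []byte, name, namespace, annotations, labels string) ([]byte, error) {
	if name == "" || namespace == "" {
		return nil, fmt.Errorf("name and namespace are required for strict-scope sealing")
	}
	var kv map[string]string
	if err := json.Unmarshal(payload, &kv); err != nil {
		// Nested objects or numbers are rejected rather than silently stringified.
		return nil, fmt.Errorf("payload is not a flat JSON object of strings: %w", err)
	}
	ann, err := ParseKV(annotations)
	if err != nil {
		return nil, err
	}
	lbl, err := ParseKV(labels)
	if err != nil {
		return nil, err
	}
	data := make(map[string]string, len(kv))
	for k, v := range kv {
		data[k] = base64.StdEncoding.EncodeToString([]byte(v)) // Secret.data is base64
	}
	m := secretManifest{
		APIVersion: "v1",
		Kind:       "Secret",
		Metadata:   metadata{Name: name, Namespace: namespace, Annotations: ann, Labels: lbl},
		Type:       "Opaque",
		Data:       data,
	}
	return json.MarshalIndent(m, "", "  ") // JSON is valid input for kubeseal
}

func main() {
	// Constructed sample payload, as if fetched from the store.
	payload := []byte(`{"username":"app","password":"s3cr3t"}`)
	out, err := BuildSecret(payload, "test-secret", "test-ns", "converted-by=example,env=dev", "test=abc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Pipe to: kubeseal --format yaml > secret.yaml
	os.Stdout.Write(out)
	fmt.Println()
}
```

Pipe the output straight into `kubeseal --format yaml`; nothing is written to disk in between, which is the property the tool preserves.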
:white_check_mark: AWS Secrets Manager
:white_check_mark: HashiCorp Vault
:white_check_mark: Azure Key Vault - Contributed by @kroonprins
:white_check_mark: Google Secrets Manager
AWS Secrets Manager: the AWS client relies on the standard AWS configuration sources (config file, environment variables, etc.).

HashiCorp Vault: two environment variables need to be set, `VAULT_TOKEN` and `VAULT_ADDR`. Currently, only the `kv-v2` secrets engine is supported.

Azure Key Vault: `<SECRETS_STORE>` should contain the vault name from the full vault URI `https://<SECRETS_STORE>.vault.azure.net`. Authentication to the vault happens either via environment variables, managed identity, or via the az CLI (`az login`).

Google Secret Manager: it's highly recommended to use the full secret resource name `projects/<PROJECT_ID>/secrets/<SECRET_NAME>/versions/<VERSION>`. If not, `kubeseal-convert` will try to extract the project ID from the default credentials chain and will use the latest version of the secret, so the same command can seal a different value on the next run.
Prerequisites: the `make` command installed, the `kubeseal` command installed, and working communication with the sealed-secrets controller (`kubeseal` fetches the controller's public certificate from the cluster to encrypt).

```sh
git clone https://github.com/EladLeev/kubeseal-convert && cd kubeseal-convert
make build
make init-dev
```
```sh
./kubeseal-convert sm MyTestSecret --namespace test-ns --name test-secret --annotations converted-by=kubeseal-convert,env=dev --labels test=abc > secret.yaml
```

or

```sh
./kubeseal-convert vlt "mydomain/data/MyTestSecret" --namespace test-ns --name test-secret --annotations converted-by=kubeseal-convert,src=vault --labels test=abc > secret.yaml
```

This will:

- fetch `MyTestSecret` from AWS Secrets Manager / HashiCorp Vault
- set the `test-ns` namespace
- set the `test-secret` name
- write `secret.yaml`, ready to be pushed to the repo safely

Please read CONTRIBUTING.md for details on submitting pull requests.
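Before the `secret.yaml` produced above is pushed, a CI or pre-commit guard should refuse any file that still contains a plain `Secret`. The following is an added example written for this page, not part of kubeseal-convert; `CheckSealed` is a hypothetical helper name and both sample manifests are constructed (the ciphertext is a placeholder). It is deliberately line-based: Go's standard library has no YAML parser, and `kind:` is an unindented top-level key in every Kubernetes object, so a prefix match on the raw line never hits nested fields such as `spec.template.metadata`.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// CheckSealed reports whether a (possibly multi-document) YAML manifest is safe
// to commit: at least one SealedSecret document and no plain Secret document.
// Hypothetical helper name, not part of kubeseal-convert.
func CheckSealed(manifest string) (ok bool, reason string) {
	sealed := 0
	for i, doc := range strings.Split(manifest, "\n---") {
		if strings.TrimSpace(doc) == "" {
			continue
		}
		kind := ""
		for _, line := range strings.Split(doc, "\n") {
			// Only an unindented "kind:" is the object's own kind.
			if strings.HasPrefix(line, "kind:") {
				kind = strings.TrimSpace(strings.TrimPrefix(line, "kind:"))
				break
			}
		}
		switch kind {
		case "SealedSecret":
			sealed++
		case "Secret":
			return false, fmt.Sprintf("document %d is an unsealed Secret; refuse to commit", i+1)
		}
	}
	if sealed == 0 {
		return false, "no SealedSecret document found (empty or failed conversion?)"
	}
	return true, ""
}

// Constructed samples, not real kubeseal output: the shape of a sealed result
// and of a plaintext Secret that must never reach the repo.
const sealedSample = `apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: test-secret
  namespace: test-ns
spec:
  encryptedData:
    password: PLACEHOLDER-CIPHERTEXT
  template:
    metadata:
      name: test-secret
      namespace: test-ns
`

const leakedSample = `apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: test-ns
stringData:
  password: s3cr3t
`

func main() {
	// With a path argument, check that file (e.g. secret.yaml); otherwise run the samples.
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		if ok, reason := CheckSealed(string(b)); !ok {
			fmt.Fprintln(os.Stderr, "REFUSED:", reason)
			os.Exit(1)
		}
		fmt.Println("ok: only SealedSecret documents")
		return
	}
	for name, m := range map[string]string{"sealed": sealedSample, "leaked": leakedSample} {
		ok, reason := CheckSealed(m)
		fmt.Printf("%s: ok=%v %s\n", name, ok, reason)
	}
}
```

Wire it in as `go run guard.go secret.yaml` in the CI step that runs right after the conversion; a non-zero exit blocks the commit or the pipeline.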
This project is licensed under the Apache License - see the LICENSE file for details.